Windows Analysis Report
SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe

Overview

General Information

Sample name: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
Analysis ID: 1467386
MD5: 9bae70489ffa1fd07797f8964350af30
SHA1: 274d484c8de888ba87f3232f451c888e436337b5
SHA256: 38afba1a62ee831a679ed728da8ca167b4c80a432a3ddf575c784bdd29d33975
Tags: exe

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to infect the boot sector
Modifies the windows firewall
Potentially malicious time measurement code found
Uses netsh to modify the Windows network and firewall settings
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to create new users
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate running services
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Modifies existing windows services
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe (PID: 3540 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe" MD5: 9BAE70489FFA1FD07797F8964350AF30)
    • dllhost.exe (PID: 1196 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
    • vc_redist.x64.exe (PID: 5404 cmdline: "C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" /quiet MD5: 35431D059197B67227CD12F841733539)
      • VC_redist.x64.exe (PID: 6220 cmdline: "C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 /quiet MD5: 24323F69876BDA1B9909A0D0D6B981BA)
    • nssm.exe (PID: 4512 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" install IDmelonFidoCredentialProviderService "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 1540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 1196 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Application "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 6420 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppDirectory "C:\Program Files (x86)\IDmelon\FCP" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 2172 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdout "C:\Program Files (x86)\IDmelon\FCP\logs.log" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 3284 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderr "C:\Program Files (x86)\IDmelon\FCP\logs.log" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 1652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 6220 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Description "Handles the FIDO authentication of IDmelon credential provider." MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 5352 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdoutCreationDisposition 4 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 4912 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderrCreationDisposition 4 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 1240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 3964 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateFiles 1 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 1540 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateOnline 0 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 3416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 2172 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateSeconds 14400 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 1484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 1916 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateBytes 5000000 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 1652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 4456 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Start SERVICE_AUTO_START MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 1792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 3416 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" restart IDmelonFidoCredentialProviderService MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 2384 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" status IDmelonFidoCredentialProviderService MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 3452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 2044 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" start IDmelonFidoCredentialProviderService MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cacls.exe (PID: 3920 cmdline: CACLS "C:\Program Files (x86)\IDmelon\FCP\cashedData.xml" /e /p Everyone:f MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
      • conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cacls.exe (PID: 2236 cmdline: CACLS "C:\Program Files (x86)\IDmelon\FCP\service_log.lo" /e /p Everyone:f MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
      • conhost.exe (PID: 1916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • icacls.exe (PID: 1792 cmdline: icacls "C:\Program Files (x86)\IDmelon\FCP" /inheritance:d MD5: 2E49585E4E08565F52090B144062F97E)
      • conhost.exe (PID: 2716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • icacls.exe (PID: 2860 cmdline: icacls "C:\Program Files (x86)\IDmelon\FCP" /grant:r everyone:(OI)(CI)(F) /T MD5: 2E49585E4E08565F52090B144062F97E)
      • conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 6836 cmdline: netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 6120 cmdline: netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=out program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 1168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 1964 cmdline: netsh.exe advfirewall firewall add rule IDmelonFidoCredentialProviderService dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 2384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 3920 cmdline: netsh.exe advfirewall firewall add rule IDmelonFidoCredentialProviderService dir=out program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • conhost.exe (PID: 3308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 2552 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • nssm.exe (PID: 1180 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
    • conhost.exe (PID: 3672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • IDmelonCredentialProviderFidoAgent.exe (PID: 3232 cmdline: "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" MD5: 2B087903208E385308BF23C41F82E872)
      • conhost.exe (PID: 1568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • IDmelonCredentialProviderFidoAgent.exe (PID: 2184 cmdline: "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" MD5: 2B087903208E385308BF23C41F82E872)
        • cmd.exe (PID: 5868 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 2196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • IDmelonCredentialProviderFidoAgent.exe (PID: 1504 cmdline: "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" MD5: 2B087903208E385308BF23C41F82E872)
      • conhost.exe (PID: 3084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • IDmelonCredentialProviderFidoAgent.exe (PID: 3452 cmdline: "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" MD5: 2B087903208E385308BF23C41F82E872)
        • cmd.exe (PID: 3048 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • svchost.exe (PID: 2848 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: IDmelonV2CredentialProvider, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, ProcessId: 3540, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{adeba497-0484-4d69-aff3-d7c759f21d15}\(Default)
Source: Process started, Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, ProcessId: 2552, ProcessName: svchost.exe
No Snort rule has matched


AV Detection

Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe, Avira: detection malicious, Label: HEUR/AGEN.1305235
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe, ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Virustotal: Detection: 12%
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB72469 CRYPTO_malloc,memcpy,43_2_00007FFB0BB72469
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71F14 CRYPTO_free,43_2_00007FFB0BB71F14
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB74497 CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_set_data,BIO_clear_flags,43_2_00007FFB0BB74497
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71A00 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,43_2_00007FFB0BB71A00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB883F0 EVP_PKEY_CTX_new,EVP_PKEY_derive_init,EVP_PKEY_derive_set_peer,EVP_PKEY_derive,CRYPTO_malloc,EVP_PKEY_derive,CRYPTO_clear_free,EVP_PKEY_CTX_free,43_2_00007FFB0BB883F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71E7E CRYPTO_free,CRYPTO_malloc,43_2_00007FFB0BB71E7E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB78410 CRYPTO_zalloc,ERR_put_error,43_2_00007FFB0BB78410
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71CBC CRYPTO_clear_free,43_2_00007FFB0BB71CBC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB8E3C0 CRYPTO_THREAD_run_once,43_2_00007FFB0BB8E3C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB86330 CRYPTO_free,43_2_00007FFB0BB86330
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBC2350 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BBC2350
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB7E2E0 CRYPTO_malloc,43_2_00007FFB0BB7E2E0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB720FE BN_bin2bn,BN_is_zero,CRYPTO_free,CRYPTO_strdup,CRYPTO_clear_free,43_2_00007FFB0BB720FE
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB713B6 CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BB713B6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB962F0 ERR_put_error,CRYPTO_free,ERR_put_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,43_2_00007FFB0BB962F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBC42B0 CRYPTO_malloc,memcpy,43_2_00007FFB0BBC42B0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB72293 CRYPTO_free,CRYPTO_memdup,43_2_00007FFB0BB72293
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB8C280 CRYPTO_zalloc,ERR_put_error,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,43_2_00007FFB0BB8C280
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71131 CRYPTO_free,43_2_00007FFB0BB71131
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB861F8 CRYPTO_free,CRYPTO_strdup,43_2_00007FFB0BB861F8
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB8E180 COMP_zlib,CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl,43_2_00007FFB0BB8E180
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB7195B EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,CRYPTO_memcmp,strncmp,strncmp,strncmp,strncmp,strncmp,43_2_00007FFB0BB7195B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB72590 CRYPTO_free,CRYPTO_strdup,43_2_00007FFB0BB72590
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB88130 CRYPTO_free,CRYPTO_memdup,43_2_00007FFB0BB88130
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBA80F0 CRYPTO_free,43_2_00007FFB0BBA80F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB7E0B0 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,43_2_00007FFB0BB7E0B0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB740BA BIO_get_data,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_clear_flags,BIO_get_data,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,43_2_00007FFB0BB740BA
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBB0820 CRYPTO_free,CRYPTO_free,43_2_00007FFB0BBB0820
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBD0830 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,43_2_00007FFB0BBD0830
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBB883B CRYPTO_clear_free,43_2_00007FFB0BBB883B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71C08 CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,43_2_00007FFB0BB71C08
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBAA850 CRYPTO_free,CRYPTO_memdup,43_2_00007FFB0BBAA850
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB7101E CRYPTO_free,CRYPTO_free,43_2_00007FFB0BB7101E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB7222A CRYPTO_free,43_2_00007FFB0BB7222A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB72225 CRYPTO_free,CRYPTO_memdup,43_2_00007FFB0BB72225
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB7218A CONF_parse_list,ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BB7218A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBCE730 OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,memcmp,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,CRYPTO_memcmp,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BBCE730
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71AC8 CRYPTO_malloc,ERR_put_error,CRYPTO_free,43_2_00007FFB0BB71AC8
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB713FC EVP_MD_CTX_new,EVP_MD_CTX_free,CRYPTO_memcmp,memcpy,memcpy,43_2_00007FFB0BB713FC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB746C0 BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,43_2_00007FFB0BB746C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB721C1 _time64,CRYPTO_free,CRYPTO_malloc,EVP_sha256,EVP_Digest,EVP_MD_size,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BB721C1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71762 ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,ERR_put_error,43_2_00007FFB0BB71762
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB7236A CRYPTO_free,CRYPTO_malloc,ERR_put_error,memcpy,43_2_00007FFB0BB7236A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBAA5E0 CRYPTO_memcmp,43_2_00007FFB0BBAA5E0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71BCC CRYPTO_strdup,CRYPTO_free,43_2_00007FFB0BB71BCC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71050 EVP_PKEY_free,BN_num_bits,BN_bn2bin,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_clear_free,43_2_00007FFB0BB71050
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71438 ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BB71438
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBB0550 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BBB0550
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB924E0 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,43_2_00007FFB0BB924E0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71DD4 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,_time64,memcpy,OPENSSL_cleanse,OPENSSL_cleanse,EVP_MD_size,43_2_00007FFB0BB71DD4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB72414 CRYPTO_free,BIO_clear_flags,BIO_set_flags,BIO_snprintf,ERR_add_error_data,memcpy,43_2_00007FFB0BB72414
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB722C5 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error,43_2_00007FFB0BB722C5
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB784C0 CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,43_2_00007FFB0BB784C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB91C60 CRYPTO_free,CRYPTO_strdup,43_2_00007FFB0BB91C60
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71A69 CRYPTO_free,43_2_00007FFB0BB71A69
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBA7C90 CRYPTO_free,CRYPTO_free,43_2_00007FFB0BBA7C90
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBB7C50 CRYPTO_free,CRYPTO_strndup,43_2_00007FFB0BBB7C50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBC1BE0 CRYPTO_malloc,ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,CRYPTO_free,43_2_00007FFB0BBC1BE0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBBDBE0 CRYPTO_free,CRYPTO_free,43_2_00007FFB0BBBDBE0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBA7BF0 CRYPTO_free,43_2_00007FFB0BBA7BF0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71122 CRYPTO_free,43_2_00007FFB0BB71122
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71069 CRYPTO_free,43_2_00007FFB0BB71069
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71398 EVP_MD_CTX_new,EVP_PKEY_new,EVP_PKEY_assign,EVP_PKEY_security_bits,DH_free,EVP_PKEY_get0_DH,EVP_PKEY_free,DH_get0_key,EVP_PKEY_get1_tls_encodedpoint,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,EVP_PKEY_size,EVP_DigestSignInit,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,CRYPTO_free,EVP_MD_CTX_free,43_2_00007FFB0BB71398
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB7129E CRYPTO_THREAD_run_once,43_2_00007FFB0BB7129E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71163 EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BB71163
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBAFAE0 CRYPTO_realloc,43_2_00007FFB0BBAFAE0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71A0A CRYPTO_zalloc,memcpy,memcpy,memcpy,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BB71A0A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB7176C CRYPTO_free,CRYPTO_malloc,memcmp,CRYPTO_memdup,43_2_00007FFB0BB7176C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBA7A70 CRYPTO_free,43_2_00007FFB0BBA7A70
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB718DE CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,43_2_00007FFB0BB718DE
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB72063 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,43_2_00007FFB0BB72063
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB9FA54 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,43_2_00007FFB0BB9FA54
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB77A50 CRYPTO_free,43_2_00007FFB0BB77A50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB716F4 CRYPTO_malloc,CRYPTO_THREAD_lock_new,X509_up_ref,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,ERR_put_error,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,43_2_00007FFB0BB716F4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB95A07 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,43_2_00007FFB0BB95A07
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBBBA00 X509_get0_pubkey,CRYPTO_malloc,RAND_bytes,EVP_PKEY_CTX_new,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_PKEY_CTX_free,43_2_00007FFB0BBBBA00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB97A10 X509_VERIFY_PARAM_free,CRYPTO_free_ex_data,BIO_pop,BIO_free,BIO_free_all,BIO_free_all,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,CRYPTO_THREAD_lock_free,CRYPTO_free,43_2_00007FFB0BB97A10
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBA39C0 CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,43_2_00007FFB0BBA39C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBB79C0 CRYPTO_free,CRYPTO_memdup,43_2_00007FFB0BBB79C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB710FF CRYPTO_zalloc,ERR_put_error,ERR_put_error,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,ERR_put_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,43_2_00007FFB0BB710FF
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBDD990 BN_num_bits,CRYPTO_malloc,BN_bn2bin,BN_clear_free,BN_clear_free,CRYPTO_clear_free,BN_clear_free,BN_clear_free,BN_clear_free,43_2_00007FFB0BBDD990
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBC9990 CRYPTO_malloc,EVP_CIPHER_CTX_new,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,EVP_CIPHER_CTX_iv_length,EVP_CIPHER_iv_length,RAND_bytes,EVP_sha256,EVP_EncryptUpdate,EVP_EncryptFinal,HMAC_Update,HMAC_Final,43_2_00007FFB0BBC9990
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71DCF CRYPTO_malloc,CRYPTO_mem_ctrl,OPENSSL_sk_find,CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,OPENSSL_sk_push,CRYPTO_mem_ctrl,CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,43_2_00007FFB0BB71DCF
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71235 X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,43_2_00007FFB0BB71235
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB8E090 CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl,43_2_00007FFB0BB8E090
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71C8F CRYPTO_free,CRYPTO_memdup,43_2_00007FFB0BB71C8F
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB720B8 CRYPTO_free,CRYPTO_malloc,memcpy,43_2_00007FFB0BB720B8
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB716F9 CRYPTO_free,43_2_00007FFB0BB716F9
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB8A000 CRYPTO_free,CRYPTO_strndup,43_2_00007FFB0BB8A000
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB714FB EVP_PKEY_get1_tls_encodedpoint,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,43_2_00007FFB0BB714FB
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB7DFA0 CRYPTO_free,43_2_00007FFB0BB7DFA0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71C99 HMAC_CTX_new,EVP_CIPHER_CTX_new,EVP_sha256,HMAC_Init_ex,EVP_aes_256_cbc,HMAC_size,EVP_CIPHER_CTX_iv_length,HMAC_Update,HMAC_Final,CRYPTO_memcmp,EVP_CIPHER_CTX_iv_length,EVP_CIPHER_CTX_iv_length,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,43_2_00007FFB0BB71C99
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB711B3 EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,43_2_00007FFB0BB711B3
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB710F5 EVP_PKEY_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_new,RSA_pkey_ctx_ctrl,CRYPTO_free,EVP_MD_CTX_free,EVP_MD_CTX_free,43_2_00007FFB0BB710F5
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBC1F50 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BBC1F50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB7DEF0 CRYPTO_free,43_2_00007FFB0BB7DEF0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB8FF10 strncmp,strncmp,strncmp,strncmp,ERR_put_error,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,ERR_put_error,strncmp,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_free,43_2_00007FFB0BB8FF10
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB72022 EVP_CIPHER_key_length,EVP_CIPHER_iv_length,CRYPTO_malloc,43_2_00007FFB0BB72022
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB715E6 EVP_MD_CTX_new,X509_get0_pubkey,EVP_PKEY_id,EVP_PKEY_id,EVP_PKEY_id,EVP_PKEY_size,EVP_DigestVerifyInit,CRYPTO_malloc,BUF_reverse,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestUpdate,EVP_MD_CTX_ctrl,EVP_DigestVerify,BIO_free,EVP_MD_CTX_free,CRYPTO_free,43_2_00007FFB0BB715E6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBA3EC0 CRYPTO_zalloc,ERR_put_error,_time64,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,43_2_00007FFB0BBA3EC0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB72527 ERR_put_error,CRYPTO_free,CRYPTO_strdup,43_2_00007FFB0BB72527
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB79E40 CRYPTO_malloc,memset,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BB79E40
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBA7E50 CRYPTO_free,43_2_00007FFB0BBA7E50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBA7DE0 CRYPTO_free,43_2_00007FFB0BBA7DE0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB711EA CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,CRYPTO_free,43_2_00007FFB0BB711EA
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71FF5 CRYPTO_free,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,43_2_00007FFB0BB71FF5
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71979 CRYPTO_free,CRYPTO_memdup,43_2_00007FFB0BB71979
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB85DB0 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,43_2_00007FFB0BB85DB0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB716D1 CRYPTO_zalloc,ERR_put_error,43_2_00007FFB0BB716D1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB93D60 CRYPTO_free,CRYPTO_memdup,43_2_00007FFB0BB93D60
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB723BF CRYPTO_free,CRYPTO_memdup,43_2_00007FFB0BB723BF
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBBBD80 BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,43_2_00007FFB0BBBBD80
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB7102D CRYPTO_malloc,COMP_expand_block,43_2_00007FFB0BB7102D
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB87D30 CRYPTO_zalloc,43_2_00007FFB0BB87D30
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBAFD10 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BBAFD10
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71348 CRYPTO_zalloc,ERR_put_error,43_2_00007FFB0BB71348
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BBDDCA0 SRP_Calc_u,BN_num_bits,CRYPTO_malloc,BN_bn2bin,BN_clear_free,BN_clear_free,43_2_00007FFB0BBDDCA0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB8FCC0 CRYPTO_zalloc,ERR_put_error,CRYPTO_free,43_2_00007FFB0BB8FCC0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71929 BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,CRYPTO_free,CRYPTO_strdup,43_2_00007FFB0BB71929
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71951 ERR_put_error,ASN1_item_free,memcpy,memcpy,_time64,X509_free,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,ASN1_item_free,43_2_00007FFB0BB71951
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71073 ERR_put_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,43_2_00007FFB0BB71073
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB72298 CRYPTO_memdup,ERR_put_error,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BB72298
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB953A4 CRYPTO_memdup,ERR_put_error,43_2_00007FFB0BB953A4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71933 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BB71933
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB7115E OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,43_2_00007FFB0BB7115E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB71195 CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BB71195
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB72388 CRYPTO_malloc,43_2_00007FFB0BB72388
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB7177B EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key,EVP_sha256,EVP_DigestSignInit,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,_time64,EVP_MD_CTX_free,EVP_PKEY_free,EVP_MD_CTX_free,EVP_PKEY_free,43_2_00007FFB0BB7177B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB714B5 ERR_put_error,memcpy,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,OPENSSL_sk_value,X509_VERIFY_PARAM_get_depth,CRYPTO_dup_ex_data,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,43_2_00007FFB0BB714B5
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB72289 EVP_MD_size,EVP_CIPHER_iv_length,EVP_CIPHER_key_length,CRYPTO_clear_free,CRYPTO_malloc,43_2_00007FFB0BB72289
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BBBB1F0 CRYPTO_malloc,EVP_DigestUpdate,EVP_MD_CTX_free,EVP_PKEY_CTX_free,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,43_2_00007FFB0BBBB1F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB71E29 CRYPTO_malloc,43_2_00007FFB0BB71E29
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB71FD2 CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BB71FD2
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB791C0 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BB791C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BBB9178 CRYPTO_free,CRYPTO_free,43_2_00007FFB0BBB9178
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BBB1120 CRYPTO_free,CRYPTO_strndup,43_2_00007FFB0BBB1120
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BBC9130 CRYPTO_memcmp,43_2_00007FFB0BBC9130
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB72554 BIO_s_file,BIO_new,BIO_ctrl,strncmp,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,43_2_00007FFB0BB72554
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB7230B CRYPTO_memcmp,memchr,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,43_2_00007FFB0BB7230B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB71802 CRYPTO_strdup,43_2_00007FFB0BB71802
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB71A50 OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,CRYPTO_memcmp,43_2_00007FFB0BB71A50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB71BE0 EVP_MD_size,RAND_bytes,_time64,CRYPTO_free,CRYPTO_memdup,43_2_00007FFB0BB71BE0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB71115 CRYPTO_zalloc,CRYPTO_free,43_2_00007FFB0BB71115
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB997F0 ERR_put_error,ERR_put_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,CRYPTO_free,ERR_put_error,OPENSSL_sk_dup,X509_VERIFY_PARAM_new,X509_VERIFY_PARAM_inherit,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_malloc,memcpy,CRYPTO_new_ex_data,43_2_00007FFB0BB997F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB717BE OPENSSL_sk_new_null,d2i_X509,CRYPTO_free,CRYPTO_memcmp,OPENSSL_sk_push,OPENSSL_sk_num,CRYPTO_free,X509_free,OPENSSL_sk_pop_free,OPENSSL_sk_value,X509_get0_pubkey,X509_free,OPENSSL_sk_shift,OPENSSL_sk_pop_free,43_2_00007FFB0BB717BE
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB71433 CRYPTO_free,CRYPTO_strndup,43_2_00007FFB0BB71433
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BBCB77C CRYPTO_free,CRYPTO_memdup,43_2_00007FFB0BBCB77C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB71E15 ERR_put_error,CRYPTO_free,CRYPTO_strdup,43_2_00007FFB0BB71E15
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB7247D CRYPTO_malloc,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_put_error,CRYPTO_clear_free,43_2_00007FFB0BB7247D
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BBA76F0 CRYPTO_free,CRYPTO_strdup,CRYPTO_free,43_2_00007FFB0BBA76F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB71988 CRYPTO_free,CRYPTO_memdup,memcmp,CRYPTO_memdup,43_2_00007FFB0BB71988
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BBC96D0 CRYPTO_free,CRYPTO_strndup,43_2_00007FFB0BBC96D0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB7160E CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,43_2_00007FFB0BB7160E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BBA7680 CRYPTO_free,43_2_00007FFB0BBA7680
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB87690 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_clear_free,43_2_00007FFB0BB87690
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB71A8C memcmp,memcmp,EVP_CIPHER_CTX_free,CRYPTO_free,CRYPTO_free,memcmp,memcmp,memcpy,CRYPTO_free,CRYPTO_free,43_2_00007FFB0BB71A8C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BBBB630 CRYPTO_memdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free,43_2_00007FFB0BBBB630
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BBA35F0 CRYPTO_THREAD_write_lock,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,43_2_00007FFB0BBA35F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB79600 CRYPTO_malloc,ERR_put_error,CRYPTO_free,43_2_00007FFB0BB79600
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BBC3610 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,memcpy,43_2_00007FFB0BBC3610
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB719F1 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,43_2_00007FFB0BB719F1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB72004 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memcmp,_time64,43_2_00007FFB0BB72004
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB994F0 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,43_2_00007FFB0BB994F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BBC94B0 CRYPTO_free,CRYPTO_memdup,43_2_00007FFB0BBC94B0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BF84D90 ASN1_STRING_type,ASN1_STRING_length,ASN1_STRING_get0_data,_Py_BuildValue_SizeT,ASN1_STRING_to_UTF8,_Py_Dealloc,_Py_BuildValue_SizeT,CRYPTO_free,43_2_00007FFB0BF84D90
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BF84B08 i2d_X509,PyBytes_FromStringAndSize,CRYPTO_free,43_2_00007FFB0BF84B08
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB1AB05D4C CRYPTO_memcmp,63_2_00007FFB1AB05D4C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB1AB01640 _Py_NoneStruct,_PyArg_UnpackKeywords,PyObject_GetBuffer,PyBuffer_IsContiguous,PyObject_GetBuffer,PyBuffer_IsContiguous,PyLong_AsUnsignedLong,PyLong_AsUnsignedLong,PyLong_AsUnsignedLong,EVP_PBE_scrypt,PyBytes_FromStringAndSize,PyEval_SaveThread,EVP_PBE_scrypt,PyEval_RestoreThread,PyExc_ValueError,PyErr_SetString,PyBuffer_Release,PyBuffer_Release,PyLong_AsLong,PyErr_Occurred,PyLong_AsLong,PyErr_Occurred,PyExc_ValueError,PyExc_ValueError,PyErr_Format,_PyArg_BadArgument,_PyArg_BadArgument,_PyArg_BadArgument,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,_PyArg_BadArgument,_PyArg_BadArgument,PyExc_OverflowError,PyExc_OverflowError,_Py_Dealloc,PyExc_ValueError,63_2_00007FFB1AB01640
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IDmelon FCP
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1028\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1029\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1031\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1036\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1040\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1041\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1042\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1045\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1046\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1049\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1055\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\2052\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\3082\license.rtf
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | File created: C:\Windows\TEMP\_MEI32322\wheel-0.37.1.dist-info\LICENSE.txt
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | File created: C:\Windows\TEMP\_MEI15042\wheel-0.37.1.dist-info\LICENSE.txt
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: vc_redist.x64.exe, 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp, vc_redist.x64.exe, 00000003.00000000.1353568119.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp, VC_redist.x64.exe, 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp, VC_redist.x64.exe, 00000004.00000000.1354748130.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1464603934.00007FFB0C03C000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: Release\win32pipe.pdb source: IDmelonCredentialProviderFidoAgent.exe
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2548740919.00007FFB0BAFC000.00000002.00000001.01000000.00000043.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2543870556.00007FFB0B069000.00000002.00000001.01000000.0000005D.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1466166586.00007FFB1D5B5000.00000002.00000001.01000000.0000001B.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2554249601.00007FFB1D5B5000.00000002.00000001.01000000.00000034.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2546972518.00007FFB0B613000.00000002.00000001.01000000.00000048.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1463910526.00007FFB0BE70000.00000002.00000001.01000000.00000020.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2550164045.00007FFB0BE70000.00000002.00000001.01000000.00000039.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1465912346.00007FFB1CA15000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: C:\projects\hidapi\windows\x64\Release\hidapi.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2548228809.00007FFB0B9BE000.00000002.00000001.01000000.00000047.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1464798053.00007FFB0C0A0000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1463910526.00007FFB0BEF2000.00000002.00000001.01000000.00000020.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2550164045.00007FFB0BEF2000.00000002.00000001.01000000.00000039.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32net.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2548458242.00007FFB0B9DB000.00000002.00000001.01000000.00000046.sdmp
Source: Binary string: win32event.pdb source: IDmelonCredentialProviderFidoAgent.exe
Source: Binary string: D:\a\1\b\libssl-1_1.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1463295105.00007FFB0BBE6000.00000002.00000001.01000000.00000021.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2549543223.00007FFB0BBE6000.00000002.00000001.01000000.0000003A.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32pipe.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1465788664.00007FFB1C2E5000.00000002.00000001.01000000.00000024.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1466790982.00007FFB1E3A3000.00000002.00000001.01000000.00000019.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2555300836.00007FFB1E3A3000.00000002.00000001.01000000.00000032.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1463910526.00007FFB0BE70000.00000002.00000001.01000000.00000020.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2550164045.00007FFB0BE70000.00000002.00000001.01000000.00000039.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1467307183.00007FFB1E871000.00000002.00000001.01000000.00000011.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2556182828.00007FFB1E871000.00000002.00000001.01000000.0000002A.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1467063030.00007FFB1E850000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2552769265.00007FFB1AB06000.00000002.00000001.01000000.00000040.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1465667650.00007FFB1C257000.00000002.00000001.01000000.00000022.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2553385771.00007FFB1C257000.00000002.00000001.01000000.0000003B.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2544050747.00007FFB0B082000.00000002.00000001.01000000.0000005C.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32file.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1463063031.00007FFB0BB55000.00000002.00000001.01000000.00000025.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2549310942.00007FFB0BB55000.00000002.00000001.01000000.0000003E.sdmp
Source: Binary string: crypto\stack\stack.cOPENSSL_sk_dupOPENSSL_sk_deep_copysk_reserveOPENSSL_sk_new_reserveOPENSSL_sk_reserveOPENSSL_sk_insertOPENSSL_sk_seti=%dcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC3.1.4built on: Fri Nov 24 00:12:45 2023 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptoOPENSSL_atexitcrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2546972518.00007FFB0B613000.00000002.00000001.01000000.00000048.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python310.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1465066228.00007FFB0C3FF000.00000002.00000001.01000000.00000010.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2551593408.00007FFB0C3FF000.00000002.00000001.01000000.00000029.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1466469305.00007FFB1DED2000.00000002.00000001.01000000.00000017.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2554691544.00007FFB1DED2000.00000002.00000001.01000000.00000030.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1464446893.00007FFB0BFC3000.00000002.00000001.01000000.0000001D.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2550842451.00007FFB0BFC3000.00000002.00000001.01000000.00000036.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1466039739.00007FFB1D343000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1466630850.00007FFB1DF0B000.00000002.00000001.01000000.00000016.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2554901948.00007FFB1DF0B000.00000002.00000001.01000000.0000002F.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1466919560.00007FFB1E3BD000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1466322473.00007FFB1DE98000.00000002.00000001.01000000.00000018.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2554463336.00007FFB1DE98000.00000002.00000001.01000000.00000031.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1452100859.0000014270790000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1464247580.00007FFB0BF8D000.00000002.00000001.01000000.0000001F.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2550628722.00007FFB0BF8D000.00000002.00000001.01000000.00000038.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32event.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1465530100.00007FFB1BB25000.00000002.00000001.01000000.00000026.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2553241342.00007FFB1BB25000.00000002.00000001.01000000.0000003F.sdmp
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0B9D89A0 PyArg_ParseTuple,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyExc_ValueError,PyErr_SetString,NetUserEnum,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyList_New,Py_BuildValue,_Py_Dealloc,NetApiBufferFree,_Py_Dealloc,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,63_2_00007FFB0B9D89A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C63
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Code function: 0_2_004068B4 FindFirstFileW,FindClose,0_2_004068B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Code function: 0_2_00402910 FindFirstFileW,0_2_00402910
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_009F3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,3_2_009F3BC3
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A34315 FindFirstFileW,FindClose,3_2_00A34315
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A0993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,3_2_00A0993E
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A27A87 FindFirstFileExW,3_2_00A27A87
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_002C3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,4_2_002C3BC3
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_00304315 FindFirstFileW,FindClose,4_2_00304315
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_002D993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,4_2_002D993E
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_002F7A87 FindFirstFileExW,4_2_002F7A87
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 35_2_00007FF600537B80 FindFirstFileExW,FindClose,35_2_00007FF600537B80
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 35_2_00007FF600548110 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,35_2_00007FF600548110
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 35_2_00007FF6005520D4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,35_2_00007FF6005520D4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB4AC60 _Py_NoneStruct,_PyArg_ParseTupleAndKeywords_SizeT,?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z,PyExc_NotImplementedError,PyErr_Format,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,_PyObject_New,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,memset,PyEval_SaveThread,FindFirstFileTransactedW,FindFirstFileW,PyEval_RestoreThread,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,GetLastError,_Py_Dealloc,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,43_2_00007FFB0BB4AC60
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB4AA10 _Py_NoneStruct,_PyArg_ParseTupleAndKeywords_SizeT,?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z,PyExc_NotImplementedError,PyErr_Format,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,memset,FindFirstFileTransactedW,FindFirstFileW,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,GetLastError,PyList_New,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyList_New,FindClose,?PyObject_FromWIN32_FIND_DATAW@@YAPEAU_object@@PEAU_WIN32_FIND_DATAW@@@Z,PyList_Append,_Py_Dealloc,memset,FindNextFileW,GetLastError,FindClose,_Py_Dealloc,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,FindClose,_Py_Dealloc,43_2_00007FFB0BB4AA10
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB4B100 PyExc_NotImplementedError,PyErr_Format,_Py_NoneStruct,_PyArg_ParseTupleAndKeywords_SizeT,?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z,PyExc_NotImplementedError,PyErr_Format,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,malloc,FindFirstFileNameTransactedW,FindFirstFileNameW,PyList_New,FindNextFileNameW,?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W@Z,PyList_Append,_Py_Dealloc,GetLastError,free,PyExc_MemoryError,PyErr_Format,_Py_Dealloc,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_Dealloc,FindClose,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,free,43_2_00007FFB0BB4B100
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2322E _errno,malloc,_errno,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,43_2_00007FFB0BC2322E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BFB3740 _PyArg_ParseTuple_SizeT,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyList_New,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,FindFirstFileW,GetLastError,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,?PyObject_FromWIN32_FIND_DATAW@@YAPEAU_object@@PEAU_WIN32_FIND_DATAW@@@Z,PyList_Append,_Py_Dealloc,FindNextFileW,GetLastError,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,FindClose,_Py_Dealloc,43_2_00007FFB0BFB3740
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B9B7A14 FindFirstFileExA,63_2_00007FFB0B9B7A14
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2322E _errno,malloc,_errno,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,63_2_00007FFB0BC2322E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BFB55A0 _PyArg_ParseTuple_SizeT,GetLogicalDriveStringsW,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,GetLogicalDriveStringsW,?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W_J@Z,43_2_00007FFB0BFB55A0
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB46990 _PyArg_ParseTuple_SizeT,?PySocket_AsSOCKET@@YAHPEAU_object@@PEA_K@Z,?PyWinObject_AsOVERLAPPED@@YAHPEAU_object@@PEAPEAU_OVERLAPPED@@H@Z,?init@PyWinBufferView@@QEAA_NPEAU_object@@_N1@Z,PyEval_SaveThread,WSARecv,PyEval_RestoreThread,WSAGetLastError,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_Dealloc,_Py_Dealloc,??1PyWinBufferView@@QEAA@XZ,PyTuple_New,PyLong_FromLong,PyLong_FromLong,43_2_00007FFB0BB46990
Source: global trafficDNS traffic detected: DNS query: time.windows.com
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1461908759.0000014272460000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541852979.0000020E2C4F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://aka.ms/vcpython27
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1461908759.0000014272460000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://aka.ms/vcpython27P
Source: vc_redist.x64.exe, VC_redist.x64.exe | String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: vc_redist.x64.exe, 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp, vc_redist.x64.exe, 00000003.00000000.1353568119.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp, VC_redist.x64.exe, 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp, VC_redist.x64.exe, 00000004.00000000.1354748130.000000000030B000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542763777.0000020E2CF10000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541531379.0000020E2C292000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.2538755134.000001FDB55BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca
Source: IDmelonCredentialProviderFidoAgent.exe, 00000023.00000002.1469150305.000001C6A305B000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000023.00000003.1468035568.000001C6A305B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca?
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542763777.0000020E2CF10000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541531379.0000020E2C292000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542262977.0000020E2CA74000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1444204176.00000142716FD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1435161281.0000014271EA0000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1449163703.00000142716FE000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1443313298.00000142716F5000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442873539.00000142716E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1455566367.0000014271705000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442011477.00000142716DD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1448232396.00000142716FD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1440990236.00000142716DD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1438645387.00000142716DA000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512219425.0000020E2B990000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540614851.0000020E2BA1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.python.org/3/library/pprint.html#pprint.pprint
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1439099612.0000014271FBF000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442108999.0000014271FDB000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1462047611.0000014272574000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1440638090.0000014271FC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1462047611.00000142725CC000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442058390.0000014271A33000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1438434561.0000014271A33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1439099612.0000014271FBF000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442058390.0000014271A33000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442108999.0000014271FDB000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1438434561.0000014271A33000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1462047611.0000014272620000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1440638090.0000014271FC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1461668814.0000014272260000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1439099612.0000014271FBF000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1439373811.0000014271FE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.python.org/library/unittest.html
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1460580684.0000014271C60000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540971548.0000020E2BCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://github.com/ActiveState/appdirs
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512461436.0000020E2C183000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://goo.gl/zeJZl.
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512461436.0000020E2C183000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, 00000000.00000003.1449504869.0000000000808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, 00000000.00000000.1297748421.000000000040A000.00000008.00000001.01000000.00000003.sdmp, SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nssm.exe, nssm.exe, 00000005.00000002.1366194698.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000007.00000002.1368659903.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000009.00000000.1369522059.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000000B.00000002.1373041457.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000000D.00000000.1374230000.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000000F.00000000.1376570989.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000011.00000000.1378904152.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000013.00000002.1384174915.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000015.00000002.1387887076.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000017.00000000.1388938645.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000019.00000000.1391281770.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000001B.00000002.1395193449.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000001D.00000002.1397389767.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000001F.00000002.1416882815.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000021.00000002.2540334590.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000025.00000000.1417417033.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000027.00000000.1419927724.0000000140065000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://nssm.cc/
Source: IDmelonCredentialProviderFidoAgent.exe, 00000023.00000002.1469150305.000001C6A305B000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000023.00000003.1468035568.000001C6A305B000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.2538755134.000001FDB55BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1453414232.0000014270E8C000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1460178740.0000014271A60000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2539925841.0000020E2B220000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1508108518.0000020E2BEE1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pyparsing.wikispaces.com
Source: IDmelonCredentialProviderFidoAgent.exe, 00000023.00000002.1469150305.000001C6A305B000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000023.00000003.1468035568.000001C6A305B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesi
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1461786222.0000014272360000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541773506.0000020E2C3E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://stackoverflow.com/questions/19622133/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1449382048.00000142716A4000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442058390.0000014271A33000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1435161281.0000014271E61000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1438434561.0000014271A33000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1435161281.0000014271EA0000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441741799.0000014271691000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1444355559.0000014271A3A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442477570.00000142716A2000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512219425.0000020E2B990000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540614851.0000020E2BA1F000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540364569.0000020E2B626000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1508108518.0000020E2BEE1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular-
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: VC_redist.x64.exe, 00000004.00000003.1360114571.0000000002BCD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1460383962.0000014271B60000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540894343.0000020E2BBB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542763777.0000020E2CF10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442058390.0000014271A33000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1438434561.0000014271A33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1437963322.000001427208C000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1462047611.000001427256C000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1461908759.0000014272460000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1437963322.000001427209C000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541852979.0000020E2C4F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.nightmare.com/squirl/python-ext/misc/syslog.py
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542763777.0000020E2CF10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1461786222.0000014272360000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1460689243.0000014271D60000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541047457.0000020E2BDE0000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541773506.0000020E2C3E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://bugs.python.org/issue44497.
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512461436.0000020E2C227000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512461436.0000020E2C1EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cbor.io/
Source: IDmelonCredentialProviderFidoAgent.exe, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2548035959.00007FFB0B98C000.00000002.00000001.01000000.00000049.sdmp | String found in binary or memory: https://cffi.readthedocs.io/en/latest/using.html#callbacks
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2546972518.00007FFB0B613000.00000002.00000001.01000000.00000048.sdmp | String found in binary or memory: https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542997680.0000020E2D7D4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://develop.sentry.dev/sdk/event-payloads/exception/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540614851.0000020E2BA1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://develop.sentry.dev/sdk/event-payloads/transaction/#transaction-annotations
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542997680.0000020E2D7D4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://develop.sentry.dev/sdk/performance/span-data-conventions/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542997680.0000020E2D7D4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.sentry.io/platforms/python/contextvars/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1461908759.0000014272460000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1460383962.0000014271B60000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541852979.0000020E2C4F0000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540894343.0000020E2BBB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512219425.0000020E2B990000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441464368.0000014270846000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441234579.000001427088A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1443141337.00000142708AC000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1448198403.00000142708B2000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1427948614.00000142708AD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1453114466.00000142708B6000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1427465154.000001427088C000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442222153.000001427088A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441703606.0000014270858000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1502893772.0000020E2A908000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542262977.0000020E2CA70000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/getsentry/relay/blob/be12cd49a0f06ea932ed9b9f93a655de5d6ad6d1/relay-general/src/t
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: IDmelonCredentialProviderFidoAgent.exe, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2553655992.00007FFB1C2E9000.00000002.00000001.01000000.0000003D.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2551387174.00007FFB0C0B1000.00000002.00000001.01000000.00000033.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2549376398.00007FFB0BB63000.00000002.00000001.01000000.0000003E.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2553296398.00007FFB1BB29000.00000002.00000001.01000000.0000003F.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2551213570.00007FFB0C084000.00000002.00000001.01000000.00000035.sdmp | String found in binary or memory: https://github.com/mhammond/pywin32
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2546972518.00007FFB0B613000.00000002.00000001.01000000.00000048.sdmp | String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2546972518.00007FFB0B613000.00000002.00000001.01000000.00000048.sdmp | String found in binary or memory: https://github.com/pyca/cryptography/issues/8996
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540971548.0000020E2BCC0000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541773506.0000020E2C3E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/pypa/packaging
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1460580684.0000014271C60000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540971548.0000020E2BCC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/pypa/setuptools/issues/1024.
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1460689243.0000014271D60000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541047457.0000020E2BDE0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1453414232.0000014270E8C000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2539925841.0000020E2B220000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1502893772.0000020E2A908000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441464368.0000014270846000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441234579.000001427088A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1443141337.00000142708AC000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1448198403.00000142708B2000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1427948614.00000142708AD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1453114466.00000142708B6000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1427465154.000001427088C000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442222153.000001427088A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441703606.0000014270858000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1502893772.0000020E2A908000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441464368.0000014270846000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441234579.000001427088A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1443141337.00000142708AC000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1448198403.00000142708B2000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1427948614.00000142708AD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1453114466.00000142708B6000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1427465154.000001427088C000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442222153.000001427088A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441703606.0000014270858000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1502893772.0000020E2A908000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540364569.0000020E2B626000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://google.com/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540364569.0000020E2B626000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512461436.0000020E2C227000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/get
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1439162770.0000014271F5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://json.org
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1465066228.00007FFB0C3FF000.00000002.00000001.01000000.00000010.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2551593408.00007FFB0C3FF000.00000002.00000001.01000000.00000029.sdmp | String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1461908759.0000014272460000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1460383962.0000014271B60000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541852979.0000020E2C4F0000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540894343.0000020E2BBB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://requests.readthedocs.io
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1443096441.00000142718DD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1429424717.00000142718F1000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1459153886.00000142718E2000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1439583314.00000142718D6000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1429491422.0000014271898000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1438088616.0000014271899000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1443038849.00000142718D7000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1434283041.0000014271889000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1429637717.00000142718F1000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1429637717.00000142718A2000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1447131319.00000142718E1000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1434579442.0000014271897000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1506304591.0000020E2B96A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1507402690.0000020E2B8B8000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1506117766.0000020E2B96A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1506304591.0000020E2B91B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512219425.0000020E2B990000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540614851.0000020E2BA1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542763777.0000020E2CF10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540364569.0000020E2B626000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541773506.0000020E2C3E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://upload.pypi.org/legacy/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441464368.0000014270846000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1445288275.0000014270872000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442642900.0000014270859000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441703606.0000014270858000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1507402690.0000020E2B8B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wiki.debian.org/XDGBaseDirectorySpecification#state
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1464113224.00007FFB0BF69000.00000002.00000001.01000000.00000020.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1463392990.00007FFB0BC1B000.00000002.00000001.01000000.00000021.sdmp | String found in binary or memory: https://www.openssl.org/H
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1460383962.0000014271B60000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540894343.0000020E2BBB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1453414232.0000014270E00000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2539925841.0000020E2B220000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Code function: 0_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040571B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BFB5140 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,GetKeyboardState,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyBytes_FromStringAndSize,43_2_00007FFB0BFB5140
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C1E90 PyList_New,GetActiveProcessorCount,PyErr_SetFromWindowsErr,_Py_Dealloc,free,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,PyExc_RuntimeError,PyErr_SetString,malloc,PyErr_NoMemory,NtQuerySystemInformation,Py_BuildValue,PyList_Append,_Py_Dealloc,free,_Py_Dealloc,63_2_00007FFB174C1E90
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C73F0 malloc,NtQuerySystemInformation,free,malloc,PyErr_NoMemory,free,free,63_2_00007FFB174C73F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C5810 PyArg_ParseTuple,OpenProcess,GetLastError,NtSetInformationProcess,CloseHandle,_Py_NoneStruct,_Py_NoneStruct,63_2_00007FFB174C5810
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C4D00 PyArg_ParseTuple,OpenProcess,GetLastError,PyObject_IsTrue,NtSuspendProcess,NtResumeProcess,CloseHandle,_Py_NoneStruct,_Py_NoneStruct,63_2_00007FFB174C4D00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C6600 PyList_New,EnterCriticalSection,GetProcessHeap,HeapAlloc,PyErr_NoMemory,_Py_Dealloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,PyExc_RuntimeError,PyErr_SetString,GetCurrentProcess,DuplicateHandle,PyUnicode_FromWideChar,PyList_Append,_Py_Dealloc,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,_Py_Dealloc,GetProcessHeap,HeapFree,LeaveCriticalSection,63_2_00007FFB174C6600
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C6AA0 OpenProcess,GetLastError,NtQueryInformationProcess,RtlNtStatusToDosErrorNoTeb,PyErr_SetFromWindowsErrWithFilename,CloseHandle,ReadProcessMemory,GetLastError,CloseHandle,ReadProcessMemory,NtQueryInformationProcess,CloseHandle,ReadProcessMemory,ReadProcessMemory,VirtualQueryEx,GetLastError,PyErr_SetFromWindowsErrWithFilename,CloseHandle,calloc,PyErr_NoMemory,CloseHandle,ReadProcessMemory,GetLastError,CloseHandle,free,CloseHandle,63_2_00007FFB174C6AA0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C4A70 PyArg_ParseTuple,OpenProcess,GetLastError,GetProcessHeap,HeapAlloc,NtQueryVirtualMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQueryVirtualMemory,PyExc_RuntimeError,PyErr_SetString,CloseHandle,PyErr_Clear,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,Py_BuildValue,PyErr_NoMemory,CloseHandle,63_2_00007FFB174C4A70
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C2480 GetActiveProcessorCount,PyErr_SetFromWindowsErr,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,PyExc_RuntimeError,PyErr_SetString,malloc,PyErr_NoMemory,NtQuerySystemInformation,free,malloc,PyErr_NoMemory,NtQuerySystemInformation,malloc,PyErr_NoMemory,NtQuerySystemInformation,free,free,free,free,free,Py_BuildValue,63_2_00007FFB174C2480
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C4680 PyArg_ParseTuple,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,Py_BuildValue,PyUnicode_FromWideChar,GetProcessHeap,HeapFree,PyErr_NoMemory,63_2_00007FFB174C4680
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C5720 PyArg_ParseTuple,OpenProcess,GetLastError,NtQueryInformationProcess,CloseHandle,Py_BuildValue,63_2_00007FFB174C5720
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C6250 GetProcessHeap,HeapAlloc,GetFileType,SetLastError,NtQueryObject,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,PyErr_NoMemory,GetProcessHeap,HeapFree,63_2_00007FFB174C6250
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C6E40 PyExc_RuntimeError,PyErr_SetString,OpenProcess,GetLastError,NtQueryInformationProcess,CloseHandle,CloseHandle,calloc,PyErr_NoMemory,CloseHandle,NtQueryInformationProcess,calloc,PyErr_NoMemory,free,CloseHandle,wcscpy_s,free,CloseHandle,63_2_00007FFB174C6E40
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BB43B30: _Py_NoneStruct,_PyArg_ParseTupleAndKeywords_SizeT,?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z,?init@PyWinBufferView@@QEAA_NPEAU_object@@_N1@Z,?PyWinObject_AsOVERLAPPED@@YAHPEAU_object@@PEAPEAU_OVERLAPPED@@H@Z,PyLong_AsLong,PyErr_Occurred,PyErr_Clear,?init@PyWinBufferView@@QEAA_NPEAU_object@@_N1@Z,PyErr_Clear,PyExc_TypeError,PyErr_Format,?PyBuffer_New@@YAPEAU_object@@_J@Z,?init@PyWinBufferView@@QEAA_NPEAU_object@@_N1@Z,_Py_Dealloc,PyBytes_FromStringAndSize,PyEval_SaveThread,DeviceIoControl,PyEval_RestoreThread,GetLastError,_Py_Dealloc,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PySequence_GetSlice,_Py_Dealloc,_PyBytes_Resize,??1PyWinBufferView@@QEAA@XZ,??1PyWinBufferView@@QEAA@XZ,43_2_00007FFB0BB43B30
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeCode function: 5_2_00000001400133A0 _snwprintf_s,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,5_2_00000001400133A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeCode function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403532
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BFB5A90 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,ExitWindowsEx,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_NoneStruct,_Py_NoneStruct,43_2_00007FFB0BFB5A90
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BFB5B30 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,ExitWindowsEx,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_NoneStruct,_Py_NoneStruct,43_2_00007FFB0BFB5B30
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile created: C:\Windows\System32\IDmelonV2CredentialProvider.dllJump to behavior
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeFile deleted: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exeJump to behavior
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC24ACA43_2_00007FFB0BC24ACA
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2504C43_2_00007FFB0BC2504C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2276B43_2_00007FFB0BC2276B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2561443_2_00007FFB0BC25614
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC215C843_2_00007FFB0BC215C8
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC254CF43_2_00007FFB0BC254CF
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC21B2743_2_00007FFB0BC21B27
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BD62C0043_2_00007FFB0BD62C00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC23A9443_2_00007FFB0BC23A94
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC24D0943_2_00007FFB0BC24D09
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC25F1043_2_00007FFB0BC25F10
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC25DA343_2_00007FFB0BC25DA3
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC223F643_2_00007FFB0BC223F6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BDDA90043_2_00007FFB0BDDA900
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC253AD43_2_00007FFB0BC253AD
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC244CB43_2_00007FFB0BC244CB
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC3F06043_2_00007FFB0BC3F060
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2638E43_2_00007FFB0BC2638E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BDC301043_2_00007FFB0BDC3010
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC24F4343_2_00007FFB0BC24F43
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2217143_2_00007FFB0BC22171
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC3EF0043_2_00007FFB0BC3EF00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC253C643_2_00007FFB0BC253C6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2213A43_2_00007FFB0BC2213A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2543443_2_00007FFB0BC25434
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BD02CD043_2_00007FFB0BD02CD0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2656443_2_00007FFB0BC26564
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2129943_2_00007FFB0BC21299
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2121743_2_00007FFB0BC21217
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2363443_2_00007FFB0BC23634
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC26EBF43_2_00007FFB0BC26EBF
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC21A5043_2_00007FFB0BC21A50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2230143_2_00007FFB0BC22301
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC226EE43_2_00007FFB0BC226EE
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC26D5C43_2_00007FFB0BC26D5C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BDD610043_2_00007FFB0BDD6100
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC268CA43_2_00007FFB0BC268CA
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC24E5343_2_00007FFB0BC24E53
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2144C43_2_00007FFB0BC2144C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BD4E5F043_2_00007FFB0BD4E5F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BD625D043_2_00007FFB0BD625D0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC26FFF43_2_00007FFB0BC26FFF
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2318E43_2_00007FFB0BC2318E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC265A043_2_00007FFB0BC265A0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2440843_2_00007FFB0BC24408
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC210AA43_2_00007FFB0BC210AA
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2707C43_2_00007FFB0BC2707C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2416A43_2_00007FFB0BC2416A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2369843_2_00007FFB0BC23698
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2348B43_2_00007FFB0BC2348B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC3BF2043_2_00007FFB0BC3BF20
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC260DC43_2_00007FFB0BC260DC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC25E2543_2_00007FFB0BC25E25
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC3BD6043_2_00007FFB0BC3BD60
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC21CC643_2_00007FFB0BC21CC6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BD53CC043_2_00007FFB0BD53CC0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC25A6543_2_00007FFB0BC25A65
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BD5748043_2_00007FFB0BD57480
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC22D1043_2_00007FFB0BC22D10
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC23BA743_2_00007FFB0BC23BA7
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2267143_2_00007FFB0BC22671
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2298743_2_00007FFB0BC22987
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2725743_2_00007FFB0BC27257
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2383743_2_00007FFB0BC23837
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC3F20043_2_00007FFB0BC3F200
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC26EF143_2_00007FFB0BC26EF1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC4B1C043_2_00007FFB0BC4B1C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2114F43_2_00007FFB0BC2114F
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC250B043_2_00007FFB0BC250B0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BDDB0E043_2_00007FFB0BDDB0E0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC257D643_2_00007FFB0BC257D6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BD5778043_2_00007FFB0BD57780
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2379243_2_00007FFB0BC23792
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC8F70043_2_00007FFB0BC8F700
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2435E43_2_00007FFB0BC2435E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC21B3643_2_00007FFB0BC21B36
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC2474B43_2_00007FFB0BC2474B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BC4B55043_2_00007FFB0BC4B550
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BF898DC43_2_00007FFB0BF898DC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BF8950443_2_00007FFB0BF89504
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BF8563843_2_00007FFB0BF85638
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BF8815043_2_00007FFB0BF88150
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BF8B43443_2_00007FFB0BF8B434
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BFB45C043_2_00007FFB0BFB45C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BFB3B2043_2_00007FFB0BFB3B20
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BFB374043_2_00007FFB0BFB3740
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BFF82C043_2_00007FFB0BFF82C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0C00BD2043_2_00007FFB0C00BD20
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BFF7E9043_2_00007FFB0BFF7E90
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B04BC40
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B04A880
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B044C80
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B048EBC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B04D6F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B04EEE0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B045754
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B04F1B0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B0531A9
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B0451C4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B04E0B0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B04FD00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B091FD0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B092440
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B0A4820
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B0A45D0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B0B24A0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B0B3550
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B0B29C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B0B2EC0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B0B1FF0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B0B1D80
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B0C2130
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B0C1D40
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B0D21C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B0D1F10
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B0F1FA0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B101D40
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B102270
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B102380
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B111D40
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B112550
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B121D40
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B1222D0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B132160
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B952070
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B97B2A0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B9B1C70
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B9B7808
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B9B5FF4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B9BCA88
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B9D6E30
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0B9F1860
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BB1C050
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BB13A00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BB20170
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC21EA6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC25934
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC24A59
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC23B98
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC2516E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BD58960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC22D79
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC25D8A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC26CBC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC26A87
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC23FDF
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC2655F
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC21F9B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BE60E00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC260A0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC222ED
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC221BC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC26F28
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC21140
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC2704A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC3C480
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC272C5
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BCD0440
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC25B14
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC22C7A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BDC4170
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC25B78
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC24106
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC24B5B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC26C21
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC229D2
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BD5C660
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC3C620
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC2177B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC24638
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC225F4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC22144
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC269E7
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BD4DC50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC23602
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC21D02
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC23A8A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BDD99D0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC259FC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC22FD1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC211CC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC24C19
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC22761
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC222B1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC272AC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC2736A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC21D88
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC21622
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BD51490
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC232EC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC2428C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC25515
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC2228E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC3D260
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC230C6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC45200
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC25BF5
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BD59130
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BDD9100
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC2710D
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BDC50B0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC21424
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BD61760
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC254D4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC22E91
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC24C3C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC24ACA
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC2504C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC2276B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC25614
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC215C8
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC254CF
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC21B27
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BD62C00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC23A94
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC24D09
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC25F10
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC25DA3
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC223F6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BDDA900
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC253AD
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC244CB
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC3F060
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC2638E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BDC3010
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC24F43
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC22171
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC3EF00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC253C6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC2213A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 63_2_00007FFB0BC25434
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BD02CD063_2_00007FFB0BD02CD0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2656463_2_00007FFB0BC26564
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2129963_2_00007FFB0BC21299
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2121763_2_00007FFB0BC21217
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2363463_2_00007FFB0BC23634
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC26EBF63_2_00007FFB0BC26EBF
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC21A5063_2_00007FFB0BC21A50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2230163_2_00007FFB0BC22301
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC226EE63_2_00007FFB0BC226EE
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC26D5C63_2_00007FFB0BC26D5C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BDD610063_2_00007FFB0BDD6100
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC268CA63_2_00007FFB0BC268CA
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC24E5363_2_00007FFB0BC24E53
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2144C63_2_00007FFB0BC2144C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BD4E5F063_2_00007FFB0BD4E5F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BD625D063_2_00007FFB0BD625D0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC26FFF63_2_00007FFB0BC26FFF
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2318E63_2_00007FFB0BC2318E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC265A063_2_00007FFB0BC265A0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2440863_2_00007FFB0BC24408
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC210AA63_2_00007FFB0BC210AA
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2707C63_2_00007FFB0BC2707C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2416A63_2_00007FFB0BC2416A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2369863_2_00007FFB0BC23698
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2348B63_2_00007FFB0BC2348B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC3BF2063_2_00007FFB0BC3BF20
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC260DC63_2_00007FFB0BC260DC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC25E2563_2_00007FFB0BC25E25
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC3BD6063_2_00007FFB0BC3BD60
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC21CC663_2_00007FFB0BC21CC6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BD53CC063_2_00007FFB0BD53CC0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC25A6563_2_00007FFB0BC25A65
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BD5748063_2_00007FFB0BD57480
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC22D1063_2_00007FFB0BC22D10
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC23BA763_2_00007FFB0BC23BA7
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2267163_2_00007FFB0BC22671
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2298763_2_00007FFB0BC22987
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2725763_2_00007FFB0BC27257
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2383763_2_00007FFB0BC23837
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC3F20063_2_00007FFB0BC3F200
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC26EF163_2_00007FFB0BC26EF1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC4B1C063_2_00007FFB0BC4B1C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2114F63_2_00007FFB0BC2114F
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC250B063_2_00007FFB0BC250B0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BDDB0E063_2_00007FFB0BDDB0E0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC257D663_2_00007FFB0BC257D6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BD5778063_2_00007FFB0BD57780
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2379263_2_00007FFB0BC23792
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC8F70063_2_00007FFB0BC8F700
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2435E63_2_00007FFB0BC2435E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC21B3663_2_00007FFB0BC21B36
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC2474B63_2_00007FFB0BC2474B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC4B55063_2_00007FFB0BC4B550
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB1691222063_2_00007FFB16912220
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C99D063_2_00007FFB174C99D0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C1E9063_2_00007FFB174C1E90
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C4DF063_2_00007FFB174C4DF0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C2B0063_2_00007FFB174C2B00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C660063_2_00007FFB174C6600
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C2E7063_2_00007FFB174C2E70
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C399063_2_00007FFB174C3990
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174C8F3063_2_00007FFB174C8F30
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB18B7AB1063_2_00007FFB18B7AB10
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB1AB0164063_2_00007FFB1AB01640
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exeCode function: String function: 003031C7 appears 85 times
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exeCode function: String function: 0030012F appears 678 times
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exeCode function: String function: 002C1F20 appears 54 times
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exeCode function: String function: 0030061A appears 34 times
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exeCode function: String function: 002C37D3 appears 496 times
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: String function: 00A3012F appears 678 times
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: String function: 009F37D3 appears 496 times
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: String function: 00A3061A appears 34 times
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: String function: 00A331C7 appears 83 times
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: String function: 009F1F20 appears 54 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BC22DD3 appears 38 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BC224BE appears 168 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BB138C0 appears 96 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BC2405C appears 1558 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BC21EF6 appears 3160 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB174C1070 appears 43 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BBDE055 appears 105 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BBDDFBF appears 218 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BE67EBA appears 58 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BC22739 appears 1032 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0B06779C appears 32 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BC22A09 appears 344 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BFF8250 appears 248 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BC24840 appears 258 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FF600532010 appears 52 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BB712EE appears 568 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BB13850 appears 51 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BC2688E appears 62 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BC23012 appears 110 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BC24D6D appears 68 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BC2698D appears 98 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB0BB54D1B appears 54 times
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: String function: 00007FFB174C1D70 appears 39 times
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Static PE information: invalid certificate
Source: unicodedata.pyd.35.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: python3.dll.35.dr | Static PE information: No import functions for PE file found
Source: IDmelonFcp.exe.0.dr | Static PE information: No import functions for PE file found
Source: FileDeleter.exe.0.dr | Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal80.evad.winEXE@96/272@1/0
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A2FD20 FormatMessageW,GetLastError,LocalFree | 3_2_00A2FD20
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_00403532
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_009F44E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle | 3_2_009F44E9
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_002C44E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle | 4_2_002C44E9
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Code function: 5_2_000000014000A810 GetCurrentThread,OpenThreadToken,GetLastError,ImpersonateSelf,GetCurrentThread,OpenThreadToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle | 5_2_000000014000A810
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB174C7DB0 GetCurrentProcess,OpenProcessToken,GetLastError,ImpersonateSelf,OpenProcessToken,GetLastError,PyErr_SetFromWindowsErrWithFilename,LookupPrivilegeValueA,GetLastError,PyErr_SetFromWindowsErrWithFilename,AdjustTokenPrivileges,GetLastError,PyErr_SetFromWindowsErrWithFilename,AdjustTokenPrivileges,RevertToSelf,CloseHandle | 63_2_00007FFB174C7DB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Code function: 0_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW | 0_2_004049C7
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Code function: _snwprintf_s,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle | 5_2_00000001400133A0
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Code function: 5_2_000000014000ACB0 CreateToolhelp32Snapshot,GetLastError,GetLastError,CloseHandle,PostThreadMessageW,Thread32Next,PostThreadMessageW,Thread32Next,GetLastError,GetLastError,CloseHandle | 5_2_000000014000ACB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Code function: 0_2_004021AF CoCreateInstance | 0_2_004021AF
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Code function: 5_2_0000000140002840 GetUserDefaultLangID,FindResourceExW,GetLastError,FindResourceExW,LoadResource,CreateDialogIndirectParamW | 5_2_0000000140002840
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A16945 ChangeServiceConfigW,GetLastError | 3_2_00A16945
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Code function: 5_2_000000014000A2E0 _snwprintf_s,PathQuoteSpacesW,GetModuleFileNameW,GetModuleFileNameW,PathQuoteSpacesW,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError | 5_2_000000014000A2E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | File created: C:\Program Files (x86)\IDmelon
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | File created: C:\Users\user~1\AppData\Local\Temp\nsdC5D3.tmp
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Command line argument: cabinet.dll | 3_2_009F1070
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Command line argument: msi.dll | 3_2_009F1070
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Command line argument: version.dll | 3_2_009F1070
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Command line argument: wininet.dll | 3_2_009F1070
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Command line argument: comres.dll | 3_2_009F1070
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Command line argument: clbcatq.dll | 3_2_009F1070
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Command line argument: msasn1.dll | 3_2_009F1070
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Command line argument: crypt32.dll | 3_2_009F1070
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Command line argument: feclient.dll | 3_2_009F1070
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Command line argument: cabinet.dll | 4_2_002C1070
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Command line argument: msi.dll | 4_2_002C1070
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Command line argument: version.dll | 4_2_002C1070
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Command line argument: wininet.dll | 4_2_002C1070
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Command line argument: comres.dll | 4_2_002C1070
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Command line argument: clbcatq.dll | 4_2_002C1070
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Command line argument: msasn1.dll | 4_2_002C1070
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Command line argument: crypt32.dll | 4_2_002C1070
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Command line argument: feclient.dll | 4_2_002C1070
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Virustotal: Detection: 12%
Source: vc_redist.x64.exe | String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: VC_redist.x64.exe | String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe "C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" /quiet
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Process created: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe "C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 /quiet
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" install IDmelonFidoCredentialProviderService "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Application "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppDirectory "C:\Program Files (x86)\IDmelon\FCP"
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdout "C:\Program Files (x86)\IDmelon\FCP\logs.log"
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderr "C:\Program Files (x86)\IDmelon\FCP\logs.log"
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Description "Handles the FIDO authentication of IDmelon credential provider."
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdoutCreationDisposition 4
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderrCreationDisposition 4
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateFiles 1
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateOnline 0
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateBytes 5000000
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Start SERVICE_AUTO_START
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" restart IDmelonFidoCredentialProviderService
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" status IDmelonFidoCredentialProviderService
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" start IDmelonFidoCredentialProviderService
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\SysWOW64\cacls.exe CACLS "C:\Program Files (x86)\IDmelon\FCP\cashedData.xml" /e /p Everyone:f
Source: C:\Windows\SysWOW64\cacls.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\SysWOW64\cacls.exe CACLS "C:\Program Files (x86)\IDmelon\FCP\service_log.lo" /e /p Everyone:f
Source: C:\Windows\SysWOW64\cacls.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Program Files (x86)\IDmelon\FCP" /inheritance:d
Source: C:\Windows\SysWOW64\icacls.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Program Files (x86)\IDmelon\FCP" /grant:r everyone:(OI)(CI)(F) /T
Source: C:\Windows\SysWOW64\icacls.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=out program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule IDmelonFidoCredentialProviderService dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule IDmelonFidoCredentialProviderService dir=out program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe "C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" /quietJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" install IDmelonFidoCredentialProviderService "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppDirectory "C:\Program Files (x86)\IDmelon\FCP"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdout "C:\Program Files (x86)\IDmelon\FCP\logs.log"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderr "C:\Program Files (x86)\IDmelon\FCP\logs.log"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe "C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 /quietJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdoutCreationDisposition 4Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderrCreationDisposition 4Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateFiles 1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdout "C:\Program Files (x86)\IDmelon\FCP\logs.log"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateBytes 5000000Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" status IDmelonFidoCredentialProviderServiceJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" start IDmelonFidoCredentialProviderServiceJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\SysWOW64\cacls.exe CACLS "C:\Program Files (x86)\IDmelon\FCP\cashedData.xml" /e /p Everyone:fJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\SysWOW64\cacls.exe CACLS "C:\Program Files (x86)\IDmelon\FCP\service_log.lo" /e /p Everyone:fJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Program Files (x86)\IDmelon\FCP" /grant:r everyone:(OI)(CI)(F) /TJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yesJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule IDmelonFidoCredentialProviderService dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yesJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Windows\SysWOW64\cacls.exe CACLS "C:\Program Files (x86)\IDmelon\FCP\cashedData.xml" /e /p Everyone:fJump to behavior
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeProcess created: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe "C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 /quietJump to behavior
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
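Read together, the process-creation entries above record one procedure rather than a set of unrelated events: nssm registers IDmelonFidoCredentialProviderService with IDmelonCredentialProviderFidoAgent.exe as its binary and sets it to SERVICE_AUTO_START; cacls and icacls then grant Everyone full control over files in C:\Program Files (x86)\IDmelon\FCP and, with `/grant:r everyone:(OI)(CI)(F) /T`, over the whole directory tree recursively; netsh adds inbound and outbound allow rules for the agent on every profile. The overlap of the first two is the point a practitioner should pull out of the listing: the directory holding a service binary becomes writable by any local user, so the binary can be swapped before the next service start. Whether that yields SYSTEM depends on the service account; nssm registers services as LocalSystem unless ObjectName is set, and no ObjectName call appears in the listing, but that account is an assumption, not something the report states. The script below is an added example written for this page, not code from Joe Sandbox or from the IDmelon product. It parses a handful of command lines copied from the report (embedded as a constructed sample), reports the service install, the broad ACL grants and the firewall allow rules, and flags the case where a registered service binary sits under a path a broad principal can write to. The principal and rights lists are assumptions to tune per environment.

```python
"""Correlate Windows process-creation command lines for risky installer behaviour.

Added example for this report (not Joe Sandbox or IDmelon code). It looks for:
  1. a service registered with nssm (records the binary path),
  2. cacls/icacls grants of write or full control to a broad principal,
  3. 'netsh advfirewall firewall add rule ... action=allow',
and then checks whether any service binary from (1) lies on or under a path from (2).
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: command lines copied from the report's "Process created" entries.
SAMPLE_LOG = [
    r'"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" install IDmelonFidoCredentialProviderService "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"',
    r'"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Start SERVICE_AUTO_START',
    r'CACLS "C:\Program Files (x86)\IDmelon\FCP\cashedData.xml" /e /p Everyone:f',
    r'icacls "C:\Program Files (x86)\IDmelon\FCP" /inheritance:d',
    r'icacls "C:\Program Files (x86)\IDmelon\FCP" /grant:r everyone:(OI)(CI)(F) /T',
    r'netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes',
    r'C:\Windows\system32\cmd.exe /c "ver"',
]

# Assumed lists: principals that amount to "any local user", and simple-rights letters
# that allow replacing a file (icacls F/M/W, cacls F/C). Tune these for your estate.
BROAD_PRINCIPALS = {"everyone", "users", "authenticated users", "builtin\\users", "s-1-1-0"}
WRITE_RIGHTS = {"F", "M", "W", "C"}

NSSM_INSTALL = re.compile(r'nssm\.exe"?\s+install\s+(\S+)\s+"([^"]+)"', re.I)
CACLS_GRANT = re.compile(r'^cacls\s+"([^"]+)".*?/p\s+([^:\s]+):([a-z])', re.I)
ICACLS_GRANT = re.compile(r'^icacls\s+"([^"]+)".*?/grant(?::r)?\s+([^:\s]+):(\S+)', re.I)
NETSH_RULE = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b', re.I)


def parse_acl_grant(cmd):
    """Return (path, principal, rights) for a cacls /p or icacls /grant call, else None."""
    m = CACLS_GRANT.match(cmd)
    if m:
        return m.group(1), m.group(2).lower(), {m.group(3).upper()}
    m = ICACLS_GRANT.match(cmd)
    if m:
        # '(OI)(CI)(F)' -> {'OI', 'CI', 'F'}; a bare 'F' is kept as-is.
        spec = m.group(3).upper()
        rights = set(re.findall(r'\(([A-Z]+)\)', spec)) or {spec}
        return m.group(1), m.group(2).lower(), rights
    return None


def parse_firewall_rule(cmd):
    """Return {'dir', 'program', 'action'} for a firewall add-rule call, else None."""
    if not NETSH_RULE.search(cmd):
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', cmd))
    return {k: fields.get(k, "").strip('"') for k in ("dir", "program", "action")}


def analyze(command_lines):
    """Return a list of (kind, detail) findings for the given command lines."""
    services = {}   # service name -> binary path
    grants = []     # (path, principal, rights)
    findings = []
    for cmd in command_lines:
        m = NSSM_INSTALL.search(cmd)
        if m:
            services[m.group(1)] = m.group(2)
            findings.append(("service_install", f"{m.group(1)} -> {m.group(2)}"))
            continue
        grant = parse_acl_grant(cmd)
        if grant:
            grants.append(grant)
            path, principal, rights = grant
            if principal in BROAD_PRINCIPALS and rights & WRITE_RIGHTS:
                findings.append(("broad_write_acl", f"{principal} gets {sorted(rights)} on {path}"))
            continue
        fw = parse_firewall_rule(cmd)
        if fw and fw["action"].lower() == "allow":
            findings.append(("firewall_allow", f"{fw['dir']} {fw['program']}"))
    # Compound check: full control on the containing directory is enough to delete
    # and re-create the binary, so (OI)/(CI) inheritance flags are not required here.
    for name, binary in services.items():
        bin_path = PureWindowsPath(binary)
        for path, principal, rights in grants:
            if principal not in BROAD_PRINCIPALS or not rights & WRITE_RIGHTS:
                continue
            target = PureWindowsPath(path)   # case-insensitive comparison on this flavour
            if target == bin_path or target in bin_path.parents:
                findings.append(("service_binary_writable",
                                 f"{name}: {binary} is under {path}, writable by {principal}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

Feed it the CommandLine field of your own process-creation telemetry (Sysmon Event ID 1 or an EDR export) rather than the sample. On a host where this installer has run, `icacls "C:\Program Files (x86)\IDmelon\FCP"` shows whether the Everyone:(OI)(CI)(F) entry is still in place, and `sc qc IDmelonFidoCredentialProviderService` shows which account the service actually runs under.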
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\dllhost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dllhost.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe | Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: w32time.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: logoncli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Section loaded: msi.dll
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Section loaded: cabinet.dll
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Section loaded: msxml3.dll
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Section loaded: feclient.dll
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Section loaded: apphelp.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: msi.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: version.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: cabinet.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: msxml3.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: wldp.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: profapi.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: feclient.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: iertutil.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: textinputframework.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: wintypes.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: wintypes.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: wintypes.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: msimg32.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: explorerframe.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: riched20.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: usp10.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: msls31.dll
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Section loaded: textshaping.dll
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cacls.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cacls.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: libffi-7.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: vcruntime140_1.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: secur32.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: libcrypto-1_1.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: libssl-1_1.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: sfc.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cacls.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cacls.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\icacls.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\icacls.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: libffi-7.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: vcruntime140_1.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: secur32.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: libcrypto-1_1.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: libssl-1_1.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: sfc.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: powrprof.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: pdh.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: umpdc.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: netapi32.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: wkscli.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: logoncli.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: samcli.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: hid.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: winsta.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | File written: C:\Users\user\AppData\Local\Temp\nstC680.tmp\ioSpecial.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IDmelon FCP
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Static file information: File size 42660808 > 1048576
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: vc_redist.x64.exe, 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp, vc_redist.x64.exe, 00000003.00000000.1353568119.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp, VC_redist.x64.exe, 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp, VC_redist.x64.exe, 00000004.00000000.1354748130.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1464603934.00007FFB0C03C000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: Release\win32pipe.pdb source: IDmelonCredentialProviderFidoAgent.exe
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2548740919.00007FFB0BAFC000.00000002.00000001.01000000.00000043.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb## source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2543870556.00007FFB0B069000.00000002.00000001.01000000.0000005D.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1466630850.00007FFB1DF0B000.00000002.00000001.01000000.00000016.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2554901948.00007FFB1DF0B000.00000002.00000001.01000000.0000002F.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2543870556.00007FFB0B069000.00000002.00000001.01000000.0000005D.sdmp
Source: Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1463295105.00007FFB0BBE6000.00000002.00000001.01000000.00000021.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2549543223.00007FFB0BBE6000.00000002.00000001.01000000.0000003A.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1466166586.00007FFB1D5B5000.00000002.00000001.01000000.0000001B.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2554249601.00007FFB1D5B5000.00000002.00000001.01000000.00000034.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb}},GCTL source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1464603934.00007FFB0C03C000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2546972518.00007FFB0B613000.00000002.00000001.01000000.00000048.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1463910526.00007FFB0BE70000.00000002.00000001.01000000.00000020.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2550164045.00007FFB0BE70000.00000002.00000001.01000000.00000039.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1465912346.00007FFB1CA15000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: C:\projects\hidapi\windows\x64\Release\hidapi.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2548228809.00007FFB0B9BE000.00000002.00000001.01000000.00000047.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1464798053.00007FFB0C0A0000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1463910526.00007FFB0BEF2000.00000002.00000001.01000000.00000020.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2550164045.00007FFB0BEF2000.00000002.00000001.01000000.00000039.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32net.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2548458242.00007FFB0B9DB000.00000002.00000001.01000000.00000046.sdmp
Source: Binary string: win32event.pdb source: IDmelonCredentialProviderFidoAgent.exe
Source: Binary string: D:\a\1\b\libssl-1_1.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1463295105.00007FFB0BBE6000.00000002.00000001.01000000.00000021.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2549543223.00007FFB0BBE6000.00000002.00000001.01000000.0000003A.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32pipe.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1465788664.00007FFB1C2E5000.00000002.00000001.01000000.00000024.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32net.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2548458242.00007FFB0B9DB000.00000002.00000001.01000000.00000046.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1466790982.00007FFB1E3A3000.00000002.00000001.01000000.00000019.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2555300836.00007FFB1E3A3000.00000002.00000001.01000000.00000032.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1463910526.00007FFB0BE70000.00000002.00000001.01000000.00000020.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2550164045.00007FFB0BE70000.00000002.00000001.01000000.00000039.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1467307183.00007FFB1E871000.00000002.00000001.01000000.00000011.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2556182828.00007FFB1E871000.00000002.00000001.01000000.0000002A.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1467063030.00007FFB1E850000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2552769265.00007FFB1AB06000.00000002.00000001.01000000.00000040.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb!! source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1464446893.00007FFB0BFC3000.00000002.00000001.01000000.0000001D.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2550842451.00007FFB0BFC3000.00000002.00000001.01000000.00000036.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1465667650.00007FFB1C257000.00000002.00000001.01000000.00000022.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2553385771.00007FFB1C257000.00000002.00000001.01000000.0000003B.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2544050747.00007FFB0B082000.00000002.00000001.01000000.0000005C.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32file.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1463063031.00007FFB0BB55000.00000002.00000001.01000000.00000025.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2549310942.00007FFB0BB55000.00000002.00000001.01000000.0000003E.sdmp
Source: Binary string: crypto\stack\stack.cOPENSSL_sk_dupOPENSSL_sk_deep_copysk_reserveOPENSSL_sk_new_reserveOPENSSL_sk_reserveOPENSSL_sk_insertOPENSSL_sk_seti=%dcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC3.1.4built on: Fri Nov 24 00:12:45 2023 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptoOPENSSL_atexitcrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2546972518.00007FFB0B613000.00000002.00000001.01000000.00000048.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python310.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1465066228.00007FFB0C3FF000.00000002.00000001.01000000.00000010.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2551593408.00007FFB0C3FF000.00000002.00000001.01000000.00000029.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1466469305.00007FFB1DED2000.00000002.00000001.01000000.00000017.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2554691544.00007FFB1DED2000.00000002.00000001.01000000.00000030.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1464446893.00007FFB0BFC3000.00000002.00000001.01000000.0000001D.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2550842451.00007FFB0BFC3000.00000002.00000001.01000000.00000036.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1466039739.00007FFB1D343000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1466630850.00007FFB1DF0B000.00000002.00000001.01000000.00000016.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2554901948.00007FFB1DF0B000.00000002.00000001.01000000.0000002F.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb** source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1464798053.00007FFB0C0A0000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1466919560.00007FFB1E3BD000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1466322473.00007FFB1DE98000.00000002.00000001.01000000.00000018.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2554463336.00007FFB1DE98000.00000002.00000001.01000000.00000031.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1452100859.0000014270790000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1464247580.00007FFB0BF8D000.00000002.00000001.01000000.0000001F.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2550628722.00007FFB0BF8D000.00000002.00000001.01000000.00000038.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32event.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1465530100.00007FFB1BB25000.00000002.00000001.01000000.00000026.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2553241342.00007FFB1BB25000.00000002.00000001.01000000.0000003F.sdmp
Source: Microsoft.Win32.Registry.dll.0.drStatic PE information: 0x80FC6AE5 [Thu Jul 29 14:21:25 2038 UTC]
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeCode function: 5_2_0000000140023A88 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,5_2_0000000140023A88
Source: md.cp310-win_amd64.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x12854
Source: System.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x67cd
Source: EnVar.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0xe868
Source: _psutil_windows.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x1d3ed
Source: hidapi.dll.35.dr | Static PE information: real checksum: 0x0 should be: 0x1c6c2
Source: _rust.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x66978e
Source: nsExec.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0xc1ae
Source: uninstall.exe.0.dr | Static PE information: real checksum: 0x28b16b9 should be: 0x329d7
Source: pythoncom310.dll.35.dr | Static PE information: real checksum: 0x0 should be: 0xa906f
Source: md__mypyc.cp310-win_amd64.pyd.35.dr | Static PE information: real checksum: 0x0 should be: 0x2bdb3
Source: FileDeleter.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x2196a
Source: InstallOptions.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0xb123
Source: pywintypes310.dll.35.dr | Static PE information: real checksum: 0x0 should be: 0x26a6c
Caveat: "real checksum" is the value stored in IMAGE_OPTIONAL_HEADER.CheckSum and "should be" is the value recomputed over the file. A stored 0x0 means the linker never filled the field (it does so only with /RELEASE), which is the norm for user-mode DLLs and Python extension modules; Windows enforces the field only for drivers and boot-time DLLs. uninstall.exe (0x28b16b9 stored, 0x329d7 recomputed) is the only entry whose field is populated, so it is the only one where the mismatch says anything, namely that the bytes changed after the value was written.
Source: vc_redist.x64.exe.0.dr | Static PE information: section name: .wixburn
Source: IDmelonCredentialProviderFidoAgent.exe.0.dr | Static PE information: section name: _RDATA
Source: VC_redist.x64.exe.3.dr | Static PE information: section name: .wixburn
Source: libcrypto-1_1.dll.35.dr | Static PE information: section name: .00cfg
Source: libssl-1_1.dll.35.dr | Static PE information: section name: .00cfg
Source: python310.dll.35.dr | Static PE information: section name: PyRuntim
Source: mfc140u.dll.35.dr | Static PE information: section name: .didat
Source: VCRUNTIME140.dll.35.dr | Static PE information: section name: _RDATA
Caveat: none of these is a packer marker. .wixburn is the WiX Burn bootstrapper's manifest section (the VC++ redistributable is a Burn bundle); .00cfg holds MSVC Control Flow Guard data and _RDATA is another read-only data section emitted by recent MSVC toolchains; .didat is the MSVC delay-load import table; PyRuntim is the section in which CPython places its _PyRuntime state so that debuggers can locate it.
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A1E876 push ecx; ret 3_2_00A1E889
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_002EE876 push ecx; ret 4_2_002EE889
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Code function: 5_2_00000001400055DB push rcx; iretd 5_2_00000001400055DC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 35_2_00007FF60057510C push rcx; retf 0000h 35_2_00007FF60057510D
Caveat: push/ret, push/iretd and push/retf pairs are the generic "push-return" obfuscation heuristic. The latter two usually mean the disassembler landed mid-instruction or in data (iretd and retf have no place in user-mode x64 code). Here they appear in Microsoft's redistributable bootstrapper, NSSM and the agent, and need confirmation from a real disassembly before they count as obfuscation.
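The two static checks above can be re-derived on any of the dropped files. The Python below is an added example for this page, not code from the Joe Sandbox report or from the IDmelon product; it uses only the standard library, so it runs without pefile. The 160-byte header-only image it constructs for the demonstration is not a real executable, and the 0x80FC6AE5 TimeDateStamp and 0x28b16b9 CheckSum fed into it are the values the report shows for Microsoft.Win32.Registry.dll and uninstall.exe.

```python
"""Re-derive two static PE checks the report applies to dropped files: the
optional-header CheckSum ("real checksum ... should be ...") and the COFF
TimeDateStamp ("suspicious time stamp"). Standard library only."""
import struct
from datetime import datetime, timezone
from typing import Optional, Tuple


def _pe_offsets(data: bytes) -> Tuple[int, int]:
    """Return (offset of IMAGE_FILE_HEADER, offset of the CheckSum field)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4         # IMAGE_FILE_HEADER follows the 4-byte signature
    optional = coff + 20        # IMAGE_OPTIONAL_HEADER (PE32 or PE32+)
    return coff, optional + 64  # CheckSum sits at +64 in both optional-header layouts


def stored_checksum(data: bytes) -> int:
    """CheckSum as written by the linker (0 when the field was never filled in)."""
    _, off = _pe_offsets(data)
    return struct.unpack_from("<I", data, off)[0]


def compute_checksum(data: bytes) -> int:
    """Algorithm behind imagehlp!MapFileAndCheckSum: sum the file as little-endian
    dwords with end-around carry, skipping the CheckSum field itself, fold to
    16 bits, then add the file length."""
    _, skip = _pe_offsets(data)
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def raw_time_date_stamp(data: bytes) -> int:
    """IMAGE_FILE_HEADER.TimeDateStamp, undecoded."""
    coff, _ = _pe_offsets(data)
    return struct.unpack_from("<I", data, coff + 4)[0]


def time_date_stamp(data: bytes) -> datetime:
    """TimeDateStamp decoded as seconds since 1970 UTC (what the report prints)."""
    return datetime.fromtimestamp(raw_time_date_stamp(data), tz=timezone.utc)


def audit(data: bytes, analysed_at: Optional[datetime] = None) -> dict:
    """Both checks in one call, with the reading an analyst gives each result."""
    analysed_at = analysed_at or datetime.now(timezone.utc)
    stored, computed = stored_checksum(data), compute_checksum(data)
    if stored == 0:
        checksum = "unset"       # linker default without /RELEASE; normal for user-mode code
    elif stored == computed:
        checksum = "ok"
    else:
        checksum = "mismatch"    # bytes changed after the checksum was written
    raw, when = raw_time_date_stamp(data), time_date_stamp(data)
    if raw & 0x80000000:
        note = "high bit set: hash-derived deterministic-build value, not a date"
    elif when > analysed_at:
        note = "dated after the analysis: forged or clock skew"
    else:
        note = "plausible"
    return {"stored": stored, "computed": computed, "checksum": checksum,
            "timestamp": when.isoformat(), "timestamp_note": note}


def build_sample(stored: int, time_stamp: int) -> bytes:
    """Constructed 160-byte header-only image (not a real executable): MZ header,
    e_lfanew = 0x40, PE signature, PE32+ optional-header magic, and the given
    TimeDateStamp and CheckSum. Just enough for the parsers above."""
    buf = bytearray(0xA0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)         # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x48, time_stamp)   # IMAGE_FILE_HEADER.TimeDateStamp
    struct.pack_into("<H", buf, 0x58, 0x20B)        # IMAGE_NT_OPTIONAL_HDR64_MAGIC
    struct.pack_into("<I", buf, 0x98, stored)       # IMAGE_OPTIONAL_HEADER.CheckSum
    return bytes(buf)


if __name__ == "__main__":
    # TimeDateStamp the report shows for Microsoft.Win32.Registry.dll; CheckSum unset.
    print(audit(build_sample(0, 0x80FC6AE5)))
    # A populated but non-matching CheckSum, as reported for uninstall.exe.
    print(audit(build_sample(0x28B16B9, 0)))
```

On a real file, call audit(open(path, "rb").read()). A checksum result of "unset" on a user-mode DLL is normal, "mismatch" says the bytes changed after the field was written, and a timestamp with the high bit set should be read as a deterministic-build hash rather than as a date.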

Persistence and Installation Behavior

Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB174C2B00 PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle; referenced strings:
  \\.\PhysicalDrive%d
  PhysicalDrive%i
  DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i
  DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i
Caveat: this is the evidence behind "Contains functionality to infect the boot sector". The function is a Python C extension (PyDict_New, Py_BuildValue, PyErr_SetFromWindowsErr), and the strings are the debug messages of psutil's Windows disk_io_counters(), which opens each \\.\PhysicalDrive%i and queries it with DeviceIoControl (IOCTL_DISK_PERFORMANCE), skipping drives that reject the request; the same process extracts psutil\_psutil_windows.pyd (listed below). Opening a raw drive handle is also the first step of an MBR write, which is what the signature keys on, so the call trace decides: a write would show WriteFile, or a write-class DeviceIoControl code, on that handle, and none is listed here.
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0B9D8950 NetUserAdd 63_2_00007FFB0B9D8950
Caveat: the same process extracts pywin32's win32\win32net.pyd (listed below), whose purpose is to expose NetUserAdd and the other NetUser* APIs to Python, so an import of NetUserAdd in a loaded module shows capability only; whether the agent actually creates a local account has to come from the API-call trace.
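The File created records that follow are easier to reason about grouped by the writing process and by where each file landed. The Python below is an added example for this page, not code from the Joe Sandbox report or from the IDmelon product. It parses the records both as a Joe Sandbox text export flattens them (Source: <process>File created: <path>Jump to dropped file, with the cell boundaries lost) and in separated form, groups them, and picks out writes into System32, which is where the credential provider DLL lands. The sample lines are a handful copied from this report's own list; the location classes (pyinstaller-temp, nsis-plugin-temp and so on) are names chosen for this example.

```python
"""Group the "File created" records of a Joe Sandbox text export by the
process that wrote the file and by where the file landed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One record per line; the export may glue the cells together and append the
# "Jump to dropped file" link text, or carry a " | " separator.
RECORD = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*\|?\s*File created:\s*(?P<path>.+?)"
    r"(?:Jump to dropped file)?\s*$"
)

# Sample copied from this report's dropped-file list; the last line is a
# "Code function" record, included to show that non-file records are skipped.
SAMPLE_LINES = [
    r"Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\pywin32_system32\pythoncom310.dllJump to dropped file",
    r"Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\hidapi.dllJump to dropped file",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile created: C:\Program Files (x86)\IDmelon\FCP\nssm.exeJump to dropped file",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile created: C:\Users\user\AppData\Local\Temp\nstC680.tmp\nsExec.dllJump to dropped file",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile created: C:\Windows\System32\IDmelonV2CredentialProvider.dllJump to dropped file",
    r"Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | File created: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe",
    r"Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B9D8950 NetUserAdd,63_2_00007FFB0B9D8950",
]


def parse_records(lines) -> List[Tuple[str, str]]:
    """(source process, created path) for every File created record."""
    out = []
    for line in lines:
        m = RECORD.match(line.strip())
        if m:
            out.append((m.group("source"), m.group("path")))
    return out


def classify(path: str) -> str:
    """Coarse location class; the most specific tests come first."""
    p = path.lower()
    if p.startswith("c:\\windows\\system32\\"):
        return "system32"                   # where a credential provider DLL must live
    if re.search(r"\\windows\\temp\\_mei\d+\\", p):
        return "pyinstaller-temp"           # PyInstaller one-file extraction (_MEI<pid>)
    if re.search(r"\\appdata\\local\\temp\\ns[a-z0-9]+\.tmp\\", p):
        return "nsis-plugin-temp"           # NSIS plug-in staging directory
    if p.startswith("c:\\windows\\temp\\"):
        return "windows-temp"
    if p.startswith("c:\\program files"):
        return "program-files"
    return "other"


def summarize(lines) -> Dict[str, Dict[str, List[str]]]:
    """source -> location class -> paths, in the order seen."""
    tree: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for source, path in parse_records(lines):
        tree[source][classify(path)].append(path)
    return {s: dict(c) for s, c in tree.items()}


def persistence_candidates(lines) -> List[str]:
    """Files written into System32: the ones to check against the
    credential-provider and service registrations the report lists."""
    return [p for _, p in parse_records(lines) if classify(p) == "system32"]


if __name__ == "__main__":
    for source, classes in summarize(SAMPLE_LINES).items():
        print(source)
        for cls, paths in classes.items():
            print(f"  {cls}: {len(paths)}")
    print("System32 writes:", persistence_candidates(SAMPLE_LINES))
```

Feed it the whole dropped-file section of an export (for example the lines of a saved report, read from a file) and the per-process tallies show at a glance which process is a PyInstaller one-file bundle unpacking itself into C:\Windows\Temp and which writes land in locations that survive a reboot.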
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | File created (installer payload; the four files under nstC680.tmp are NSIS plug-ins staged by the installer stub):
  C:\Program Files (x86)\IDmelon\FCP\CommandLine.dll
  C:\Program Files (x86)\IDmelon\FCP\FileDeleter.exe
  C:\Program Files (x86)\IDmelon\FCP\IDmelonFcp.exe
  C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
  C:\Program Files (x86)\IDmelon\FCP\Microsoft.Win32.Registry.dll
  C:\Program Files (x86)\IDmelon\FCP\System.Security.AccessControl.dll
  C:\Program Files (x86)\IDmelon\FCP\System.Security.Principal.Windows.dll
  C:\Program Files (x86)\IDmelon\FCP\log4net.dll
  C:\Program Files (x86)\IDmelon\FCP\nssm.exe
  C:\Program Files (x86)\IDmelon\FCP\uninstall.exe
  C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe
  C:\Windows\System32\IDmelonV2CredentialProvider.dll
  C:\Users\user\AppData\Local\Temp\nstC680.tmp\EnVar.dll
  C:\Users\user\AppData\Local\Temp\nstC680.tmp\InstallOptions.dll
  C:\Users\user\AppData\Local\Temp\nstC680.tmp\System.dll
  C:\Users\user\AppData\Local\Temp\nstC680.tmp\nsExec.dll
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | File created: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\wixstdba.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | File created under C:\Windows\Temp\_MEI32322\ (a PyInstaller one-file extraction directory, the _MEI suffix being the PID of the extracting process; it holds the agent's Python 3.10 runtime and its pywin32, pycryptodome, cryptography, psutil and hidapi modules):
  pywin32_system32\pythoncom310.dll
  _hashlib.pyd
  Crypto\Cipher\_raw_aes.pyd
  _asyncio.pyd
  Crypto\Cipher\_raw_cfb.pyd
  win32\win32evtlog.pyd
  Crypto\Cipher\_raw_cast.pyd
  win32com\shell\shell.pyd
  Crypto\Hash\_keccak.pyd
  Crypto\Cipher\_raw_ctr.pyd
  unicodedata.pyd
  _socket.pyd
  Crypto\Cipher\_raw_eksblowfish.pyd
  Crypto\Cipher\_ARC4.pyd
  _cffi_backend.cp310-win_amd64.pyd
  _cbor2.cp310-win_amd64.pyd
  win32\win32api.pyd
  Crypto\Util\_strxor.pyd
  libffi-7.dll
  Crypto\Hash\_RIPEMD160.pyd
  select.pyd
  Crypto\Cipher\_raw_aesni.pyd
  win32\win32event.pyd
  Crypto\Cipher\_raw_ecb.pyd
  _msi.pyd
  psutil\_psutil_windows.pyd
  win32\win32file.pyd
  _multiprocessing.pyd
  Crypto\Hash\_MD2.pyd
  Crypto\PublicKey\_ed448.pyd
  Crypto\Cipher\_raw_des.pyd
  Crypto\Cipher\_raw_ofb.pyd
  Crypto\Cipher\_raw_des3.pyd
  Crypto\Hash\_poly1305.pyd
  pyexpat.pyd
  libcrypto-1_1.dll
  win32\_win32sysloader.pyd
  Crypto\Cipher\_Salsa20.pyd
  Crypto\Hash\_SHA1.pyd
  Crypto\Util\_cpuid_c.pyd
  Pythonwin\win32ui.pyd
  Crypto\Hash\_MD5.pyd
  Crypto\Hash\_SHA224.pyd
  Crypto\Hash\_SHA512.pyd
  Crypto\Protocol\_scrypt.pyd
  Crypto\PublicKey\_x25519.pyd
  Crypto\Cipher\_raw_arc2.pyd
  pywin32_system32\pywintypes310.dll
  Crypto\Hash\_BLAKE2s.pyd
  Crypto\Hash\_ghash_portable.pyd
  _ctypes.pyd
  VCRUNTIME140.dll
  win32\win32net.pyd
  Crypto\Hash\_SHA256.pyd
  Pythonwin\mfc140u.dll
  Crypto\Cipher\_chacha20.pyd
  Crypto\Cipher\_pkcs1_decode.pyd
  VCRUNTIME140_1.dll
  win32\win32pipe.pyd
  charset_normalizer\md__mypyc.cp310-win_amd64.pyd
  _overlapped.pyd
  _decimal.pyd
  _ssl.pyd
  Crypto\Hash\_ghash_clmul.pyd
  _uuid.pyd
  hidapi.dll
  Crypto\Hash\_SHA384.pyd
  Crypto\Cipher\_raw_ocb.pyd
  _bz2.pyd
  _lzma.pyd
  libssl-1_1.dll
  Crypto\Cipher\_raw_cbc.pyd
  charset_normalizer\md.cp310-win_amd64.pyd
  _queue.pyd
  python3.dll
  win32\win32trace.pyd
  Crypto\Hash\_MD4.pyd
  Crypto\Cipher\_raw_blowfish.pyd
  python310.dll
  Crypto\PublicKey\_ed25519.pyd
  Crypto\Hash\_BLAKE2b.pyd
  cryptography\hazmat\bindings\_rust.pyd
  Crypto\Math\_modexp.pyd
  Crypto\PublicKey\_ec_ws.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | File created under C:\Windows\Temp\_MEI15042\ (a second extraction directory of the same kind, from another instance of the agent):
  _cffi_backend.cp310-win_amd64.pyd
  hidapi.dll
  Crypto\Cipher\_raw_eksblowfish.pyd
  charset_normalizer\md__mypyc.cp310-win_amd64.pyd
  _queue.pyd
  VCRUNTIME140.dll
  _msi.pyd
  Crypto\Hash\_SHA256.pyd
  _ctypes.pyd
  win32com\shell\shell.pyd
  Crypto\Cipher\_raw_ecb.pyd
  Crypto\Cipher\_raw_des3.pyd
  pywin32_system32\pythoncom310.dll
  Crypto\Hash\_RIPEMD160.pyd
  Crypto\Hash\_poly1305.pyd
  Crypto\Math\_modexp.pyd
  win32\win32evtlog.pyd
  libffi-7.dll
  select.pyd
  _bz2.pyd
  Crypto\Cipher\_raw_cbc.pyd
  Crypto\Cipher\_raw_blowfish.pyd
  Crypto\Hash\_ghash_portable.pyd
  Crypto\Hash\_MD4.pyd
  Crypto\Cipher\_chacha20.pyd
  Crypto\Cipher\_raw_des.pyd
  pyexpat.pyd
  unicodedata.pyd
  libcrypto-1_1.dll
  Crypto\Hash\_SHA384.pyd
  Crypto\Hash\_MD2.pyd
  Crypto\PublicKey\_ec_ws.pyd
  win32\win32event.pyd
  Crypto\Cipher\_raw_ctr.pyd
  Crypto\Util\_strxor.pyd
  _uuid.pyd
  win32\win32file.pyd
  win32\win32net.pyd
  python3.dll
  Crypto\PublicKey\_x25519.pyd
  win32\_win32sysloader.pyd
  win32\win32pipe.pyd
  Crypto\Hash\_keccak.pyd
  Crypto\Protocol\_scrypt.pyd
  Crypto\Hash\_BLAKE2b.pyd
  Crypto\Cipher\_Salsa20.pyd
  VCRUNTIME140_1.dll
  Crypto\Cipher\_raw_ofb.pyd
  _decimal.pyd
  Crypto\Hash\_SHA1.pyd
  Pythonwin\win32ui.pyd
  Crypto\Cipher\_pkcs1_decode.pyd
  Crypto\Cipher\_raw_cast.pyd
  charset_normalizer\md.cp310-win_amd64.pyd
  Crypto\Hash\_SHA224.pyd
  Crypto\PublicKey\_ed448.pyd
  Crypto\Hash\_SHA512.pyd
  _lzma.pyd
  libssl-1_1.dll
  _multiprocessing.pyd
  _socket.pyd
  _overlapped.pyd
  _cbor2.cp310-win_amd64.pyd
  Crypto\Hash\_MD5.pyd
  pywin32_system32\pywintypes310.dll
  Crypto\Cipher\_ARC4.pyd
  Pythonwin\mfc140u.dll
  Crypto\Hash\_ghash_clmul.pyd
  psutil\_psutil_windows.pyd
  Crypto\Util\_cpuid_c.pyd
  win32\win32trace.pyd
  _hashlib.pyd
  Crypto\Cipher\_raw_aes.pyd
  _asyncio.pyd
  Crypto\Cipher\_raw_ocb.pyd
  cryptography\hazmat\bindings\_rust.pyd
  Crypto\Cipher\_raw_arc2.pyd
  Crypto\Hash\_BLAKE2s.pyd
  Crypto\PublicKey\_ed25519.pyd
  Crypto\Cipher\_raw_cfb.pyd
  python310.dll
  Crypto\Cipher\_raw_aesni.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\win32\win32api.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\_ssl.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\pywin32_system32\pythoncom310.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\_cffi_backend.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\_hashlib.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_aes.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\_asyncio.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_cfb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\hidapi.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\win32\win32evtlog.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_eksblowfish.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\charset_normalizer\md__mypyc.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_cast.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\_queue.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\win32com\shell\shell.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Hash\_keccak.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\VCRUNTIME140.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_ctr.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\unicodedata.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\_socket.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_eksblowfish.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_ARC4.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\_msi.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\_cffi_backend.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Hash\_SHA256.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\_cbor2.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\_ctypes.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\win32com\shell\shell.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\win32\win32api.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Util\_strxor.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\libffi-7.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Hash\_RIPEMD160.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_ecb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\select.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_des3.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\pywin32_system32\pythoncom310.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Hash\_RIPEMD160.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_aesni.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Hash\_poly1305.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\win32\win32event.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_ecb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Math\_modexp.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\_msi.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\win32\win32evtlog.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\libffi-7.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\psutil\_psutil_windows.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\win32\win32file.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\_multiprocessing.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\select.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Hash\_MD2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\_bz2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_cbc.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\PublicKey\_ed448.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_blowfish.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_des.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Hash\_ghash_portable.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Hash\_MD4.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_ofb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_chacha20.pydJump to dropped file
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\wixstdba.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_des.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_des3.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Hash\_poly1305.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\pyexpat.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\pyexpat.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\libcrypto-1_1.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\win32\_win32sysloader.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_Salsa20.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\unicodedata.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Hash\_SHA1.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\libcrypto-1_1.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Util\_cpuid_c.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Pythonwin\win32ui.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Hash\_SHA384.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Hash\_MD2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Hash\_MD5.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Hash\_SHA224.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Hash\_SHA512.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Protocol\_scrypt.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\PublicKey\_x25519.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\PublicKey\_ec_ws.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\win32\win32event.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_ctr.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Util\_strxor.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_arc2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\pywin32_system32\pywintypes310.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Hash\_BLAKE2s.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Hash\_ghash_portable.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\_uuid.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\win32\win32file.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\win32\win32net.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\python3.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\_ctypes.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\PublicKey\_x25519.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\VCRUNTIME140.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\win32\win32net.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Hash\_SHA256.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\win32\_win32sysloader.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\win32\win32pipe.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Pythonwin\mfc140u.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Hash\_keccak.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Protocol\_scrypt.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_pkcs1_decode.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_chacha20.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Hash\_BLAKE2b.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_Salsa20.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\VCRUNTIME140_1.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\VCRUNTIME140_1.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_ofb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\_decimal.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\win32\win32pipe.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Hash\_SHA1.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Pythonwin\win32ui.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_pkcs1_decode.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\charset_normalizer\md__mypyc.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_cast.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\charset_normalizer\md.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\_overlapped.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\_decimal.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Hash\_SHA224.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\PublicKey\_ed448.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Hash\_SHA512.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\_lzma.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\libssl-1_1.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\_ssl.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Hash\_ghash_clmul.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\_uuid.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\_multiprocessing.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\_socket.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\_overlapped.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\_cbor2.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\hidapi.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Hash\_MD5.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Hash\_SHA384.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\pywin32_system32\pywintypes310.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_ocb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_ARC4.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\_bz2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\_lzma.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Pythonwin\mfc140u.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Hash\_ghash_clmul.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\psutil\_psutil_windows.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\libssl-1_1.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_cbc.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\Crypto\Util\_cpuid_c.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\win32\win32trace.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\charset_normalizer\md.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\_queue.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI32322\python3.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI15042\_hashlib.pydJump to dropped file
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1028\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1029\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1031\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1036\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1040\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1041\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1042\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1045\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1046\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1049\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\1055\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\2052\license.rtf
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\3082\license.rtf
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe	File created: C:\Windows\TEMP\_MEI32322\wheel-0.37.1.dist-info\LICENSE.txt
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe	File created: C:\Windows\TEMP\_MEI15042\wheel-0.37.1.dist-info\LICENSE.txt

Boot Survival

Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, \\.\PhysicalDrive%d | 63_2_00007FFB174C2B00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, PhysicalDrive%i | 63_2_00007FFB174C2B00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i | 63_2_00007FFB174C2B00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i | 63_2_00007FFB174C2B00
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\NSSM
Source: C:\Windows\System32\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Code function: 5_2_000000014000A2E0 _snwprintf_s,PathQuoteSpacesW,GetModuleFileNameW,GetModuleFileNameW,PathQuoteSpacesW,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError, | 5_2_000000014000A2E0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 35_2_00007FF6005343B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 35_2_00007FF6005343B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "C:\Program Files (x86)\IDmelon\FCP\cashedData.xml" /e /p Everyone:f
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BC24246 rdtsc | 43_2_00007FFB0BC24246
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Code function: OpenServiceW,GetServiceDisplayNameW,GetServiceKeyNameW,GetLastError,GetLastError,EnumServicesStatusExW,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusExW,GetLastError,GetProcessHeap,HeapFree,GetLastError,_snwprintf_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, | 5_2_000000014000EE50
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Code function: EnumServicesStatusExW,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusExW,GetLastError,_snwprintf_s,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, | 5_2_0000000140011A80
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: PyList_New,OpenSCManagerA,GetLastError,PyErr_SetFromWindowsErrWithFilename,EnumServicesStatusExW,GetLastError,free,malloc,EnumServicesStatusExW,PyUnicode_FromWideChar,PyUnicode_FromWideChar,Py_BuildValue,PyList_Append,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseServiceHandle,free,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseServiceHandle,free, | 63_2_00007FFB174C8170
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0B9B1C70 FreeLibrary,FreeLibrary,SetupDiGetClassDevsA,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailA,SetupDiGetDeviceInterfaceDetailA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,CreateFileA,CloseHandle,SetupDiEnumDeviceInterfaces,SetupDiDestroyDeviceInfoList, | 63_2_00007FFB0B9B1C70
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\pywin32_system32\pythoncom310.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\_cffi_backend.cp310-win_amd64.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\_hashlib.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\_asyncio.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_aes.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\hidapi.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_cfb.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\win32\win32evtlog.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_eksblowfish.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_cast.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\_queue.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Hash\_keccak.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\win32com\shell\shell.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\_socket.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_ctr.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\unicodedata.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\FCP\CommandLine.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_eksblowfish.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\_msi.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_ARC4.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Hash\_SHA256.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\_cffi_backend.cp310-win_amd64.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\_cbor2.cp310-win_amd64.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\_ctypes.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\win32com\shell\shell.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\win32\win32api.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Util\_strxor.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Hash\_RIPEMD160.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_ecb.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\select.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_des3.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\pywin32_system32\pythoncom310.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Hash\_RIPEMD160.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_aesni.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Hash\_poly1305.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\win32\win32event.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_ecb.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Math\_modexp.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\_msi.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\win32\win32evtlog.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\FCP\FileDeleter.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\FCP\IDmelonFcp.exe
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\psutil\_psutil_windows.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\select.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\win32\win32file.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\_multiprocessing.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\_bz2.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Hash\_MD2.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstC680.tmp\nsExec.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_cbc.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_blowfish.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\PublicKey\_ed448.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_des.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Hash\_ghash_portable.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Hash\_MD4.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_ofb.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_chacha20.pyd
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Dropped PE file which has not been started: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\wixstdba.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_des.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_des3.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Hash\_poly1305.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\pyexpat.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\pyexpat.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\win32\_win32sysloader.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_Salsa20.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\unicodedata.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstC680.tmp\EnVar.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Hash\_SHA1.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Util\_cpuid_c.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Pythonwin\win32ui.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Hash\_SHA384.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Hash\_MD2.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\FCP\System.Security.AccessControl.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Hash\_SHA224.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Hash\_MD5.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Hash\_SHA512.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Protocol\_scrypt.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\PublicKey\_ec_ws.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\PublicKey\_x25519.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\win32\win32event.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_ctr.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Util\_strxor.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Hash\_BLAKE2s.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\_uuid.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_arc2.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Hash\_ghash_portable.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\pywin32_system32\pywintypes310.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\win32\win32file.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\FCP\System.Security.Principal.Windows.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\win32\win32net.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\python3.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\PublicKey\_x25519.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\_ctypes.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\win32\win32net.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Hash\_SHA256.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\win32\_win32sysloader.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\win32\win32pipe.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstC680.tmp\InstallOptions.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Hash\_keccak.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Pythonwin\mfc140u.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Protocol\_scrypt.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_chacha20.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_pkcs1_decode.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Hash\_BLAKE2b.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_Salsa20.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_ofb.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\_decimal.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Pythonwin\win32ui.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstC680.tmp\System.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Hash\_SHA1.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\win32\win32pipe.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_pkcs1_decode.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_cast.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\charset_normalizer\md.cp310-win_amd64.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\_overlapped.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\_decimal.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Hash\_SHA224.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\PublicKey\_ed448.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Hash\_SHA512.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\_lzma.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\_ssl.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Hash\_ghash_clmul.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI15042\_multiprocessing.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Dropped PE file which has not been started: C:\Windows\Temp\_MEI32322\_uuid.pyd
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\_socket.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\_overlapped.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\_cbor2.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\hidapi.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Hash\_MD5.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Hash\_SHA384.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\pywin32_system32\pywintypes310.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_ocb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_ARC4.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\_bz2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\_lzma.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\FCP\Microsoft.Win32.Registry.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Pythonwin\mfc140u.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Hash\_ghash_clmul.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\psutil\_psutil_windows.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Util\_cpuid_c.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_cbc.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\win32\win32trace.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\charset_normalizer\md.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\_queue.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\_hashlib.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\python3.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\win32\win32trace.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\_asyncio.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_aes.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Hash\_MD4.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_ocb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\cryptography\hazmat\bindings\_rust.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Cipher\_raw_blowfish.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_arc2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Hash\_BLAKE2s.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\python310.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\PublicKey\_ed25519.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\PublicKey\_ed25519.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_cfb.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\FCP\log4net.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\cryptography\hazmat\bindings\_rust.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Windows\System32\IDmelonV2CredentialProvider.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Hash\_BLAKE2b.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\Math\_modexp.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\python310.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI32322\Crypto\PublicKey\_ec_ws.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\FCP\uninstall.exeJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_aesni.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\win32\win32api.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI15042\_ssl.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | API coverage: 4.3 %
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | API coverage: 4.2 %
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | API coverage: 1.1 %
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A2FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00A2FE5Dh
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A2FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00A2FE56h
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_002FFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 002FFE5Dh
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_002FFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 002FFE56h
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Code function: 0_2_004068B4 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Code function: 0_2_00402910 FindFirstFileW
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_009F3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A34315 FindFirstFileW,FindClose
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A0993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A27A87 FindFirstFileExW
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_002C3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_00304315 FindFirstFileW,FindClose
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_002D993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_002F7A87 FindFirstFileExW
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 35_2_00007FF600537B80 FindFirstFileExW,FindClose
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 35_2_00007FF600548110 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 35_2_00007FF6005520D4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB4AC60 _Py_NoneStruct,_PyArg_ParseTupleAndKeywords_SizeT,?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z,PyExc_NotImplementedError,PyErr_Format,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,_PyObject_New,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,memset,PyEval_SaveThread,FindFirstFileTransactedW,FindFirstFileW,PyEval_RestoreThread,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,GetLastError,_Py_Dealloc,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB4AA10 _Py_NoneStruct,_PyArg_ParseTupleAndKeywords_SizeT,?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z,PyExc_NotImplementedError,PyErr_Format,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,memset,FindFirstFileTransactedW,FindFirstFileW,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,GetLastError,PyList_New,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyList_New,FindClose,?PyObject_FromWIN32_FIND_DATAW@@YAPEAU_object@@PEAU_WIN32_FIND_DATAW@@@Z,PyList_Append,_Py_Dealloc,memset,FindNextFileW,GetLastError,FindClose,_Py_Dealloc,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,FindClose,_Py_Dealloc
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB4B100 PyExc_NotImplementedError,PyErr_Format,_Py_NoneStruct,_PyArg_ParseTupleAndKeywords_SizeT,?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z,PyExc_NotImplementedError,PyErr_Format,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,malloc,FindFirstFileNameTransactedW,FindFirstFileNameW,PyList_New,FindNextFileNameW,?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W@Z,PyList_Append,_Py_Dealloc,GetLastError,free,PyExc_MemoryError,PyErr_Format,_Py_Dealloc,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_Dealloc,FindClose,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,free
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BC2322E _errno,malloc,_errno,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BFB3740 _PyArg_ParseTuple_SizeT,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyList_New,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,FindFirstFileW,GetLastError,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,?PyObject_FromWIN32_FIND_DATAW@@YAPEAU_object@@PEAU_WIN32_FIND_DATAW@@@Z,PyList_Append,_Py_Dealloc,FindNextFileW,GetLastError,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,FindClose,_Py_Dealloc
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0B9B7A14 FindFirstFileExA
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0BC2322E _errno,malloc,_errno,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BFB55A0 _PyArg_ParseTuple_SizeT,GetLogicalDriveStringsW,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,GetLogicalDriveStringsW,?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W_J@Z
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A3962D VirtualQuery,GetSystemInfo
Source: netsh.exe, 00000032.00000003.1435371767.0000000000D81000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000032.00000002.1435922774.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1507402690.0000020E2B8B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: netsh.exe, 00000037.00000002.1443697562.0000000001524000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000037.00000003.1442974239.0000000001521000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1443096441.00000142718DD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1459153886.00000142718E2000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1439583314.00000142718D6000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1438088616.0000014271899000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1443038849.00000142718D7000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1434283041.0000014271889000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1447131319.00000142718E1000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1434579442.0000014271897000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWill
Source: svchost.exe, 00000002.00000002.2539486589.000001D32742B000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000035.00000003.1439301055.0000000001121000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000003A.00000002.1447759025.000000000104A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | API call chain: ExitProcess graph end node (graph_0-3390)
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BC24246
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BC25731
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0BC24246
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0BC25731
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BC24246 rdtsc
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A1E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Code function: 5_2_0000000140023A88 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A24812 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_002F4812 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_009F38D4 GetProcessHeap,RtlAllocateHeap
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A1E188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A1E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A1E773 SetUnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A23BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_002EE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_002EE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_002EE773 SetUnhandledExceptionFilter
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Code function: 4_2_002F3BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Code function: 5_2_0000000140018800 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Code function: 5_2_0000000140023D20 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Code function: 5_2_0000000140020180 SetUnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Code function: 5_2_000000014001B6C4 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 35_2_00007FF60053B1B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 35_2_00007FF60053BA5C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 35_2_00007FF60053BC04 SetUnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 35_2_00007FF60054AE98 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB5443C SetUnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB53658 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB54254 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BB72009 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BC25A24 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BF82EF8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BF824B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BFC0C9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BFC18A0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BFC1A88 SetUnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0B0606A8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0B05FD80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0B081A30 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0B081460 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0B091960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0B091390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0B0A1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0B0A1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B0B1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0B0B1960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B0B1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB0B0B1390
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B0C1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0B0C1960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B0C1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB0B0C1390
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B0D1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0B0D1960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B0D1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB0B0D1390
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B0E1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0B0E1960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B0E1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB0B0E1390
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B0F1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0B0F1960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B0F1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB0B0F1390
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B101960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0B101960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B101390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB0B101390
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B111390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB0B111390
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B111960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0B111960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B121390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB0B121390
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B121960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0B121960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B131390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB0B131390
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B131960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0B131960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B951390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB0B951390
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B951960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0B951960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B961390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB0B961390
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B961960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0B961960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B98B828 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0B98B828
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B98AEC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB0B98AEC0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B9B6630 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0B9B6630
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B9B2A84 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB0B9B2A84
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B9B3594 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0B9B3594
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B9D97B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB0B9D97B4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B9DA364 SetUnhandledExceptionFilter,63_2_00007FFB0B9DA364
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B9DA17C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0B9DA17C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B9F3028 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0B9F3028
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0B9F2A60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB0B9F2A60
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BB23270 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB0BB23270
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BB23838 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0BB23838
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB0BC25A24 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB0BC25A24
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB16911390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB16911390
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB16911960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB16911960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174CA978 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB174CA978
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB174CA050 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB174CA050
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB18581390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB18581390
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB18581960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB18581960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB18B7BE50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB18B7BE50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB18B7C418 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB18B7C418
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB1A721960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB1A721960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB1A721390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB1A721390
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB1AB042B0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB1AB042B0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB1AB03CE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB1AB03CE0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB1B9F1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB1B9F1390
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB1B9F1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB1B9F1960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB1BA41390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB1BA41390
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB1BA41960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB1BA41960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB1BB11A00 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,63_2_00007FFB1BB11A00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 63_2_00007FFB1BB11430 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,63_2_00007FFB1BB11430
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeCode function: 5_2_000000014000A180 GetProcessHeap,HeapAlloc,GetCommandLineW,_snwprintf_s,ShellExecuteExW,GetProcessHeap,HeapFree,5_2_000000014000A180
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BFBDC50 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,keybd_event,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct,43_2_00007FFB0BFBDC50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 43_2_00007FFB0BFBDCF0 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,mouse_event,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct,43_2_00007FFB0BFBDCF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" install IDmelonFidoCredentialProviderService "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppDirectory "C:\Program Files (x86)\IDmelon\FCP"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdout "C:\Program Files (x86)\IDmelon\FCP\logs.log"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderr "C:\Program Files (x86)\IDmelon\FCP\logs.log"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe "C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 /quiet
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdoutCreationDisposition 4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderrCreationDisposition 4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateFiles 1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdout "C:\Program Files (x86)\IDmelon\FCP\logs.log"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateBytes 5000000
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" status IDmelonFidoCredentialProviderService
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" start IDmelonFidoCredentialProviderService
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "C:\Program Files (x86)\IDmelon\FCP\cashedData.xml" /e /p Everyone:f
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "C:\Program Files (x86)\IDmelon\FCP\service_log.lo" /e /p Everyone:f
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Program Files (x86)\IDmelon\FCP" /grant:r everyone:(OI)(CI)(F) /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule IDmelonFidoCredentialProviderService dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "C:\Program Files (x86)\IDmelon\FCP\cashedData.xml" /e /p Everyone:f
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Process created: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe "C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 /quiet
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Process created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
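The process-creation rows above record three things worth correlating rather than reading one by one: nssm registers IDmelonCredentialProviderFidoAgent.exe as the binary of a service, icacls then grants Everyone full control with inheritance over the directory that binary lives in (and cacls does the same for individual files), and netsh adds inbound allow rules for that same binary. Full control for Everyone on the directory of a service binary means any local account can replace what the service executes; the report does not show which account the service runs as, so the impact of that replacement is not established here. The following Python correlator is an added example, not part of the Joe Sandbox report and not IDmelon, nssm or Microsoft code. It parses Windows command lines of the form shown in the rows (the sample lines are constructed copies of those rows, and the parsing rules for `nssm install`, `cacls /p`, `icacls /grant` and `netsh advfirewall ... key=value` are my reading of the syntax visible above) and reports service binaries that sit under an Everyone-full-control path or received an inbound firewall allow rule.

```python
"""Correlate installer command lines into the findings an analyst wants from
the rows above: service binary registered, paths handed to Everyone with full
control, programs given inbound firewall allow rules. Added example, not
Joe Sandbox, IDmelon or nssm code."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the "Process created" rows of the report.
SAMPLE_LINES = [
    r'"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" install IDmelonFidoCredentialProviderService "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"',
    r'"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppDirectory "C:\Program Files (x86)\IDmelon\FCP"',
    r'CACLS "C:\Program Files (x86)\IDmelon\FCP\cashedData.xml" /e /p Everyone:f',
    r'icacls "C:\Program Files (x86)\IDmelon\FCP" /grant:r everyone:(OI)(CI)(F) /T',
    r'netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes',
    r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
]

# Whitespace split that keeps a quoted span (including key="value") as one token.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def tokenize(cmdline):
    """Split a Windows command line, honouring double quotes and dropping them."""
    return [t.replace('"', '') for t in TOKEN_RE.findall(cmdline)]


def image_name(token):
    """'C:\\...\\nssm.exe' or 'CACLS' -> 'nssm' / 'cacls'."""
    name = token.rsplit('\\', 1)[-1].lower()
    return name[:-4] if name.endswith('.exe') else name


@dataclass
class Findings:
    services: dict = field(default_factory=dict)       # service name -> binary path
    everyone_full: list = field(default_factory=list)  # paths granted Everyone full control
    fw_allowed: list = field(default_factory=list)     # programs with inbound allow rules


def _grants_everyone_full(tokens):
    # cacls: "Everyone:F"; icacls: "everyone:(OI)(CI)(F)" or "everyone:F".
    for t in tokens:
        tl = t.lower()
        if tl.startswith('everyone:') and (tl.endswith(':f') or '(f)' in tl):
            return True
    return False


def analyse(lines):
    f = Findings()
    for line in lines:
        tok = tokenize(line)
        if len(tok) < 2:
            continue
        exe, low = image_name(tok[0]), [t.lower() for t in tok]
        if exe == 'nssm' and low[1] == 'install' and len(tok) >= 4:
            f.services[tok[2]] = tok[3]                # nssm install <name> <binary>
        elif exe in ('cacls', 'icacls') and _grants_everyone_full(tok):
            f.everyone_full.append(tok[1])             # first argument is the target path
        elif exe == 'netsh' and low[1:5] == ['advfirewall', 'firewall', 'add', 'rule']:
            kv = dict(t.split('=', 1) for t in tok if '=' in t)
            if kv.get('action', '').lower() == 'allow' and kv.get('dir', '').lower() == 'in' and 'program' in kv:
                f.fw_allowed.append(kv['program'])
    return f


def _under(path, root):
    p, r = path.lower(), root.lower().rstrip('\\')
    return p == r or p.startswith(r + '\\')


def writable_service_binaries(f):
    """(service, binary, granted path) for every service binary that is itself,
    or lies beneath, a path granted Everyone full control."""
    return sorted((name, binary, path)
                  for name, binary in f.services.items()
                  for path in f.everyone_full
                  if _under(binary, path))


def exposed_service_binaries(f):
    """Services whose binary also received an inbound firewall allow rule."""
    allowed = {p.lower() for p in f.fw_allowed}
    return sorted(name for name, binary in f.services.items() if binary.lower() in allowed)


if __name__ == '__main__':
    found = analyse(SAMPLE_LINES)
    for name, binary, path in writable_service_binaries(found):
        print(f'[!] service {name}: {binary} is under {path}, which was granted Everyone full control')
    for name in exposed_service_binaries(found):
        print(f'[!] service {name}: inbound firewall allow rule added for its binary')
```

On the constructed rows this reports IDmelonFidoCredentialProviderService once for each finding: its binary lies under the FCP directory that icacls opened to Everyone, and the same binary got an inbound allow rule. The cacls line does not trigger the first finding because it covers only cashedData.xml, not the binary. Feeding real Sysmon Event ID 1 or Security 4688 command lines into `analyse` needs nothing beyond extracting the CommandLine field.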
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A315CB InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,3_2_00A315CB
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A3393B AllocateAndInitializeSid,CheckTokenMembership,3_2_00A3393B
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | Code function: 3_2_00A1E9A7 cpuid 3_2_00A1E9A7
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Code function: GetLocaleInfoA,5_2_00000001400245E8
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0B9B1C70 FreeLibrary,FreeLibrary,SetupDiGetClassDevsA,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailA,SetupDiGetDeviceInterfaceDetailA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,CreateFileA,CloseHandle,SetupDiEnumDeviceInterfaces,SetupDiDestroyDeviceInfoList,63_2_00007FFB0B9B1C70
Source: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe | Queries volume information: C:\Windows\Temp\{482F33F5-46E3-4A27-BA43-905A3A18653E}\.ba\logo.png VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe | Queries volume information: C:\Program Files (x86)\IDmelon\FCP\logs.log VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Queries volume information: C:\Windows\Temp\_MEI32322\Crypto VolumeInformation (33 identical rows)
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Queries volume information: C:\Windows\Temp\_MEI32322\Crypto\Cipher VolumeInformation (5 identical rows)
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Queries volume information: C:\Windows\Temp\_MEI32322\Crypto\Hash VolumeInformation (4 identical rows)
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Queries volume information: C:\Windows\Temp\_MEI32322\Crypto\PublicKey VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Queries volume information: C:\Windows\Temp\_MEI32322\Crypto\Util VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Queries volume information: C:\Windows\Temp\_MEI32322\certifi VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Queries volume information: C:\Windows\Temp\_MEI32322\cryptography-41.0.7.dist-info VolumeInformation (2 identical rows)
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\cryptography-41.0.7.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\cryptography-41.0.7.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\cryptography-41.0.7.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\pywin32_system32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\setuptools-60.2.0.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\setuptools-60.2.0.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\setuptools-60.2.0.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\setuptools-60.2.0.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\wheel-0.37.1.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\wheel-0.37.1.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\wheel-0.37.1.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\wheel-0.37.1.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\wheel-0.37.1.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\logs.log VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\logs.log VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\_ctypes.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\_bz2.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\_lzma.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\Pythonwin VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\pywin32_system32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\_queue.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\_ssl.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\pyexpat.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\_socket.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\select.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI32322\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI32322 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI32322\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI32322\Pythonwin VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI32322\win32\win32api.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI32322\win32com VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI32322\pywin32_system32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI32322\cryptography-41.0.7.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI32322\setuptools-60.2.0.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\tmp92i965a7 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI32322\_queue.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI32322\_ssl.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI32322\_asyncio.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\_overlapped.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\win32\win32pipe.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\win32\win32file.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI32322\win32\win32event.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\tmp92i965a7 VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto\Cipher VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto\Cipher VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto\Cipher VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto\Cipher VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto\Cipher VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto\Hash VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto\Hash VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto\Hash VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto\Hash VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto\Hash VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto\Hash VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto\Hash VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto\PublicKey VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\Crypto\Util VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\certifi VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\cryptography-41.0.7.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\cryptography-41.0.7.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\cryptography-41.0.7.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\cryptography-41.0.7.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\cryptography-41.0.7.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\cryptography-41.0.7.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\cryptography-41.0.7.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\cryptography-41.0.7.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\pywin32_system32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\setuptools-60.2.0.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\setuptools-60.2.0.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\setuptools-60.2.0.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\setuptools-60.2.0.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\wheel-0.37.1.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\wheel-0.37.1.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\wheel-0.37.1.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI15042\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 3_2_00A04CE8 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,3_2_00A04CE8
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 3_2_00A3858F GetSystemTime,3_2_00A3858F
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 3_2_009F60BA GetUserNameW,GetLastError,3_2_009F60BA
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 3_2_00A38733 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,3_2_00A38733
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeCode function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403532
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Note: the netsh rule allows inbound traffic of any protocol, on every firewall profile (including Public), to the agent executable, and the bind() calls below show that executable opening a listening socket; a least-privilege rule would restrict localport, remoteip or at least the profile. The root\SecurityCenter2 AntiVirusProduct enumeration is how a program learns which security products are registered on the host.
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BC22B62 bind,WSAGetLastError, 43_2_00007FFB0BC22B62
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BFF2E90 _PyArg_ParseTuple_SizeT,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyObject_IsInstance,PyExc_ValueError,PyErr_Format,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,PyErr_SetString,PyEval_SaveThread,PyEval_RestoreThread,CreateBindCtx,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,_Py_NoneStruct,_Py_NoneStruct,?PyWinObject_FromIID@@YAPEAU_object@@AEBU_GUID@@@Z,PyDict_GetItem,_Py_Dealloc,PyErr_Clear,PyExc_TypeError,PyErr_SetString,PyEval_SaveThread,PyEval_RestoreThread,PyObject_IsSubclass,PyEval_SaveThread,MkParseDisplayName,PyEval_RestoreThread,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,_Py_Dealloc,_Py_NoneStruct,_Py_NoneStruct,?PyWinObject_FromIID@@YAPEAU_object@@AEBU_GUID@@@Z,PyDict_GetItem,_Py_Dealloc,PyErr_Clear,PyExc_TypeError,PyErr_SetString,PyEval_SaveThread,PyEval_RestoreThread,PyObject_IsSubclass,_Py_BuildValue_SizeT, 43_2_00007FFB0BFF2E90
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 43_2_00007FFB0BFF4010 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,CreateBindCtx,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct,?PyWinObject_FromIID@@YAPEAU_object@@AEBU_GUID@@@Z,PyEval_SaveThread,PyEval_RestoreThread,PyDict_GetItem,_Py_Dealloc,PyErr_Clear,PyObject_IsSubclass,PyExc_TypeError,PyErr_SetString,PyEval_SaveThread,PyEval_RestoreThread, 43_2_00007FFB0BFF4010
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | Code function: 63_2_00007FFB0BC22B62 bind,WSAGetLastError, 63_2_00007FFB0BC22B62
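The two behaviours in this section are easy to turn into detection logic: a process-creation event whose command line is netsh advfirewall firewall add rule with dir=in and action=allow (scored higher when protocol=any, profile=any and no port or address scoping are present), and a WMI query against root\SecurityCenter2 for AntiVirusProduct, AntiSpywareProduct or FirewallProduct. The following is an added example written for this page, not code from the Joe Sandbox report or from the IDmelon product. The event records are constructed to mirror the report's netsh command line and WMI query, and their layout (type, image, parent_image, command_line, namespace, class) is an assumption rather than the schema of any real sensor; the parser also accepts the bare-quoted rule name that appears in the report's command line in place of name="...".

```python
"""Detection logic for the 'Lowering of HIPS / PFW / Operating System Security
Settings' behaviours: an inbound netsh allow rule and a SecurityCenter2 query.

Added example, not code from the Joe Sandbox report or from IDmelon. The event
records below are constructed to mirror the report's netsh command line and WMI
query; the record layout (type, image, parent_image, command_line, namespace,
class) is an assumption, not the schema of any real sensor.
"""
import re

# 'netsh advfirewall firewall add rule ...', any spacing or case.
NETSH_ADD_RULE = re.compile(r"advfirewall\s+firewall\s+add\s+rule", re.IGNORECASE)
# key=value or key="value with spaces" arguments of the rule.
KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# root\SecurityCenter2 classes that reveal the registered security products.
SECURITY_PRODUCT_CLASSES = {"antivirusproduct", "antispywareproduct", "firewallproduct"}


def parse_netsh_rule(command_line):
    """Return the arguments of a 'netsh advfirewall firewall add rule' command as a
    dict with lower-cased keys, or None if the command line is something else."""
    match = NETSH_ADD_RULE.search(command_line)
    if match is None:
        return None
    rest = command_line[match.end():]
    rule = {key.lower(): quoted or bare for key, quoted, bare in KEY_VALUE.findall(rest)}
    # The report's command line passes the rule name as a bare quoted string right
    # after 'add rule' instead of name="...": accept that form as well.
    if "name" not in rule:
        name = re.match(r'\s*"([^"]*)"', rest)
        if name:
            rule["name"] = name.group(1)
    return rule


def firewall_rule_findings(rule):
    """Reasons an 'add rule' command deserves an alert; an empty list means none."""
    findings = []
    if rule.get("action", "").lower() != "allow" or rule.get("dir", "").lower() != "in":
        return findings  # block rules and outbound rules do not expose the host
    findings.append("inbound allow rule")
    if rule.get("protocol", "").lower() == "any":
        findings.append("protocol=any (no port or protocol restriction)")
    if rule.get("profile", "").lower() == "any":
        findings.append("profile=any (also applies on public networks)")
    if "localport" not in rule and "remoteip" not in rule:
        findings.append("no localport/remoteip scoping")
    return findings


def is_security_product_enumeration(namespace, class_name):
    """True for WMI queries against the root\\SecurityCenter2 product classes."""
    ns = namespace.lower().replace("/", "\\").rstrip("\\")
    return ns.endswith("securitycenter2") and class_name.lower() in SECURITY_PRODUCT_CLASSES


def scan(events):
    """Run both detections over event records; return (responsible image, reason) pairs."""
    alerts = []
    for ev in events:
        if ev["type"] == "process_create" and ev["image"].lower().endswith("\\netsh.exe"):
            rule = parse_netsh_rule(ev["command_line"])
            findings = firewall_rule_findings(rule) if rule else []
            if findings:
                alerts.append((ev["parent_image"], "firewall rule %r for %s: %s"
                               % (rule.get("name"), rule.get("program"), "; ".join(findings))))
        elif ev["type"] == "wmi_query" and is_security_product_enumeration(ev["namespace"], ev["class"]):
            alerts.append((ev["image"], "enumerates %s in %s" % (ev["class"], ev["namespace"])))
    return alerts


# Constructed records: the report's two behaviours plus one benign (blocking) netsh rule.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": r"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe",
     "command_line": r'netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=in '
                     r'program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" '
                     r'profile=any action=allow protocol=any enable=yes'},
    {"type": "wmi_query",
     "image": r"C:\Windows\System32\conhost.exe",
     "namespace": r"root\SecurityCenter2", "class": "AntiVirusProduct"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'netsh advfirewall firewall add rule name="Block telnet" dir=in '
                     'action=block protocol=TCP localport=23'},
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(image, "->", reason)
```

Running the block prints two alerts, one attributed to the installer that spawned netsh.exe and one to the process issuing the WMI query, and nothing for the blocking rule. Attributing the firewall finding to the parent rather than to netsh.exe itself is deliberate: netsh is a signed system binary, so the process to investigate is whoever invoked it.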
MITRE ATT&CK Matrix (matched techniques per tactic; the number in parentheses is the count shown beside the technique in the report's matrix)

Execution: Windows Management Instrumentation (1); Native API (3); Command and Scripting Interpreter (3); Service Execution (12)
Persistence: DLL Side-Loading (1); Create Account (1); Windows Service (34); Bootkit (1); Services File Permissions Weakness (1)
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (34); Process Injection (12); Services File Permissions Weakness (1)
Defense Evasion: Disable or Modify Tools (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Timestomp (1); DLL Side-Loading (1); File Deletion (1); Masquerading (21); Access Token Manipulation (1); Process Injection (12); Bootkit (1); Services File Permissions Weakness (1)
Credential Access: Input Capture (11)
Discovery: System Time Discovery (12); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (4); System Information Discovery (46); Network Share Discovery (1); Query Registry (1); Security Software Discovery (141); Process Discovery (2); System Owner/User Discovery (1)
Collection: Archive Collected Data (1); Input Capture (11); Clipboard Data (1)
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (1)
Impact: System Shutdown/Reboot (1)
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration: no matched techniques
Behavior Graph ID: 1467386 | Sample: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | Startdate: 04/07/2024 | Architecture: WINDOWS | Score: 80

Behavior graph (the image is not reproduced; the node and edge text it carried is listed here):
  • Top level: DNS/IP time.windows.com; signatures "Antivirus detection for dropped file", "Multi AV Scanner detection for dropped file", "Multi AV Scanner detection for submitted file" and 2 other signatures; processes started: nssm.exe, SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, svchost.exe, svchost.exe.
  • SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe: drops C:\...\IDmelonV2CredentialProvider.dll (PE32+), C:\Users\user\AppData\Local\...\nsExec.dll (PE32), C:\Users\user\AppData\Local\...\System.dll (PE32) and 13 other malicious files; signatures "Uses netsh to modify the Windows network and firewall settings" and "Modifies the windows firewall"; starts vc_redist.x64.exe, netsh.exe, nssm.exe and 23 other processes.
  • nssm.exe (top level): starts two instances of IDmelonCredentialProviderFidoAgent.exe and two conhost.exe.
  • First IDmelonCredentialProviderFidoAgent.exe: drops C:\Windows\Temp\_MEI32322\...\shell.pyd, C:\Windows\Temp\_MEI32322\...\win32trace.pyd, C:\Windows\Temp\_MEI32322\...\win32pipe.pyd (all PE32+) and 81 other files (78 malicious); starts a child IDmelonCredentialProviderFidoAgent.exe and conhost.exe; the child starts cmd.exe.
  • Second IDmelonCredentialProviderFidoAgent.exe: drops C:\Windows\Temp\_MEI15042\...\shell.pyd, C:\Windows\Temp\_MEI15042\...\win32trace.pyd, C:\Windows\Temp\_MEI15042\...\win32pipe.pyd (all PE32+) and 81 other files (78 malicious); starts a child IDmelonCredentialProviderFidoAgent.exe and conhost.exe; the child starts cmd.exe.
  • vc_redist.x64.exe: drops C:\Windows\Temp\...\VC_redist.x64.exe (PE32) and starts it; VC_redist.x64.exe drops C:\Windows\Temp\...\wixstdba.dll (PE32).
  • netsh.exe, the installer's nssm.exe and the 23 other processes each start conhost.exe (the latter also 21 other processes); the conhost.exe under netsh.exe starts a further conhost.exe.

SourceDetectionScannerLabelLink
SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe17%ReversingLabs
SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe12%VirustotalBrowse
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | 100% | Avira | HEUR/AGEN.1305235 |
C:\Program Files (x86)\IDmelon\FCP\CommandLine.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\FileDeleter.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | 5% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\IDmelonFcp.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\Microsoft.Win32.Registry.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\System.Security.AccessControl.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\System.Security.Principal.Windows.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\log4net.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\nssm.exe | 14% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\uninstall.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nstC680.tmp\EnVar.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nstC680.tmp\InstallOptions.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nstC680.tmp\System.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nstC680.tmp\nsExec.dll | 0% | ReversingLabs | |
C:\Windows\System32\IDmelonV2CredentialProvider.dll | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_ARC4.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_Salsa20.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_chacha20.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_pkcs1_decode.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_aes.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_aesni.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_arc2.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_blowfish.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_cast.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_cbc.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_cfb.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_ctr.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_des.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_des3.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_ecb.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_eksblowfish.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_ocb.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Cipher\_raw_ofb.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Hash\_BLAKE2b.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Hash\_BLAKE2s.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Hash\_MD2.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Hash\_MD4.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Hash\_MD5.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Hash\_RIPEMD160.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Hash\_SHA1.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Hash\_SHA224.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Hash\_SHA256.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI15042\Crypto\Hash\_SHA384.pyd | 0% | ReversingLabs | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
time.windows.com | 0% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
https://twitter.com/ | 0% | URL Reputation | safe |
https://cbor.io/ | 0% | Avira URL Cloud | safe |
https://develop.sentry.dev/sdk/performance/span-data-conventions/ | 0% | Avira URL Cloud | safe |
https://github.com/giampaolo/psutil/issues/875. | 0% | Avira URL Cloud | safe |
https://github.com/pyca/cryptography/issues/8996 | 0% | Avira URL Cloud | safe |
http://wixtoolset.org/schemas/thmutil/2010 | 0% | Avira URL Cloud | safe |
http://aka.ms/vcpython27 | 0% | Avira URL Cloud | safe |
https://www.python.org/download/releases/2.3/mro/. | 0% | Avira URL Cloud | safe |
http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html | 0% | Avira URL Cloud | safe |
http://wixtoolset.org/schemas/thmutil/2010 | 0% | Virustotal | | Browse
https://www.python.org/download/releases/2.3/mro/. | 1% | Virustotal | | Browse
https://github.com/pyca/cryptography/issues/8996 | 0% | Virustotal | | Browse
http://aka.ms/vcpython27 | 0% | Virustotal | | Browse
https://github.com/mhammond/pywin32 | 0% | Avira URL Cloud | safe |
https://github.com/giampaolo/psutil/issues/875. | 0% | Virustotal | | Browse
https://github.com/Ousret/charset_normalizer | 0% | Avira URL Cloud | safe |
http://docs.python.org/library/unittest.html | 0% | Avira URL Cloud | safe |
https://python.org/dev/peps/pep-0263/ | 0% | Avira URL Cloud | safe |
http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html | 0% | Virustotal | | Browse
https://github.com/getsentry/relay/blob/be12cd49a0f06ea932ed9b9f93a655de5d6ad6d1/relay-general/src/t | 0% | Avira URL Cloud | safe |
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | 0% | Avira URL Cloud | safe |
https://python.org/dev/peps/pep-0263/ | 0% | Virustotal | | Browse
https://github.com/mhammond/pywin32 | 0% | Virustotal | | Browse
https://github.com/getsentry/relay/blob/be12cd49a0f06ea932ed9b9f93a655de5d6ad6d1/relay-general/src/t | 0% | Virustotal | | Browse
http://docs.python.org/library/unittest.html | 0% | Virustotal | | Browse
https://develop.sentry.dev/sdk/event-payloads/exception/ | 0% | Avira URL Cloud | safe |
https://github.com/Ousret/charset_normalizer | 0% | Virustotal | | Browse
http://goo.gl/zeJZl. | 0% | Avira URL Cloud | safe |
https://tools.ietf.org/html/rfc2388#section-4.4 | 0% | Avira URL Cloud | safe |
https://develop.sentry.dev/sdk/performance/span-data-conventions/ | 0% | Virustotal | | Browse
http://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular- | 0% | Avira URL Cloud | safe |
https://github.com/pypa/packaging | 0% | Avira URL Cloud | safe |
https://tools.ietf.org/html/rfc2388#section-4.4 | 0% | Virustotal | | Browse
http://stackoverflow.com/questions/19622133/ | 0% | Avira URL Cloud | safe |
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 | 0% | Avira URL Cloud | safe |
http://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular- | 0% | Virustotal | | Browse
https://develop.sentry.dev/sdk/event-payloads/exception/ | 0% | Virustotal | | Browse
https://refspecs.linuxfoundation.org/elf/gabi4 | 0% | Avira URL Cloud | safe |
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf | 0% | Avira URL Cloud | safe |
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 | 0% | Virustotal | | Browse
https://github.com/pypa/packaging | 0% | Virustotal | | Browse
http://goo.gl/zeJZl. | 0% | Virustotal | | Browse
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | 0% | Virustotal | | Browse
https://cbor.io/ | 0% | Virustotal | | Browse
http://docs.python.org/3/library/subprocess#subprocess.Popen.kill | 0% | Avira URL Cloud | safe |
http://tools.ietf.org/html/rfc5297 | 0% | Avira URL Cloud | safe |
https://refspecs.linuxfoundation.org/elf/gabi4 | 0% | Virustotal | | Browse
https://upload.pypi.org/legacy/ | 0% | Avira URL Cloud | safe |
http://docs.python.org/library/itertools.html#recipes | 0% | Avira URL Cloud | safe |
https://requests.readthedocs.io | 0% | Avira URL Cloud | safe |
http://curl.haxx.se/rfc/cookie_spec.html | 0% | Avira URL Cloud | safe |
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode | 0% | Avira URL Cloud | safe |
http://stackoverflow.com/questions/19622133/ | 0% | Virustotal | | Browse
http://docs.python.org/3/library/subprocess#subprocess.Popen.kill | 0% | Virustotal | | Browse
http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf | 0% | Avira URL Cloud | safe |
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf | 0% | Virustotal | | Browse
http://curl.haxx.se/rfc/cookie_spec.html | 0% | Virustotal | | Browse
http://docs.python.org/library/itertools.html#recipes | 0% | Virustotal | | Browse
https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca | 0% | Avira URL Cloud | safe |
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | 0% | Avira URL Cloud | safe |
https://httpbin.org/get | 0% | Avira URL Cloud | safe |
https://upload.pypi.org/legacy/ | 0% | Virustotal | | Browse
http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf | 0% | Virustotal | | Browse
https://github.com/pypa/setuptools/issues/1024. | 0% | Avira URL Cloud | safe |
https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access | 0% | Avira URL Cloud | safe |
https://httpbin.org/get | 1% | Virustotal | | Browse
http://www.tarsnap.com/scrypt/scrypt-slides.pdf | 0% | Avira URL Cloud | safe |
https://requests.readthedocs.io | 0% | Virustotal | | Browse
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf | 0% | Avira URL Cloud | safe |
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode | 0% | Virustotal | | Browse
https://github.com/pypa/setuptools/issues/1024. | 0% | Virustotal | | Browse
http://nssm.cc/ | 0% | Avira URL Cloud | safe |
http://tools.ietf.org/html/rfc5297 | 0% | Virustotal | | Browse
http://www.tarsnap.com/scrypt/scrypt-slides.pdf | 0% | Virustotal | | Browse
https://docs.sentry.io/platforms/python/contextvars/ | 0% | Avira URL Cloud | safe |
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf | 0% | Virustotal | | Browse
https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access | 0% | Virustotal | | Browse
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | 0% | Avira URL Cloud | safe |
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | 0% | Virustotal | | Browse
https://json.org | 0% | Avira URL Cloud | safe |
http://docs.python.org/3/library/pprint.html#pprint.pprint | 0% | Avira URL Cloud | safe |
http://nssm.cc/ | 0% | Virustotal | | Browse
http://mail.python.org/pipermail/python-dev/2012-June/120787.html. | 0% | Avira URL Cloud | safe |
https://httpbin.org/ | 0% | Avira URL Cloud | safe |
https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca | 0% | Virustotal | | Browse
https://www.python.org/dev/peps/pep-0205/ | 0% | Avira URL Cloud | safe |
https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file | 0% | Avira URL Cloud | safe |
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor | 0% | Avira URL Cloud | safe |
https://stackoverflow.com/questions/4457745#4457745. | 0% | Avira URL Cloud | safe |
http://www.nightmare.com/squirl/python-ext/misc/syslog.py | 0% | Avira URL Cloud | safe |
http://aka.ms/vcpython27P | 0% | Avira URL Cloud | safe |
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | 0% | Avira URL Cloud | safe |
https://google.com/ | 0% | Avira URL Cloud | safe |
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401 | 0% | Avira URL Cloud | safe |
http://github.com/ActiveState/appdirs | 0% | Avira URL Cloud | safe |
http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate | 0% | Avira URL Cloud | safe |
https://wiki.debian.org/XDGBaseDirectorySpecification#state | 0% | Avira URL Cloud | safe |
http://pyparsing.wikispaces.com | 0% | Avira URL Cloud | safe |
https://cffi.readthedocs.io/en/latest/using.html#callbacks | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
time.windows.com | unknown | unknown | false | unknown
Name | Source | Malicious | Antivirus Detection | Reputation

Name: https://cbor.io/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512461436.0000020E2C227000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512461436.0000020E2C1EE000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://github.com/pyca/cryptography/issues/8996
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2546972518.00007FFB0B613000.00000002.00000001.01000000.00000048.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://develop.sentry.dev/sdk/performance/span-data-conventions/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542997680.0000020E2D7D4000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://github.com/giampaolo/psutil/issues/875.
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://wixtoolset.org/schemas/thmutil/2010
Source: VC_redist.x64.exe, 00000004.00000003.1360114571.0000000002BCD000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://aka.ms/vcpython27
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1461908759.0000014272460000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541852979.0000020E2C4F0000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://www.python.org/download/releases/2.3/mro/.
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1453414232.0000014270E00000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2539925841.0000020E2B220000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542763777.0000020E2CF10000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541531379.0000020E2C292000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://github.com/mhammond/pywin32
Source: IDmelonCredentialProviderFidoAgent.exe, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2553655992.00007FFB1C2E9000.00000002.00000001.01000000.0000003D.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2551387174.00007FFB0C0B1000.00000002.00000001.01000000.00000033.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2549376398.00007FFB0BB63000.00000002.00000001.01000000.0000003E.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2553296398.00007FFB1BB29000.00000002.00000001.01000000.0000003F.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2551213570.00007FFB0C084000.00000002.00000001.01000000.00000035.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://github.com/Ousret/charset_normalizer
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512219425.0000020E2B990000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://docs.python.org/library/unittest.html
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1439099612.0000014271FBF000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1439373811.0000014271FE9000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://python.org/dev/peps/pep-0263/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1465066228.00007FFB0C3FF000.00000002.00000001.01000000.00000010.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2551593408.00007FFB0C3FF000.00000002.00000001.01000000.00000029.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://github.com/getsentry/relay/blob/be12cd49a0f06ea932ed9b9f93a655de5d6ad6d1/relay-general/src/t
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542262977.0000020E2CA70000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441464368.0000014270846000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441234579.000001427088A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1443141337.00000142708AC000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1448198403.00000142708B2000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1427948614.00000142708AD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1453114466.00000142708B6000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1427465154.000001427088C000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442222153.000001427088A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441703606.0000014270858000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1502893772.0000020E2A908000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://develop.sentry.dev/sdk/event-payloads/exception/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542997680.0000020E2D7D4000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://goo.gl/zeJZl.
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512461436.0000020E2C183000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://tools.ietf.org/html/rfc2388#section-4.4
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512219425.0000020E2B990000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540614851.0000020E2BA1F000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular-
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1449382048.00000142716A4000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442058390.0000014271A33000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1435161281.0000014271E61000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1438434561.0000014271A33000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1435161281.0000014271EA0000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441741799.0000014271691000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1444355559.0000014271A3A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442477570.00000142716A2000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512219425.0000020E2B990000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540614851.0000020E2BA1F000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540364569.0000020E2B626000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1508108518.0000020E2BEE1000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://github.com/pypa/packaging
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540971548.0000020E2BCC0000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541773506.0000020E2C3E0000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://stackoverflow.com/questions/19622133/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1461786222.0000014272360000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541773506.0000020E2C3E0000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442058390.0000014271A33000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1438434561.0000014271A33000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://refspecs.linuxfoundation.org/elf/gabi4
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1461908759.0000014272460000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1460383962.0000014271B60000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541852979.0000020E2C4F0000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540894343.0000020E2BBB0000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542763777.0000020E2CF10000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541531379.0000020E2C292000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1439099612.0000014271FBF000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442108999.0000014271FDB000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1462047611.0000014272574000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1440638090.0000014271FC7000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://tools.ietf.org/html/rfc5297
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://upload.pypi.org/legacy/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541773506.0000020E2C3E0000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://docs.python.org/library/itertools.html#recipes
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1461668814.0000014272260000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://requests.readthedocs.io
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://curl.haxx.se/rfc/cookie_spec.html
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1462047611.00000142725CC000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442058390.0000014271A33000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1438434561.0000014271A33000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542763777.0000020E2CF10000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1461908759.0000014272460000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1460383962.0000014271B60000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541852979.0000020E2C4F0000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540894343.0000020E2BBB0000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1453414232.0000014270E8C000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2539925841.0000020E2B220000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://httpbin.org/get
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512461436.0000020E2C227000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://github.com/pypa/setuptools/issues/1024.
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1460580684.0000014271C60000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540971548.0000020E2BCC0000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1443096441.00000142718DD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1429424717.00000142718F1000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1459153886.00000142718E2000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1439583314.00000142718D6000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1429491422.0000014271898000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1438088616.0000014271899000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1443038849.00000142718D7000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1434283041.0000014271889000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1429637717.00000142718F1000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1429637717.00000142718A2000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1447131319.00000142718E1000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1434579442.0000014271897000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1506304591.0000020E2B96A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1507402690.0000020E2B8B8000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1506117766.0000020E2B96A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1506304591.0000020E2B91B000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542763777.0000020E2CF10000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542262977.0000020E2CA74000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://nssm.cc/
Source: nssm.exe, nssm.exe, 00000005.00000002.1366194698.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000007.00000002.1368659903.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000009.00000000.1369522059.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000000B.00000002.1373041457.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000000D.00000000.1374230000.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000000F.00000000.1376570989.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000011.00000000.1378904152.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000013.00000002.1384174915.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000015.00000002.1387887076.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000017.00000000.1388938645.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000019.00000000.1391281770.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000001B.00000002.1395193449.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000001D.00000002.1397389767.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000001F.00000002.1416882815.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000021.00000002.2540334590.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000025.00000000.1417417033.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000027.00000000.1419927724.0000000140065000.00000002.00000001.01000000.0000000E.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://docs.sentry.io/platforms/python/contextvars/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542997680.0000020E2D7D4000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441464368.0000014270846000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441234579.000001427088A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1443141337.00000142708AC000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1448198403.00000142708B2000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1427948614.00000142708AD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1453114466.00000142708B6000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1427465154.000001427088C000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442222153.000001427088A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441703606.0000014270858000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1502893772.0000020E2A908000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://json.org
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1439162770.0000014271F5B000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://docs.python.org/3/library/pprint.html#pprint.pprint
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1444204176.00000142716FD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1435161281.0000014271EA0000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1449163703.00000142716FE000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1443313298.00000142716F5000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442873539.00000142716E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1455566367.0000014271705000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442011477.00000142716DD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1448232396.00000142716FD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1440990236.00000142716DD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1438645387.00000142716DA000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512219425.0000020E2B990000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540614851.0000020E2BA1F000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1512461436.0000020E2C183000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://httpbin.org/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540364569.0000020E2B626000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://www.python.org/dev/peps/pep-0205/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1460383962.0000014271B60000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540894343.0000020E2BBB0000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown

Name: https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2546972518.00007FFB0B613000.00000002.00000001.01000000.00000048.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: vc_redist.x64.exe, 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp, vc_redist.x64.exe, 00000003.00000000.1353568119.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp, VC_redist.x64.exe, 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp, VC_redist.x64.exe, 00000004.00000000.1354748130.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown

Name: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, 00000000.00000003.1449504869.0000000000808000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, 00000000.00000000.1297748421.000000000040A000.00000008.00000001.01000000.00000003.sdmp, SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown

Name: https://twitter.com/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540364569.0000020E2B626000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
  • URL Reputation: safe
unknown
https://stackoverflow.com/questions/4457745#4457745.IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542177458.0000020E2C940000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.nightmare.com/squirl/python-ext/misc/syslog.pyIDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1437963322.000001427208C000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1462047611.000001427256C000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1461908759.0000014272460000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1437963322.000001427209C000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541852979.0000020E2C4F0000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://aka.ms/vcpython27PIDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1461908759.0000014272460000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_syIDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441464368.0000014270846000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441234579.000001427088A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1443141337.00000142708AC000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1448198403.00000142708B2000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1427948614.00000142708AD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1453114466.00000142708B6000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1427465154.000001427088C000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442222153.000001427088A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441703606.0000014270858000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1502893772.0000020E2A908000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://google.com/IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540364569.0000020E2B626000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1460689243.0000014271D60000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541047457.0000020E2BDE0000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://github.com/ActiveState/appdirsIDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1460580684.0000014271C60000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540971548.0000020E2BCC0000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://wiki.debian.org/XDGBaseDirectorySpecification#stateIDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441464368.0000014270846000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1445288275.0000014270872000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442642900.0000014270859000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1441703606.0000014270858000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1507402690.0000020E2B8B8000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://docs.python.org/3/library/subprocess#subprocess.Popen.terminateIDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1439099612.0000014271FBF000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442058390.0000014271A33000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1442108999.0000014271FDB000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1438434561.0000014271A33000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1462047611.0000014272620000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000003.1440638090.0000014271FC7000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://pyparsing.wikispaces.comIDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1508108518.0000020E2BEE1000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://cffi.readthedocs.io/en/latest/using.html#callbacksIDmelonCredentialProviderFidoAgent.exe, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2548035959.00007FFB0B98C000.00000002.00000001.01000000.00000049.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://tools.ietf.org/html/rfc5297IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2542763777.0000020E2CF10000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://bugs.python.org/issue44497.IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1461786222.0000014272360000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1460689243.0000014271D60000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541047457.0000020E2BDE0000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2541773506.0000020E2C3E0000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://www.openssl.org/HIDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1464113224.00007FFB0BF69000.00000002.00000001.01000000.00000020.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002B.00000002.1463392990.00007FFB0BC1B000.00000002.00000001.01000000.00000021.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.pyIDmelonCredentialProviderFidoAgent.exe, 0000003F.00000003.1502893772.0000020E2A908000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://develop.sentry.dev/sdk/event-payloads/transaction/#transaction-annotationsIDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2540614851.0000020E2BA1F000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://github.com/pyca/cryptography/issuesIDmelonCredentialProviderFidoAgent.exe, 0000003F.00000002.2546972518.00007FFB0B613000.00000002.00000001.01000000.00000048.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://appsyndication.org/2006/appsynvc_redist.x64.exe, VC_redist.x64.exefalse
  • Avira URL Cloud: safe
unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1467386
Start date and time:2024-07-04 06:26:14 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 13m 15s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:69
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
Detection:MAL
Classification:mal80.evad.winEXE@96/272@1/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 61%
  • Number of executed functions: 169
  • Number of non-executed functions: 264
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 40.119.148.38
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Time | Type | Description
00:27:16 | API Interceptor | 1x Sleep call for process: dllhost.exe modified
No context
No context
No context
No context
No context
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):225280
Entropy (8bit):6.201066097308408
Encrypted:false
SSDEEP:6144:sG/zAnUPpKO6acJ8Ha+VbR9HGzIuIliUtf:syzAUPMeaIDGcfi
MD5:2F345B6D207489E52DB3F85C2E4E617D
SHA1:D0CD77AA88B8ED0AE5F07A8132EACA857DEA7795
SHA-256:2135B40FA819E58CF1942453E4409BFDEA2BE631077A354B878DE8402BE7E026
SHA-512:24AD3B3620E5E093EA57C1BEC486379853D625DBF962210B2DEB823115A45F9EC4083B6D4BB69610A9DAE4B6076284C11E3663430DB4EA739224E6DE93D88E8D
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..f............... ........... ...............................d....`.................................b...O.......................................T............................................ ............... ..H............text....e... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H.......dJ...9............................................................{....*..{/...*V.(0.....}......}/...*...0..A........u........4.,/(1....{.....{....o2...,.(3....{/....{/...o4...*.*.*. a.(. )UU.Z(1....{....o5...X )UU.Z(3....{/...o6...X*...0..b........r...p......%..{.......%q!....!...-.&.+...!...o7....%..{/......%q"...."...-.&.+..."...o7....(8...*..{9...*..{:...*V.(0.....}9.....}:...*.0..A........u#.......4.,/(1....{9....{9...o2...,.(3....{:....{:...o4...*.*.*. ..% )UU.
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):112128
Entropy (8bit):3.6701691669294
Encrypted:false
SSDEEP:384:x6Djk5VqpY/zWabOc3sFE9r8l7n9KViZx1PPxv+Xo8152:l5kpODKE9uL9KgBVi2
MD5:4872481CC7259458841E5B2660F835A9
SHA1:A7B667687F021AE47B658343EE823CB80F956772
SHA-256:AB52192C8413B75121610CD472A1FFF007783150694E5174B9D36522A564BAB0
SHA-512:59EE2898B74E7915E1ED040631F83B2FD5DE4B6E9A08AD1BB5D543F1505303899CE52EC32B2365FF3335E19AB72377132AFD5204DC87B4AD30A31DE8E9F5FDD2
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...b2..........."...0.................. .....@..... ....................................`...@......@............... ...............................@..T............................(..8............................................................ ..H............text........ ...................... ..`.rsrc...T....@......................@..@........................................H.......$!...............................................................0...............(....,..(.....r...p(....(.....(....+..r/..p(....(.....(.....[&r_..p(.....(.....H.r...p.r...p.o....(....(.....(.....$.r...p.r...p.o....(....(.....(......*...(......>B..........>U.$........>y.$......(....*BSJB............v4.0.30319......l.......#~..........#Strings....P.......#US.T.......#GUID...d...t...#Blob...........G..........3........................................................!.o.....o...
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):17194344
Entropy (8bit):7.993685883736123
Encrypted:true
SSDEEP:393216:hiIE7YoPQsSpUTLfhJKDfDgPc6U+gbtToNRQCaG:O7rPQfUTLJUb0k4gbtOQ4
MD5:2B087903208E385308BF23C41F82E872
SHA1:DEE1EB429C17CAC16CE50B38339FCE947F2F2CC8
SHA-256:97B90732767B548D5CA570B0A5A1BA40372BD0CDB70CDA4934E38C7E113A18D6
SHA-512:5B2399FA8774CF5EE84F87EC6A0B2A27E9B722E9A1F98A70D8EE7FC5F50572FB8B1CB8F8A48DDCFE73A3C4B731D8C8EE22C56AA9F72620F09B63E8F1A2EF185D
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 5%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1_..P1..P1..P1..(2..P1..(4.|P1..(5..P1../..P1../4..P1../5..P1../2..P1..(0..P1..P0..P1...5..P1...3..P1.Rich.P1.........................PE..d......e.........."....%......................@............................. ............`.....................................................P....`....... ...".. K..H.......\...P...................................@...............x............................text............................... ..`.rdata...).......*..................@..@.data...83..........................@....pdata..."... ...$..................@..@_RDATA..\....P......................@..@.rsrc........`......................@..@.reloc..\...........................@..B................................................................................................................................................................................................
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):127048
Entropy (8bit):4.1857296096986545
Encrypted:false
SSDEEP:768:jBdKWI3P1eWnBh9Pge2lUKNgpODKE9uLdKghVC5k271Pw:fKWMZBrge2lUKapOT5kY1Pw
MD5:E586DE437B9E9E6FD7FCB0DBFF66563E
SHA1:DAD2020888C6F72F4DA1276883A7A3030ABE6586
SHA-256:68B767FADF8D6AF9A6DBF4C683FB8B41301D1657A7B0FC8196F68A61ABF190D7
SHA-512:68A6349C982CB74DBCE535D95941B224D2F52D0DE2A86292E238300EFB7EF0F85A81100A29038FD156CA6B3AE5DE07C1C6091264E7FA09FA3ADD6048D1369593
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0..2............... .....@..... ....................... ......W.....`...@......@............... ...............................`..................H............O..8............................................................ ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@........................................H........'..T(...... ....................................................~....%-.&~......)...s....%.....s.....(....*.0..F.......(&...,4.($...r...p(.....,.rU..p(....r...p.o....(....(......r/..p(....*.............".....0..F.......(&...,4.($...r...p(.....,.r...p(....r...p.o....(....(......r/..p(....*.............".....0..C.......(%....3.r?..p(....+.r...p(.....".r...p(....ri..p.o....(....(......*......... ."....r(....%.o....r...p(....o....*r(....%.o....rf..p(....o....*...0..R........~..
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):26496
Entropy (8bit):6.147606968484159
Encrypted:false
SSDEEP:384:j4nLpSumfSQrlHViaCZYvLPQmlJLfjnWn6GWfdHRN76+fVlGsa9h:j4QVrxViR9mlxd96lv
MD5:59C48AACB1C413C108161AFE13FDBED9
SHA1:31ACE4B26D8A069C84AAD6001E06C2A5483806F3
SHA-256:E9A9D281C1A708AAAE366F82FD6A1742F65DA2918CC4FA5EAAAADA0BE24277D9
SHA-512:8252ABE64C67863D9E4C70E820F0C69C517B8678A4B4C13A436118BC276E5F21E84522B93566C0BC009EFFCB251ED67BDBC60E4907ABEA2F33B6BE3764E28D1D
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j............" ..0..:..........jX... ...`....... ..............................a.....`..................................X..O....`...............D...#..........$W..T............................................ ............... ..H............text...p8... ...:.................. ..`.rsrc........`.......<..............@..@.reloc...............B..............@..B................LX......H........$..8"...........G.......V.......................................~....*..0..1.......(....,..%-.&.*..(.....o.......&...,...o....,..*.*....................(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*..,&(....,..r...pr...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*...(....*.(....,.r...p......%...%...%...(....*....(....*.(....,"r...p......%...%...%...%....(....*......(
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):33672
Entropy (8bit):5.963333780741011
Encrypted:false
SSDEEP:384:jFGa3siuaS/bRSqtesyvaMAdB+w3G5h9MCZYsMfpcrqmf9wEJqIxVRvFNgfBkyNp:jAa3FuQwetxWBkyNE0MXwVP
MD5:996AAB294E1D369B148D732E5EC0DFDC
SHA1:28465FD34680A082506F160107F350B46140A1AA
SHA-256:1FDA491EEBDB19EA0A83CF6C16AB5DD004A1BFDFC845EDE017EBE0945BEB927F
SHA-512:5E6B172D2DE5928915B38EC80C7B76F42430AAC959F04AA3521C63495B6F3C4F82DF139C275E9FC5024B1A0A4F307DAADE6130B6028779F98F456282AE8B61CD
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..V...........u... ........... ..............................yj....`..................................u..O....................`...#...........t..T............................................ ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............^..............@..B.................u......H........%..P2..........@X.......t.......................................~....*..0..1.......(....,..%-.&.*..(.....o.......&...,...o....,..*.*....................(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*..,&(....,..r...pr...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*...(....*.(....,.r...p......%...%...%...(....*....(....*.(....,"r...p......%...%...%...%....(....*......(
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):18312
Entropy (8bit):6.439506871486808
Encrypted:false
SSDEEP:384:cEwo6eTs14YY4cWpOW6dHRN7FYpJAlGspU:VwDdT463
MD5:BE2962225B441CC23575456F32A9CF6A
SHA1:9A5BE1FCF410FE5934D720329D36A2377E83747E
SHA-256:B4D8E15ADC235D0E858E39B5133E5D00A4BAA8C94F4F39E3B5E791B0F9C0C806
SHA-512:3F7692E94419BFFE3465D54C0E25C207330CD1368FCDFAD71DBEED1EE842474B5ABCB03DBA5BC124BD10033263F22DC9F462F12C20F866AEBC5C91EB151AF2E6
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....r..........." ..0.............V8... ...@....... ..............................!.....`..................................8..O....@...............$...#...`.......6..T............................................ ............... ..H............text...\.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................68......H.......|!..............\4.. ...|6......................................:.(......}....*..{....*"..(....*"..(....*"..(....*..(....*..(....*..(....*..(....*:.(......}....*..{....*:.(......}....*..{....*:.(......}....*..{....*..(....*:.(......}....*..{....*^.(...........%...}....*:.(......}....*..{....*z.(......}...........%...}....*V.(......}......}....*..{....*..{....*..BSJB............v4.0.30319......l.......#~..@.......#Strings....8.......#US.<.......#GUID...L.......#Blob...
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):270336
Entropy (8bit):5.596191661109029
Encrypted:false
SSDEEP:3072:h+8gmdoxSO7ZbQFroo7RVir/dtnK0sgdnogtHcU5qFG1RSGCkE9kKn7GCcaLoWn:c1N8LLI/PK0scnodG1RS1T93caL
MD5:46319A38CE5D09020D2AC56B67829C6C
SHA1:FFE64CA4D4BC9E1DAB1D195982D22121A6BAA058
SHA-256:1D45A6AFA38F0B10814063F2A42E6EFCE45752853667650E765844B8566B3332
SHA-512:0DE61771A92EE71470E51BCCF66D3A39C105AE23D60E73D8E4E7D44135DFF4C8D1DDDFF9BBB6BE72FF083D51C784E5CA829A6ADEFEE87FD901D2DE58DB0DDB03
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....O..........." ..0...... ........... ... ....... .......................`...........`.....................................O.... .......................@......|................................................ ............... ..H............text...(.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):1256
Entropy (8bit):4.876030803987738
Encrypted:false
SSDEEP:12:f6Ge90DveQunddeWdGXRnroKVke90DveQunddeWdGXRn7rikZ4rOTpBTpjCbWk0S:fdUYvgvDCdcQkUYvgvDCd7g5SwujO8m
MD5:587795DD1324069EAAA8214348388A1A
SHA1:09884BB82E9A26FBEEAB9910B00046B496950595
SHA-256:969A0B459FAEED886DDE5A0DB8198FA2E1B66F0073387314C3277F6992D92FE5
SHA-512:5754E18B5970243DBB84180DCFA8FD380817EBA323635DCDE8F14BF91D46FA8950822867534CCF89BA1D0BA5C5C5DBDD0550E4EC54E198C06D4D6CC3294E2112
Malicious:false
Reputation:unknown
Preview:Traceback (most recent call last):.. File "main.py", line 2, in <module>.. File "<frozen importlib._bootstrap>", line 1027, in _find_and_load.. File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked.. File "<frozen importlib._bootstrap>", line 688, in _load_unlocked.. File "PyInstaller\loader\pyimod02_importers.py", line 419, in exec_module.. File "dependencies\credential_provider_core_api.py", line 5, in <module>.. File "<frozen importlib._bootstrap>", line 1027, in _find_and_load.. File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked.. File "<frozen importlib._bootstrap>", line 688, in _load_unlocked.. File "PyInstaller\loader\pyimod02_importers.py", line 419, in exec_module.. File "dependencies\utilities\logger.py", line 49, in <module>.. File "dependencies\utilities\logger.py", line 11, in __init__.. File "logging\handlers.py", line 155, in __init__.. File "logging\handlers.py", line 58, in __init__.. File "logging\__init__
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):373288
Entropy (8bit):5.612916865047601
Encrypted:false
SSDEEP:6144:dI6VyDGb+HiFr4kchE18dkuCj7jLwcYBQarDosNXUk:dIJDGb+Hiu9hE18dkxfdsNXV
MD5:17DE7869B1B721B3FFF9DBE111CAAFF8
SHA1:5CA75CBF7928732B5B022BC06146216CC7EEBC30
SHA-256:852F71F992F9C6FE89875F468AB7058FD9E0CF03FC13654E7E2F291BC403517F
SHA-512:A4C736EECDCC4DBED1D871B1E593B174A09001DFAB5D2FE1309918CCDF82DC25C09683799B35F6BF748E4A61466BC302A30A5FB62A350A6912C9112108501155
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 14%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"1P.C_..C_..C_..;...C_..;...C_...$..C_..C^.YC_..;...C_......C_..;...C_.Rich.C_.........................PE..d...]..Y..........#......D...X................@.........................................................................................................|...P..."......(............................................................`.. ............................text...4B.......D.................. ..`.rdata.......`.......H..............@..@.data...dC......."..................@....pdata..."...P...$..................@..@.rsrc....|.......~..."..............@..@................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):174762
Entropy (8bit):5.434075073453572
Encrypted:false
SSDEEP:1536:bferrLkSRoe8C4UZsys0Dh1duppOwSdnhCVEb010n6BBteqmLAv:bfi3k+oWDBDh1duCvnzb0+n6Xteqmkv
MD5:6787BBD72F237C093B03F66DDF142BF5
SHA1:B89FBED6EA076DEA30A23CAB818460B75FCB116C
SHA-256:D856C1CC16AEBD51DCB1D78DAD8F9BFFF51255482B5B1A998EE9F41CD76ABD3B
SHA-512:FF4CCCB44B25164DC4E487366B98A2A863DCED86B012D81A2114FF08785A93E9A2B6DC9E49367805E7958FCCE9798C2D205126898453D14A4F48A153AC79D458
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...l.d.................j..........25............@..........................0............@...........................................................(............................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata...0...P...........................rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):25226464
Entropy (8bit):7.997252015933408
Encrypted:true
SSDEEP:786432:z3pXDWoLTNOqMDH7ZQil1SGuS68qjK5cXc1++9:LpXDhLTNJM77WMUGumS7c
MD5:35431D059197B67227CD12F841733539
SHA1:AE97F1E35C50A3C1B7B231995AD547828E71FE4C
SHA-256:296F96CD102250636BCD23AB6E6CF70935337B1BBB3507FE8521D8D9CFAA932F
SHA-512:DFC0A9BD4151CBB9407A1234E6C892B65D3DB35F1A95684547FC0F5334A9B3D19EFE88D5F2661D7B4A372489334098629FFB2C433D4128772C3B021ED259424E
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L......Z.....................v......m.............@..........................p...........@..............................................;.............((...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B........................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:CSV text
Category:dropped
Size (bytes):264
Entropy (8bit):4.830047168308315
Encrypted:false
SSDEEP:6:i8Vd+F4s9WiIMEKB8Vd+F4s9WiIMIIkB8Vd+FDsF/iIMDbLVY+yKv:i8VdANv8VdANIIS8VdWsF2DbW+yKv
MD5:115694D78FB6D3F6BC1AF349F7B6EC51
SHA1:CA28C4347A250E558333579014AEF4AA4AF5EBDE
SHA-256:54A61E0257C5B08825890684DE5F4F91CB9F55EF77F196DE8FABC5BC2E8505A3
SHA-512:81D6C278F01789E0008AB452DF038083C6D22E6F279E640140D7714285C931A73D6D2B2B9C4215084452B4423D57843B26FAF084B3584EB67625E5454BC80669
Malicious:false
Reputation:unknown
Preview:2024-07-04 02:13:21,798 - INFO - IDmelon credential provider FIDO agent v1.1.0.0..2024-07-04 02:13:21,798 - INFO - IDmelon credential provider FIDO agent started...2024-07-04 02:13:21,798 - INFO - Waiting for credential provider to connect to the control pipe.....
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):7148
Entropy (8bit):5.430338476458748
Encrypted:false
SSDEEP:96:7x+uqD2pbnonxt+1+1M1T1j1g1O1d1v0YBnq6MZ6t06hYGTYUW0dxZtD5u1+h:NRVonm1+1M1T1j1g1O1d1vtdxZe1c
MD5:123AF46A3534BE2F8E5D174DB4EC4690
SHA1:6E2EB43B87981B59D51CC3C19AF0F13891702FB5
SHA-256:EDC152297559DBBA475935327CC9CB112760A7D65F66CC212EF7AC8ABDEBD293
SHA-512:7771FA5A8342D8FA592E71193FD14D8C50A6FFA97A7CC237DBF7F3AA40CBC07908C06D78FD4521CF5024EEEF5ECE30229CC86A916EEA9C13D65137860A893294
Malicious:false
Reputation:unknown
Preview:[184C:1624][2024-07-04T00:27:22]i001: Burn v3.10.4.4718, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe..[184C:1624][2024-07-04T00:27:22]i009: Command Line: '"-burn.clean.room=C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 /quiet'..[184C:1624][2024-07-04T00:27:22]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe'..[184C:1624][2024-07-04T00:27:22]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Program Files (x86)\IDmelon\FCP\vc\'..[184C:1624][2024-07-04T00:27:22]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user~1\AppData\Local\Temp\dd_vcredist_amd64_20240704002722.log'..[184C:1624][2024-07-04T00:27:22]i000: Setting string variable 'WixBundleName' to value 'Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.29.30139'..
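The log above is a WiX Burn bootstrapper log: each line carries [PID:TID], a timestamp, a message code (i001 is the engine banner with the running path, i009 the command line, i000 a variable assignment) and the message text. The running path under C:\Windows\Temp\{GUID}\.cr\ together with the -burn.clean.room switch is Burn's own behaviour (the bundle copies itself to a temporary "clean room" directory and relaunches from there, passing the original location in that switch), so that alone is not evidence of tampering; the useful fact for triage is the switch's value, which says where the bundle was actually launched from. The following Python is an added example, not part of the Joe Sandbox report or of WiX, that parses such log lines and pulls out the relaunch source and the WixBundle* variables. SAMPLE_LOG is constructed from the lines quoted in the preview above, split at the CRLF boundaries the preview renders as dots.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One Burn log line: [PID:TID][ISO timestamp]<level letter><3 digits>: message
BURN_LINE = re.compile(
    r"^\[(?P<pid>[0-9A-Fa-f]+):(?P<tid>[0-9A-Fa-f]+)\]"
    r"\[(?P<ts>[^\]]+)\]"
    r"(?P<code>[a-z]\d{3}): (?P<msg>.*)$"
)
# i000 "Setting ... variable 'Name' to value 'Value'" messages
SET_VAR = re.compile(
    r"^Setting (?:string|numeric|version) variable '(?P<name>[^']+)' to value '(?P<value>.*)'$"
)
# The original bundle path passed to the clean-room relaunch
CLEAN_ROOM = re.compile(r'-burn\.clean\.room=(?P<src>[^"]+)"')


@dataclass
class BurnEntry:
    pid: str
    tid: str
    timestamp: str
    code: str
    message: str


def parse_burn_log(text: str) -> List[BurnEntry]:
    """Parse Burn log lines; lines that do not match the prefix are skipped."""
    entries = []
    for raw in text.splitlines():
        m = BURN_LINE.match(raw.strip())
        if m:
            entries.append(BurnEntry(m["pid"], m["tid"], m["ts"], m["code"], m["msg"]))
    return entries


def bundle_variables(entries: List[BurnEntry]) -> Dict[str, str]:
    """Collect every 'Setting ... variable' assignment into a name -> value map."""
    out: Dict[str, str] = {}
    for e in entries:
        m = SET_VAR.match(e.message)
        if m:
            out[m["name"]] = m["value"]
    return out


def running_path(entries: List[BurnEntry]) -> Optional[str]:
    """Path the engine reports for itself in the i001 banner line."""
    for e in entries:
        if e.code == "i001":
            m = re.search(r"path: (?P<p>.+)$", e.message)
            if m:
                return m["p"]
    return None


def clean_room_source(entries: List[BurnEntry]) -> Optional[str]:
    """Original bundle location from -burn.clean.room, or None if it was not relaunched."""
    for e in entries:
        if e.code == "i009":
            m = CLEAN_ROOM.search(e.message)
            if m:
                return m["src"]
    return None


def is_clean_room_relaunch(entries: List[BurnEntry]) -> bool:
    """True when the engine runs from a \\.cr\\ copy and names its original location."""
    path = running_path(entries) or ""
    return "\\.cr\\" in path and clean_room_source(entries) is not None


# Constructed from the log lines quoted in the record above.
SAMPLE_LOG = r"""[184C:1624][2024-07-04T00:27:22]i001: Burn v3.10.4.4718, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
[184C:1624][2024-07-04T00:27:22]i009: Command Line: '"-burn.clean.room=C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 /quiet'
[184C:1624][2024-07-04T00:27:22]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe'
[184C:1624][2024-07-04T00:27:22]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user~1\AppData\Local\Temp\dd_vcredist_amd64_20240704002722.log'
[184C:1624][2024-07-04T00:27:22]i000: Setting string variable 'WixBundleName' to value 'Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.29.30139'
"""


if __name__ == "__main__":
    entries = parse_burn_log(SAMPLE_LOG)
    print("running from:", running_path(entries))
    print("relaunched from:", clean_room_source(entries))
    print("clean-room relaunch:", is_clean_room_relaunch(entries))
    for name, value in bundle_variables(entries).items():
        print(f"  {name} = {value}")
```

On the sample, clean_room_source() returns the VC_redist.x64.exe path inside C:\Program Files (x86)\IDmelon\FCP\vc\, so the file to hash and compare against a known Visual C++ Redistributable release is that one, not the temporary .cr copy. The /quiet switch on the same command line is the reason no redistributable UI appeared during the run.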
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):10240
Entropy (8bit):5.408403475729264
Encrypted:false
SSDEEP:192:hjD5Bzu8mRd7ylc01dOF6Nr4mNiFHFEH3HGH8t+zaY6GVIb6:V9BXI4cqxCa+WFAzUeC6
MD5:4EE6C0578960BCB5DAD78947E0CBFFE9
SHA1:DD90488FFDE0B0DF76E0A5E8DCA8192C77619D8B
SHA-256:EB182D049BA19F697628E20228AF329780AAF62C3585A1E36B9FB988911FE697
SHA-512:0592166761C32AA804A26FB90191F636173B6E5144E4C10B100841FCB4D05CC30D8FFC3716E823D02DD3BCC73CFB9106639CF8AE2AEEBA409213F2F40DF5932C
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........f.....................................................Rich....................PE..L...,N"`...........!................p'.......0...............................`............@.........................@2......l0..P............................P..\...P0...............................................0..L............................text............................... ..`.rdata..k....0......................@..@.data........@......."..............@....reloc.......P.......&..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):15872
Entropy (8bit):5.471472713414473
Encrypted:false
SSDEEP:192:EyGQtZkTktEQUrJaZfuyCnSmUsv3sY7L7cW8Y6Q86QvoTr11929WtshLAzgSrX8:EyNt+4t7uJalUnGesY7Lt8nCr/Yosa
MD5:D095B082B7C5BA4665D40D9C5042AF6D
SHA1:2220277304AF105CA6C56219F56F04E894B28D27
SHA-256:B2091205E225FC07DAF1101218C64CE62A4690CACAC9C3D0644D12E93E4C213C
SHA-512:61FB5CF84028437D8A63D0FDA53D9FE0F521D8FE04E96853A5B7A22050C4C4FB5528FF0CDBB3AE6BC74A5033563FC417FC7537E4778227C9FD6633AE844C47D9
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N.px.q.+.q.+.q.+.q.+[q.+.~C+.q.+^R.+.q.+^R/+.q.+.w.+.q.+.Q.+.q.+Rich.q.+........PE..L...O.d...........!.........`.......+.......0............................................@..........................8......X1..................................X....................................................0..X............................text............................... ..`.rdata..G....0......."..............@..@.data...DL...@.......,..............@....rsrc................6..............@..@.reloc..x............8..............@..B........................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12288
Entropy (8bit):5.805604762622714
Encrypted:false
SSDEEP:192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
MD5:4ADD245D4BA34B04F213409BFE504C07
SHA1:EF756D6581D70E87D58CC4982E3F4D18E0EA5B09
SHA-256:9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
SHA-512:1BD260CABE5EA3CEFBBC675162F30092AB157893510F45A1B571489E03EBB2903C55F64F89812754D3FE03C8F10012B8078D1261A7E73AC1F87C82F714BCE03D
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...S.d...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:modified
Size (bytes):1078
Entropy (8bit):3.6989141664625618
Encrypted:false
SSDEEP:24:Q+sxv5SAD5ylSjqWCs7y6Vua689nhO6k8lDCxGl41+C96sWYpH:rsxwAQSjqQvua6oq8lOI4jWM
MD5:F731F624FD999F5C854D9A9CEFAC5CD8
SHA1:5FCFC3CF9E9CB11A946ED1655C3E6C6F271F604A
SHA-256:7A90D60B780DADA74369AE00A860597DD330FDB6F4680603AA29C3589EF0F136
SHA-512:4E7997379312DDA0E1E1E6B9037911468FB31F3DC917AF3849D252B10F307B03684263E3985A2F0E8EE010E3B159DC7F7EC75019FC35E8E99D6A6989057E5834
Malicious:false
Reputation:unknown
Preview:..[.S.e.t.t.i.n.g.s.].....R.e.c.t.=.1.0.4.4.....N.u.m.F.i.e.l.d.s.=.3.....R.T.L.=.0.....N.e.x.t.B.u.t.t.o.n.T.e.x.t.=.&.F.i.n.i.s.h.....C.a.n.c.e.l.E.n.a.b.l.e.d.=.....S.t.a.t.e.=.0.....[.F.i.e.l.d. .1.].....T.y.p.e.=.b.i.t.m.a.p.....L.e.f.t.=.0.....R.i.g.h.t.=.1.0.9.....T.o.p.=.0.....B.o.t.t.o.m.=.1.9.3.....F.l.a.g.s.=.R.E.S.I.Z.E.T.O.F.I.T.....T.e.x.t.=.C.:.\.U.s.e.r.s.\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.n.s.t.C.6.8.0...t.m.p.\.m.o.d.e.r.n.-.w.i.z.a.r.d...b.m.p.....H.W.N.D.=.3.9.3.3.4.8.....[.F.i.e.l.d. .2.].....T.y.p.e.=.l.a.b.e.l.....L.e.f.t.=.1.2.0.....R.i.g.h.t.=.3.1.5.....T.o.p.=.1.0.....T.e.x.t.=.C.o.m.p.l.e.t.i.n.g. .I.D.m.e.l.o.n. .F.C.P. .S.e.t.u.p.....B.o.t.t.o.m.=.3.8.....H.W.N.D.=.9.8.4.0.5.2.....[.F.i.e.l.d. .3.].....T.y.p.e.=.l.a.b.e.l.....L.e.f.t.=.1.2.0.....R.i.g.h.t.=.3.1.5.....T.o.p.=.4.5.....B.o.t.t.o.m.=.1.8.5.....T.e.x.t.=.I.D.m.e.l.o.n. .F.C.P. .h.a.s. .b.e.e.n. .i.n.s.t.a.l.l.e.d. .o.n. .y.o.u.r. .c.o.m.p.u.t.e.r...\.r.\.n.\.r.\.n.C.l.i.c.
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
Category:dropped
Size (bytes):26494
Entropy (8bit):1.9568109962493656
Encrypted:false
SSDEEP:24:Qwika6aSaaDaVYoG6abuJsnZs5GhI11BayNXPcDrSsUWcSphsWwlEWqCl6aHAX2x:Qoi47a5G8SddzKFIcsOz3Xz
MD5:CBE40FD2B1EC96DAEDC65DA172D90022
SHA1:366C216220AA4329DFF6C485FD0E9B0F4F0A7944
SHA-256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
SHA-512:62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
Malicious:false
Reputation:unknown
Preview:BM~g......v...(.......:............g..................................................................................DDD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@..DDD....DDDDDD........................................DDDDDDDDDD....DDDDDDDDD........DD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDD@@@@DDDDDDDDDD@@@@@@D..DD....DDDDDDD......................................DDDDDDDDDD....DDDDDDDDDD......D..D@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@DDD..D.....DDDDDD......................................DDDDDDDDD.....DDDDDDDDD......DDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@@DDDD.......DDDDDD.....................................DDDDDDDDDD....DDDDDDDDDD.....DDDDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@DDDDDD.......DDDDDD....................................DDDDDDDDD....DDDDDDDDDD......DDDDDD..@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):7168
Entropy (8bit):5.2959870663251625
Encrypted:false
SSDEEP:96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
MD5:B4579BC396ACE8CAFD9E825FF63FE244
SHA1:32A87ED28A510E3B3C06A451D1F3D0BA9FAF8D9C
SHA-256:01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
SHA-512:3A76E0E259A0CA12275FED922CE6E01BDFD9E33BA85973E80101B8025EF9243F5E32461A113BBCC6AA75E40894BB5D3A42D6B21045517B6B3CF12D76B4CFA36A
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L...Q.d...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1787976
Entropy (8bit):3.400243266399139
Encrypted:false
SSDEEP:6144:/iEh6ssRNdS8kcy4gEpb7LYbr5YtVM0cXyXs4NBLIT:hRsRNdS8g0Luy3tO
MD5:DF4F7E77A3779AE9424A4D5FEA15CB92
SHA1:B3485D8E9132F8AAC5589465946613F2D8FC5CA8
SHA-256:CCB42CFD4CBCC890F1B1E6525DBA69ED326DABF46441237F32332EF7DD042854
SHA-512:30E61D34E3722E69CE593DEF317C44B6F315E2660E4A2FB15A8BF45EB783B77476708F51ECB9D4535F003240CA76018E18EB3C1665604C541E96BB449E408854
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p.*.4.D.4.D.4.D.=f.$.D.2.@.<.D.2.G.1.D.2.A.(.D.2.E.2.D..fE.;.D.4.E...D.Y.M.9.D.Y.D.5.D.Y...5.D.4..5.D.Y.F.5.D.Rich4.D.........PE..d......e.........." ...&.N...........,.......................................p............`..........................................N.......N..h........p.......*...6..H....`.........p.......................(.......@............`...............................text....M.......N.................. ..`.rdata.. ....`.......R..............@..@.data...x=...p...4...\..............@....pdata...*.......,..................@..@.rsrc....p.......r..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):11264
Entropy (8bit):4.6989965032233245
Encrypted:false
SSDEEP:96:v9VD9daQ2iTrqT+y/ThvQ0I1uLfcC75JiC4Rs89EcYyGDPM0OcX6gY/7ECFV:39damqT3ThITst0E5DPKcqgY/79X
MD5:56976443600793FF2302EE7634E496B3
SHA1:018CE9250732A1794BBD0BDB8164061022B067AA
SHA-256:10F461A94C3D616C19FF1A88DEC1EFEA5194F7150F5D490B38AC4E1B31F673DD
SHA-512:A764C636D5D0B878B91DC61485E8699D7AA36F09AA1F0BD6AF33A8652098F28AEB3D7055008E56EBFC012BD3EA0868242A72E44DED0C83926F13D16866C31415
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........."...L...L...L......L.q.M...L..M...L...M...L.q.I...L.q.H...L.q.O...L...D...L...L...L.......L...N...L.Rich..L.........PE..d....y.e.........." ...#............P........................................p............`.........................................P(.......(..d....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..,....`.......*..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):13824
Entropy (8bit):5.047528837102683
Encrypted:false
SSDEEP:192:SF/1nb2eqCQtkluknuz4ceS4QDuEA7cqgYvEP:o2P6luLtn4QDHmgYvEP
MD5:30F13366926DDC878B6D761BEC41879E
SHA1:4B98075CCBF72A6CBF882B6C5CADEF8DC6EC91DB
SHA-256:19D5F8081552A8AAFE901601D1FF5C054869308CEF92D03BCBE7BD2BB1291F23
SHA-512:BDCEC85915AB6EC1D37C1D36B075AE2E69AA638B80CD08971D5FDFD9474B4D1CF442ABF8E93AA991F5A8DCF6DB9D79FB67A9FE7148581E6910D9C952A5E166B4
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#............P.....................................................`..........................................8.......9..d....`.......P..L............p..,....3...............................1..@............0...............................text...h........................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..L....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):13312
Entropy (8bit):5.0513840905718395
Encrypted:false
SSDEEP:192:7XF/1nb2eqCQtkXnFYIrWjz0YgWDbu5Do0vdvZt49lkVcqgYvEMN:L2P6XTr0zXgWDbui0vdvZt49MgYvEMN
MD5:CDF7D583B5C0150455BD3DAD43A6BF9B
SHA1:9EE9B033892BEB0E9641A67F456975A78122E4FA
SHA-256:4CA725A1CB10672EE5666ED2B18E926CAAE1A8D8722C14AB3BE2D84BABF646F6
SHA-512:96123559D21A61B144E2989F96F16786C4E94E5FA4DDA0C018EAA7FEFFA61DD6F0ADFA9815DF9D224CDEBE2E7849376D2A79D5A0F51A7F3327A2FAA0A444CE9C
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#............P.....................................................`..........................................8.......9..d....`.......P..d............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..d....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):12800
Entropy (8bit):5.1050594710160535
Encrypted:false
SSDEEP:96:/PTF1siKeai1dqmJo0qVVLf/+NJSC6sc9kJ9oPobXXXP4IIYOxDmO8jcX6gRth2h:/LsiHfq5poUkJ97zIDmOucqgRvE
MD5:7918BFE07DCB7AD21822DBAAA777566D
SHA1:964F5B172759538C4E9E9131CE4BB39885D79842
SHA-256:C00840D02ADA7031D294B1AB94A5F630C813AAE6897F18DD66C731F56931868E
SHA-512:D4A05AB632D4F0EB0ED505D803F6A5C0DBE5117D12BA001CE820674903209F7249B690618555F9C061DB58BED1E03BE58AD5D5FE3BC35FC96DF27635639ABF25
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............l...l...l......l.q.m...l..m...l...m...l.q.i...l.q.h...l.q.o...l...d...l...l...l.......l...n...l.Rich..l.................PE..d....y.e.........." ...#............P.....................................................`.........................................P8..p....8..d....`.......P...............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@.......*..............@....pdata.......P.......,..............@..@.rsrc........`......................@..@.reloc..,....p.......0..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):36352
Entropy (8bit):6.55587798283519
Encrypted:false
SSDEEP:384:Of+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuTLg4HPy:WqWB7YJlmLJ3oD/S4j990th9VTsC
MD5:4B032DA3C65EA0CFBDEB8610C4298C51
SHA1:541F9F8D428F4518F96D44BB1037BC348EAE54CF
SHA-256:4AEF77E1359439748E6D3DB1ADB531CF86F4E1A8E437CCD06E8414E83CA28900
SHA-512:2667BF25FD3BF81374750B43AFC5AEFF839EC1FF6DFC3FDD662F1D34A5924F69FC513EA3CD310991F85902A19ADA8B58DED9A9ED7B5D631563F62EA7F2624102
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........."...L...L...L......L.q.M...L..M...L...M...L.q.I...L.q.H...L.q.O...L...D...L...L...L.......L...N...L.Rich..L.........PE..d....y.e.........." ...#.H...H......P.....................................................`.................................................,...d...............................4... ...................................@............`...............................text....F.......H.................. ..`.rdata..d6...`...8...L..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):15872
Entropy (8bit):5.2919328525651945
Encrypted:false
SSDEEP:192:oJBjJPqZkEPYinXKccxrEWx4xLquhS3WQ67EIfD4A1ccqgwYUMvEW:6URwin7mrEYCLEGd7/fDnwgwYUMvE
MD5:57E4DF965E41B1F385B02F00EA08AE20
SHA1:583B08C3FC312C8943FECDDD67D6D0A5FC2FF98B
SHA-256:3F64DFFEC486DCF9A2E80CB9D96251B98F08795D5922D43FB69F0A5AC2340FC2
SHA-512:48C3F78AF4E35BFEF3B0023A8039CF83E6B2E496845A11B7A2C2FA8BB62C7CCDE52158D4D37755584716220C34BBF379ECE7F8E3439B009AD099B1890B42A3D9
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........|X...................i.......................i.......i.......i.......................................Rich....................PE..d....y.e.........." ...#. ... ......P.....................................................`..........................................9......D:..d....`.......P...............p..,....3...............................1..@............0.. ............................text............ .................. ..`.rdata.......0.......$..............@..@.data...(....@.......4..............@....pdata.......P.......6..............@..@.rsrc........`.......:..............@..@.reloc..,....p.......<..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):16384
Entropy (8bit):5.565187477275172
Encrypted:false
SSDEEP:192:MeDd9Vk3yQ5f8vjVKChhXoJDkq6NS7oE2DDHlWw2XpmdcqgwNeecBU8:1k/5cj4shXED+o2Du8zgwNeO8
MD5:F9C93FA6CA17FDF4FF2F13176684FD6C
SHA1:6B6422B4CAF157147F7C0DD4B4BAB2374BE31502
SHA-256:E9AEBB6F17BA05603E0763DFF1A91CE9D175C61C1C2E80F0881A0DEE8CFFBE3A
SHA-512:09843E40E0D861A2DEE97320779C603550433BC9AB9402052EA284C6C74909E17CE0F6D3FDBA983F5EB6E120E2FE0C2B087420E138760BB0716D2999C10935C1
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#."... ......P.....................................................`.........................................0J.......J..d....p.......`..................,....C...............................B..@............@...............................text....!.......".................. ..`.rdata.......@.......&..............@..@.data...8....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):20992
Entropy (8bit):6.058843128972375
Encrypted:false
SSDEEP:384:fHU/5cJMOZA0nmwBD+XpJgLa0Mp8Qhg4P2llyM:QK1XBD+DgLa1qTi
MD5:E4969D864420FEB94F54CEF173D0AD4D
SHA1:7F8FE4225BB6FD37F84EBCE8E64DF7192BA50FB6
SHA-256:94D7D7B43E58170CAEA4520D7F741D743BC82B59BE50AA37D3D2FB7B8F1BB061
SHA-512:F02F02A7DE647DDA723A344DBB043B75DA54D0783AE13E5D25EEC83072EA3B2375F672B710D6348D9FC829E30F8313FA44D5C28B4D65FDA8BB863700CAE994B7
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#.$...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text....".......$.................. ..`.rdata..L....@... ...(..............@..@.data...8....`.......H..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc..4............P..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):25088
Entropy (8bit):6.458942954966616
Encrypted:false
SSDEEP:384:xVcaHLHm+kJ7ZXmrfXA+UA10ol31tuXyZQ7gLWi:8aHrm+kJNXmrXA+NNxWi28LWi
MD5:CD4B96612DEFDAAC5CF923A3960F15B6
SHA1:3F987086C05A4246D8CCA9A65E42523440C7FFEC
SHA-256:5C25283C95FFF9B0E81FCC76614626EB8048EA3B3FD1CD89FE7E2689130E0447
SHA-512:C650860A3ECC852A25839FF1E379526157EB79D4F158B361C90077875B757F5E7A4AA33FFE5F4F49B28DF5D60E3471370889FBE3BF4D9568474ECE511FF5E67D
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#.$...@............................................................`.........................................@i.......i..d...............................4....b...............................a..@............@...............................text....".......$.................. ..`.rdata.......@...0...(..............@..@.data...8....p.......X..............@....pdata...............Z..............@..@.rsrc................^..............@..@.reloc..4............`..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):12288
Entropy (8bit):4.833693880012467
Encrypted:false
SSDEEP:192:BF/1nb2eqCQtkrAUj8OxKbDbzecqgYvEkrK:t2P6EE8OsbD2gYvEmK
MD5:0C46D7B7CD00B3D474417DE5D6229C41
SHA1:825BDB1EA8BBFE7DE69487B76ABB36196B5FDAC0
SHA-256:9D0A5C9813AD6BA129CAFEF815741636336EB9426AC4204DE7BC0471F7B006E1
SHA-512:D81B17B100A052899D1FD4F8CEA1B1919F907DAA52F1BAD8DC8E3F5AFC230A5BCA465BBAC2E45960E7F8072E51FDD86C00416D06CF2A1F07DB5AD8A4E3930864
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):13824
Entropy (8bit):4.900216636767426
Encrypted:false
SSDEEP:192:YTI1RgPfqLlvIOP3bdS2hkPUDk9oCM/vPXcqgzQkvEmO:YTvYgAdDkUDDCWpgzQkvE
MD5:3142C93A6D9393F071AB489478E16B86
SHA1:4FE99C817ED3BCC7708A6631F100862EBDA2B33D
SHA-256:5EA310E0F85316C8981ED6293086A952FA91A6D12CA3F8AF9581521EE2B15586
SHA-512:DCAFEC54BD9F9F42042E6FA4AC5ED53FEB6CF8D56ADA6A1787CAFC3736AA72F14912BBD1B27D0AF87E79A6D406B0326602ECD1AD394ACDC6275AED4C41CDB9EF
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................?.....q......................q.......q.......q.........................S.............Rich............PE..d....y.e.........." ...#..... ......P.....................................................`..........................................9.......9..d....`.......P..d............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):14848
Entropy (8bit):5.302400096950382
Encrypted:false
SSDEEP:192:SJ1gSPqgKkwv0i8NSixSK57NEEE/qexcEtDr+DjRcqgUF6+6vEX:6E1si8NSixS0CqebtD+rgUUjvE
MD5:A34F499EE5F1B69FC4FED692A5AFD3D6
SHA1:6A37A35D4F5F772DAB18E1C2A51BE756DF16319A
SHA-256:4F74BCF6CC81BAC37EA24CB1EF0B17F26B23EDB77F605531857EAA7B07D6C8B2
SHA-512:301F7C31DEE8FF65BB11196F255122E47F3F1B6B592C86B6EC51AB7D9AC8926FECFBE274679AD4F383199378E47482B2DB707E09D73692BEE5E4EC79C244E3A8
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B...,...,...,......,.q.-...,..-...,...-...,.q.)...,.q.(...,.q./...,...$...,...,...,.......,.......,.Rich..,.................PE..d....y.e.........." ...#..... ......P.....................................................`..........................................9......x:..d....`.......P...............p..,....3...............................1..@............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):57856
Entropy (8bit):4.25844209931351
Encrypted:false
SSDEEP:384:1UqVT1dZ/lHkJnYcZiGKdZHDLtiduprZAZB0JAIg+v:nHlHfJid3X
MD5:007BE822C3657687A84A7596531D79B7
SHA1:B24F74FDC6FA04EB7C4D1CD7C757C8F1C08D4674
SHA-256:6CF2B3969E44C88B34FB145166ACCCDE02B53B46949A9D5C37D83CA9C921B8C8
SHA-512:F9A8B070302BDFE39D0CD8D3E779BB16C9278AE207F5FADF5B27E1A69C088EEF272BFBCE6B977BA37F68183C8BBEAC7A31668662178EFE4DF8940E19FBCD9909
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A..n...n...n......n.q.o...n...o...n...o...n.q.k...n.q.j...n.q.m...n...f...n...n...n.......n...l...n.Rich..n.........PE..d....y.e.........." ...#.8...................................................0............`.....................................................d...............l............ ..4...................................@...@............P...............................text....7.......8.................. ..`.rdata..f....P.......<..............@..@.data...8...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):58368
Entropy (8bit):4.274890605099198
Encrypted:false
SSDEEP:384:4Uqho9weF5/dHkRnYcZiGKdZHDL7idErZBZYmGg:ECndH//iduz
MD5:A883798D95F76DA8513DA6B87D470A2A
SHA1:0507D920C1935CE71461CA1982CDB8077DDB3413
SHA-256:AED194DD10B1B68493481E7E89F0B088EF216AB5DB81959A94D14BB134643BFB
SHA-512:5C65221542B3849CDFBC719A54678BB414E71DE4320196D608E363EFF69F2448520E620B5AA8398592D5B58D7F7EC1CC4C72652AD621308C398D45F294D05C9B
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A..n...n...n......n.q.o...n...o...n...o...n.q.k...n.q.j...n.q.m...n...f...n...n...n.......n...l...n.Rich..n.........PE..d....y.e.........." ...#.:...................................................0............`.................................................P...d............................ ..4...................................@...@............P...............................text...x9.......:.................. ..`.rdata.......P.......>..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):10752
Entropy (8bit):4.5811635662773185
Encrypted:false
SSDEEP:192:PzWVddiTHThQTctEEI4qXDc1CkcqgbW6:PzWMdsc+EuXDc0YgbW
MD5:DEDAE3EFDA452BAB95F69CAE7AEBB409
SHA1:520F3D02693D7013EA60D51A605212EFED9CA46B
SHA-256:6248FDF98F949D87D52232DDF61FADA5EF02CD3E404BB222D7541A84A3B07B8A
SHA-512:8C1CAB8F34DE2623A42F0750F182B6B9A7E2AFFA2667912B3660AF620C7D9AD3BD5B46867B3C2D50C0CAE2A1BC03D03E20E4020B7BA0F313B6A599726F022C6C
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&4%.bUK.bUK.bUK.k-..`UK..)J.`UK.)-J.aUK.bUJ.AUK..)N.iUK..)O.jUK..)H.aUK.(C.cUK.(K.cUK.(..cUK.(I.cUK.RichbUK.........PE..d....y.e.........." ...#............P........................................p............`.........................................p'......((..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):22016
Entropy (8bit):6.1405490084747445
Encrypted:false
SSDEEP:384:WMU/5cRUtPMbNv37t6KjjNrDF6pJgLa0Mp8Qg0gYP2lcCM:WdKR8EbxwKflDFQgLa1AzP
MD5:914EA1707EBA03E4BE45D3662BF2466E
SHA1:3E110C9DBFE1D17E1B4BE69052E65C93DDC0BF26
SHA-256:4D4F22633D5DB0AF58EE260B5233D48B54A6F531FFD58EE98A5305E37A00D376
SHA-512:F6E6323655B351E5B7157231E04C352A488B0B49D7174855FC8594F119C87A26D31C602B3307C587A28AD408C2909A93B8BA8CB41166D0113BD5C6710C4162C3
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#.(...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text...X'.......(.................. ..`.rdata..T....@... ...,..............@..@.data...8....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..4............T..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):17920
Entropy (8bit):5.350740516564008
Encrypted:false
SSDEEP:384:GPHdP3Mj7Be/yB/MsB3yRcb+IqcOYoQViCBD88g6Vf4A:APcnB8KEsB3ocb+pcOYLMCBDu
MD5:52E481A15C3CE1B0DF8BA3B1B77DF9D0
SHA1:C1F06E1E956DFDE0F89C2E237ADFE42075AAE954
SHA-256:C85A6783557D96BFA6E49FE2F6EA4D2450CF110DA314C6B8DCEDD7590046879B
SHA-512:108FB1344347F0BC27B4D02D3F4E75A76E44DE26EF54323CB2737604DF8860A94FA37121623A627937F452B3B923C3D9671B13102D2E5F1005E4766E80A05A96
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d....y.e.........." ...#.(... ......P.....................................................`..........................................I.......J..d....p.......`..................,....C...............................A..@............@...............................text....'.......(.................. ..`.rdata..8....@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):12288
Entropy (8bit):4.737329240938157
Encrypted:false
SSDEEP:192:BF/1nb2eqCQtkgU7L9D0T70fcqgYvEJPb:t2P6L9DWAxgYvEJj
MD5:A13584F663393F382C6D8D5C0023BC80
SHA1:D324D5FBD7A5DBA27AA9B0BDB5C2AEBFF17B55B1
SHA-256:13C34A25D10C42C6A12D214B2D027E5DC4AE7253B83F21FD70A091FEDAC1E049
SHA-512:14E4A6F2959BD68F441AA02A4E374740B1657AB1308783A34D588717F637611724BC90A73C80FC6B47BC48DAFB15CF2399DC7020515848F51072F29E4A8B4451
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):14848
Entropy (8bit):5.2072665819239585
Encrypted:false
SSDEEP:192:iF/1nb2eqCQtkhlgJ2ycxFzShJD9CAac2QDeJKcqgQx2XY:Y2PKr+2j8JDefJagQx2XY
MD5:104B480CB83BFF78101CF6940588D570
SHA1:6FC56B9CF380B508B01CAB342FCC939494D1F595
SHA-256:BA4F23BBDD1167B5724C04DB116A1305C687001FAC43304CD5119C44C3BA6588
SHA-512:60617865C67115AD070BD6462B346B89B69F834CAF2BFE0EF315FB4296B833E095CD03F3F4D6D9499245C5DA8785F2FBE1AC7427049BD48428EBF74529229040
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d...~y.e.........." ...#..... ......P.....................................................`..........................................9......|:..d....`.......P..@............p..,....3...............................2..@............0...............................text...X........................... ..`.rdata.......0....... ..............@..@.data...8....@.......0..............@....pdata..@....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):14336
Entropy (8bit):5.177411248432731
Encrypted:false
SSDEEP:192:mF/1nb2eqCQt7fSxp/CJPvADQZntxSOvbcqgEvcM+:c2PNKxZWPIDexVlgEvL
MD5:06D3E941860BB0ABEDF1BAF1385D9445
SHA1:E8C16C3E8956BA99A2D0DE860DCFC5021F1D7DE5
SHA-256:1C340D2625DAD4F07B88BB04A81D5002AABF429561C92399B0EB8F6A72432325
SHA-512:6F62ACFF39B77C1EC9F161A9BFA94F8E3B932D56E63DAEE0093C041543993B13422E12E29C8231D88BC85C0573AD9077C56AA7F7A307E27F269DA17FBA8EE5A3
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#..... ......P.....................................................`.........................................09.......9..d....`.......P..@............p..,....3...............................2..@............0...............................text...8........................... ..`.rdata..4....0......................@..@.data...8....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):14336
Entropy (8bit):5.137579183601755
Encrypted:false
SSDEEP:192:5siHfq5po0ZUp8XnUp8XjEQnlDtW26rcqgcx2:nqDZUp8XUp8AclDN69gcx2
MD5:F938A89AEC5F535AF25BD92221BBC141
SHA1:384E1E92EBF1A6BBE068AB1493A26B50EFE43A7E
SHA-256:774A39E65CC2D122F8D4EB314CED60848AFFF964FB5AD2627E32CB10EF28A6D0
SHA-512:ED0506B9EBCEC26868F484464F9CC38E28F8056D6E55C536ECD2FD98F58F29F2D1CE96C5E574876A9AA6FD22D3756A49BC3EB464A7845CB3F28A1F3D1C98B4D7
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d...qy.e.........." ...#..... ......P.....................................................`..........................................9......0:..d....`.......P..(............p..,....4...............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):13824
Entropy (8bit):5.158343521612926
Encrypted:false
SSDEEP:192:jsiHfq5pwUivkwXap8T0NchH73s47iDJxj2wcqgfvE:9qbi8wap8T0Ncp7n7iDbFgfvE
MD5:173EED515A1ADDD1DA0179DD2621F137
SHA1:D02F5E6EDA9FF08ABB4E88C8202BAD7DB926258F
SHA-256:9D9574A71EB0DE0D14570B5EDA06C15C17CC2E989A20D1E8A4821CB813290D5F
SHA-512:8926FBB78A00FD4DC67670670035D9E601AF27CDBE003DC45AD809E8DA1042DDECB997F44ED104BEC13391C8048051B0AAD0C10FDEEDFB7F858BA177E92FDC54
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d...qy.e.........." ...#............P.....................................................`.........................................p8...... 9..d....`.......P..(............p..,...@3...............................2..@............0...............................text............................... ..`.rdata..p....0......................@..@.data...p....@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):15360
Entropy (8bit):5.469810464531962
Encrypted:false
SSDEEP:192:RZ9WfqP7M93g8UdsoS1hhiBvzcuiDSjeoGmDZNbRBP0rcqgjPrvE:sA0gHdzS1MwuiDSyoGmD/r89gjPrvE
MD5:39B06A1707FF5FDC5B3170EB744D596D
SHA1:37307B2826607EA8D5029293990EB1476AD6CC42
SHA-256:2E8BB88D768890B6B68D5B6BB86820766ADA22B82F99F31C659F4C11DEF211A1
SHA-512:98C3C45EB8089800EDF99ACEA0810820099BFD6D2C805B80E35D9239626CB67C7599F1D93D2A14D2F3847D435EAA065BF56DF726606BB5E8A96E527E1420633D
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d...ry.e.........." ...#. ..........P.....................................................`..........................................8.......9..d....`.......P..X............p..,....3...............................1..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):13824
Entropy (8bit):5.137646874307781
Encrypted:false
SSDEEP:192:QF/1nb2eqCQtZl9k9VEmosHcBZTHGF31trDbu8oiZmtwcqgk+9TI:q2PXlG9VDos8BZA33rDbuNgk0gk+9U
MD5:1DFC771325DD625DE5A72E0949D90E5F
SHA1:8E1F39AAFD403EDA1E5CD39D5496B9FAA3387B52
SHA-256:13F9ADBBD60D7D80ACEE80D8FFB461D7665C5744F8FF917D06893AA6A4E25E3A
SHA-512:B678FB4AD6DF5F8465A80BFB9A2B0433CF6CFAD4C6A69EEBF951F3C4018FD09CB7F38B752BE5AB55C4BE6C88722F70521D22CBCBBB47F8C46DDB0B1ACBFD7D7E
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d...}y.e.........." ...#..... ......P.....................................................`..........................................9.......:..d....`.......P...............p..,....4..............................P3..@............0...............................text...X........................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata.......P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):17920
Entropy (8bit):5.687377356938656
Encrypted:false
SSDEEP:384:bPHdP3MjeQTh+QAZUUw8lMF6D+1tgj+kf4:xPcKQT3iw8lfDUej+
MD5:9D15862569E033C5AA702F9E4041C928
SHA1:11376E8CB76AD2D9A7D48D11F4A74FB12B78BCF6
SHA-256:8970DF77D2F73350360DBE68F937E0523689FF3D7C0BE95EB7CA5820701F1493
SHA-512:322F0F4947C9D5D2800DEEBFD198EABE730D44209C1B61BB9FD0F7F9ED5F719AE49F8397F7920BDB368BB386A598E9B215502DC46FBE72F9340876CF40AFFC8A
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d...sy.e.........." ...#.*..........P.....................................................`..........................................H.......I..d....p.......`..X...............,....C...............................A..@............@...............................text....).......*.................. ..`.rdata.......@......................@..@.data........P.......<..............@....pdata..X....`.......>..............@..@.rsrc........p.......B..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):21504
Entropy (8bit):5.9200472722347675
Encrypted:false
SSDEEP:384:pljwGpJpvrp/LTaqvYHp5RYcARQOj4MSTjqgPmJDcOwwgjxo:Ljw4JbZYtswvqDc51j
MD5:7398EFD589FBE4FEFADE15B52632CD5C
SHA1:5EA575056718D3EC9F57D3CFF4DF87D77D410A4B
SHA-256:F1970DB1DA66EFB4CD8E065C40C888EED795685FF4E5A6FA58CA56A840FE5B80
SHA-512:C26F6FF693782C84460535EBCD35F23AA3C95FB8C0C8A608FB9A849B0EFD735EF45125397549C61248AE06BD068554D2DE05F9A3BA64F363438EDB92DA59481B
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d...wy.e.........." ...#.6... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..,............R..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):21504
Entropy (8bit):5.922439979230845
Encrypted:false
SSDEEP:384:jljwGpJpvrp/LtaqvYHp5RYcARQOj4MSTjqgPmJDcbegjxo:hjw4JVZYtswvqDcb7j
MD5:352F56E35D58ABE96D6F5DBBD40D1FEA
SHA1:5F0C9596B84B8A54D855441C6253303D0C81AA1B
SHA-256:44EED167431151E53A8F119466036F1D60773DDEB8350AF972C82B3789D5D397
SHA-512:CB4862B62ABB780656F1A06DADD3F80AEA453E226C38EFAE4318812928A7B0B6A3A8A86FCC43F65354B84FC07C7235FF384B75C2244553052E00DC85699D422A
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d...uy.e.........." ...#.6... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..,............R..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):26624
Entropy (8bit):5.879121462749493
Encrypted:false
SSDEEP:768:pDLZ9BjjBui0gel9soFdkO66MlPGXmXcnRDbRj:VBfu/FZ6nPxMRDtj
MD5:3C47F387A68629C11C871514962342C1
SHA1:EA3E508A8FB2D3816C80CD54CDD9C8254809DB00
SHA-256:EA8A361B060EB648C987ECAF453AE25034DBEA3D760DC0805B705AC9AA1C7DD9
SHA-512:5C824E4C0E2AB13923DC8330D920DCD890A9B33331D97996BC1C3B73973DF7324FFFB6E940FA5AA92D6B23A0E6971532F3DB4BF899A9DF33CC0DD6CB1AC959DD
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d...zy.e.........." ...#.H..."......P.....................................................`......................................... l.......m..d...............................,....e...............................d..@............`...............................text...HG.......H.................. ..`.rdata..X....`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..,............f..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):26624
Entropy (8bit):5.937696428849242
Encrypted:false
SSDEEP:768:VYL59Ugjaui0gel9soFdkO66MlPGXmXcXVDuSFAj:60xu/FZ6nPxMlD7Kj
MD5:2F44F1B760EE24C89C13D9E8A06EA124
SHA1:CF8E16D8324A7823B11474211BD7B95ADB321448
SHA-256:7C7B6F59DD250BD0F8CBC5AF5BB2DB9F9E1A2A56BE6442464576CD578F0B2AE0
SHA-512:2AACB2BB6A9EBA89549BF864DDA56A71F3B3FFEDB8F2B7EF3FC552AB3D42BC4B832F5FA0BA87C59F0F899EA9716872198680275A70F3C973D44CA7711DB44A14
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d...|y.e.........." ...#.H..."......P.....................................................`..........................................l.......m..d...............................,...@f...............................e..@............`...............................text....G.......H.................. ..`.rdata.......`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..,............f..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):12800
Entropy (8bit):5.027823764756571
Encrypted:false
SSDEEP:192:/RF/1nb2eqCQtkbsAT2fixSrdYDt8ymjcqgQvEW:/d2P6bsK4H+DVwgQvEW
MD5:64604EE3AEBEE62168F837A41BA61DB1
SHA1:4D3FF7AC183BC28B89117240ED1F6D7A7D10AEF1
SHA-256:20C3CC2F50B51397ACDCD461EE24F0326982F2DC0E0A1A71F0FBB2CF973BBEB2
SHA-512:D03EEFF438AFB57E8B921CE080772DF485644DED1074F3D0AC12D3EBB1D6916BD6282E0E971408E89127FF1DAD1D0CB1D214D7B549D686193068DEA137A250CE
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........."...L...L...L......L.q.M...L..M...L...M...L.q.I...L.q.H...L.q.O...L...D...L...L...L.......L...N...L.Rich..L.........PE..d....y.e.........." ...#............P.....................................................`..........................................8......89..d....`.......P...............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..,....p.......0..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):13312
Entropy (8bit):5.020783935465456
Encrypted:false
SSDEEP:192:+F/1nb2eqCQtks0iiNqdF4mtPjD0ZA5LPYcqgYvEL2x:02P6fFA/4GjDXcgYvEL2x
MD5:E0EEDBAE588EE4EA1B3B3A59D2ED715A
SHA1:4629B04E585899A7DCB4298138891A98C7F93D0B
SHA-256:F507859F15A1E06A0F21E2A7B060D78491A9219A6A499472AA84176797F9DB02
SHA-512:9FD82784C7E06F00257D387F96E732CE4A4BD065F9EC5B023265396D58051BECC2D129ABDE24D05276D5CD8447B7DED394A02C7B71035CED27CBF094ED82547D
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#............P.....................................................`..........................................8......h9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):15872
Entropy (8bit):5.2616188776014665
Encrypted:false
SSDEEP:384:JP2T9FRjRskTdf4YBU7YP5yUYDE1give:qHlRl57IC8UYDEG
MD5:1708C4D1B28C303DA19480AF3C6D04FF
SHA1:BAC78207EFAA6D838A8684117E76FB871BD423D5
SHA-256:C90FB9F28AD4E7DEED774597B12AA7785F01DC4458076BE514930BF7AB0D15EC
SHA-512:2A174C1CB712E8B394CBEE20C33974AA277E09631701C80864B8935680F8A4570FD040EA6F59AD71631D421183B329B85C749F0977AEB9DE339DFABE7C23762E
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d...}y.e.........." ...#. ... ......P.....................................................`.........................................`9......T:..d....`.......P..p............p..,....3...............................2..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......4..............@....pdata..p....P.......6..............@..@.rsrc........`.......:..............@..@.reloc..,....p.......<..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):15360
Entropy (8bit):5.130670522779765
Encrypted:false
SSDEEP:192:nZNGfqDgvUh43G6coX2SSwmPL4V7wTdDl41Y2cqgWjvE:CFMhuGGF2L4STdDcYWgWjvE
MD5:E08355F3952A748BADCA2DC2E82AA926
SHA1:F24828A3EEFB15A2550D872B5E485E2254C11B48
SHA-256:47C664CB7F738B4791C7D4C21A463E09E9C1AAAE2348E63FB2D13FC3E6E573EB
SHA-512:E7F48A140AFEF5D6F64A4A27D95E25A8D78963BB1F9175B0232D4198D811F6178648280635499C562F398613E0B46D237F7DB74A39B52003D6C8768B80EC6FB6
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d....y.e.........." ...#..... ......P.....................................................`......................................... 9.......9..d....`.......P..|............p..,....3...............................1..@............0...............................text...X........................... ..`.rdata..(....0......."..............@..@.data........@.......2..............@....pdata..|....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):34816
Entropy (8bit):5.935249615462395
Encrypted:false
SSDEEP:768:gb+5F2hqrxS7yZAEfYcwcSPxpMgLp/GQNSpcVaGZ:gb+5Qwc7OAEfYcwJxpMgFJh
MD5:DB56C985DBC562A60325D5D68D2E5C5B
SHA1:854684CF126A10DE3B1C94FA6BCC018277275452
SHA-256:089585F5322ADF572B938D34892C2B4C9F29B62F21A5CF90F481F1B6752BC59F
SHA-512:274D9E4A200CAF6F60AC43F33AADF29C6853CC1A7E04DF7C8CA3E24A6243351E53F1E5D0207F23B34319DFC8EEE0D48B2821457B8F11B6D6A0DBA1AE820ACE43
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|..|8k./8k./8k./1.Y/>k./....:k./s...;k./8k./.k./....4k./....0k./....;k./....:k./....9k./..5/9k./....9k./Rich8k./........................PE..d....y.e.........." ...#.\..........`.....................................................`..........................................~..d...$...d...............................,....s...............................q..@............p..(............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data................t..............@....pdata...............~..............@..@.rsrc...............................@..@.reloc..,...........................@..B........................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):12288
Entropy (8bit):4.799861986912974
Encrypted:false
SSDEEP:192:YTIekCffqPSTMeAk4OeR64ADpki6RcqgO5vE:YTNZMcPeR64ADh63gO5vE
MD5:6229A84562A9B1FBB0C3CF891813AADD
SHA1:4FAFB8AF76A7F858418AA18B812FEACADFA87B45
SHA-256:149027958A821CBC2F0EC8A0384D56908761CC544914CED491989B2AD9D5A4DC
SHA-512:599C33F81B77D094E97944BB0A93DA68D2CCB31E6871CE5679179FB6B9B2CE36A9F838617AC7308F131F8424559C5D1A44631E75D0847F3CC63AB7BB57FE1871
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................?.....q......................q.......q.......q.........................S.............Rich............PE..d....y.e.........." ...#............P.....................................................`..........................................8..d...$9..d....`.......P..4............p..,....3...............................1..@............0...............................text...x........................... ..`.rdata.......0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):754176
Entropy (8bit):7.628627007698131
Encrypted:false
SSDEEP:12288:31ETHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h+b:lETHoxJFf1p34hcrn5Go9yQO6g
MD5:BBB83671232E0BE361E812369A463E03
SHA1:A37DAEC475AB230E14897077D17E20B7A5112B8D
SHA-256:873A3E3E945421917BA780D95C78ECCB92D4E143227987D6812BC9F9E4653BE0
SHA-512:BF6718DE5235F6A7C348A1E2F325FEE59C74356D4722DFA99DA36A2BE1E6386C544EEC09190E2EBBA58B7C6B4157D00409C59F29AE2CC7BC13CBC301B8592586
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O.....L...L...L.V+L...LKR.M...L.V.M...L...L...LKR.M...LKR.M...LKR.M...L-S.M...L-S.M...L-SGL...L-S.M...LRich...L................PE..d....y.e.........." ...#.n..........`.....................................................`..........................................p..d...dq..d...............$...............4...@Z...............................Y..@...............(............................text....m.......n.................. ..`.rdata...............r..............@..@.data...x............h..............@....pdata..$............p..............@..@.rsrc................~..............@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):27648
Entropy (8bit):5.799740467345125
Encrypted:false
SSDEEP:384:PvRwir5rOF2MZz1n0/kyTMIl9bhgIW0mvBaeoSzra2pftjGQDdsC0MgkbQ0e1r:PJLtg2MTeM+9dmvBaeoCtaQDekf
MD5:7F2C691DEB4FF86F2F3B19F26C55115C
SHA1:63A9D6FA3B149825EA691F5E9FDF81EEC98224AA
SHA-256:BF9224037CAE862FE220094B6D690BC1992C19A79F7267172C90CBED0198582E
SHA-512:3A51F43BF628E44736859781F7CFF0E0A6081CE7E5BDE2F82B3CDB52D75D0E3DFAE92FC2D5F7D003D0B313F6835DBA2E393A0A8436F9409D92E20B65D3AED7E2
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y...............i...................i......i......i......................m...........Rich...........PE..d....y.e.........." ...#.F...(......P.....................................................`..........................................j..0....k..d...............................,...pc..............................0b..@............`...............................text....D.......F.................. ..`.rdata.."....`.......J..............@..@.data................\..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..,............j..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):67072
Entropy (8bit):6.060804942512998
Encrypted:false
SSDEEP:1536:HqvnErJyGoqQXZKfp23mXKUULBeCFTUCqHF+PELb7MSAEfnctefBd5:HqvnErJyGoqQXZKfp2ayLsCFTUCqHEP4
MD5:AF46798028AB3ED0E56889DFB593999B
SHA1:D4D7B39A473E69774771B2292FDBF43097CE6015
SHA-256:FD4F1F6306950276A362D2B3D46EDBB38FEABA017EDCA3CD3A2304340EC8DD6C
SHA-512:58A80AFEEAC16D7C35F8063D03A1F71CA6D74F200742CAE4ADB3094CF4B3F2CD1A6B3F30A664BD75AB0AF85802D935B90DD9A1C29BFEA1B837C8C800261C6265
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|..|8k./8k./8k./1.Y/>k./....:k./s...;k./8k./.k./....4k./....0k./....;k./....:k./....9k./..5/9k./....9k./Rich8k./........................PE..d....y.e.........." ...#.....8......`........................................@............`.............................................h.......d.... .......................0..,.......................................@............................................text............................... ..`.rdata..j...........................@..@.data...............................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..,....0......................@..B........................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):10752
Entropy (8bit):4.488129745837651
Encrypted:false
SSDEEP:96:kfuF7pVVdJvbrqTuy/Th/Y0IluLfcC75JiC4cs89EfqADQhDsAbcX6gn/7EC:TF/VddiTHThQTctdErDQDsicqgn/7
MD5:F4B7324A8F7908C3655BE4C75EAC36E7
SHA1:11A30562A85A444F580213417483BE8D4D9264AD
SHA-256:5397E3F5762D15DCD84271F49FC52983ED8F2717B258C7EF370B24977A5D374B
SHA-512:66CA15A9BAD39DD4BE7921A28112A034FFE9CD11F91093318845C269E263804AB22A4AF262182D1C6DAC8741D517362C1D595D9F79C2F729216738C3DD79D7C2
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&4=.bUS.bUS.bUS.k-..`US..)R.`US.)-R.aUS.bUR.FUS..)V.iUS..)W.jUS..)P.aUS.([.cUS.(S.cUS.(..cUS.(Q.cUS.RichbUS.................PE..d....y.e.........." ...#............P........................................p............`..........................................'..P...0(..P....P.......@...............`..,...P#..............................."..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):10240
Entropy (8bit):4.733990521299615
Encrypted:false
SSDEEP:192:PzVVddiTHThQTctEEaEDKDnMRWJcqgbW6:PzTMdsc+EaEDKDnCWvgbW
MD5:3D566506052018F0556ADF9D499D4336
SHA1:C3112FF145FACF47AF56B6C8DCA67DAE36E614A2
SHA-256:B5899A53BC9D3112B3423C362A7F6278736418A297BF86D32FF3BE6A58D2DEEC
SHA-512:0AC6A1FC0379F5C3C80D5C88C34957DFDB656E4BF1F10A9FA715AAD33873994835D1DE131FC55CD8B0DEBDA2997993E978700890308341873B8684C4CD59A411
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&4%.bUK.bUK.bUK.k-..`UK..)J.`UK.)-J.aUK.bUJ.AUK..)N.iUK..)O.jUK..)H.aUK.(C.cUK.(K.cUK.(..cUK.(I.cUK.RichbUK.........PE..d....y.e.........." ...#............P........................................p............`..........................................'..|....'..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):10240
Entropy (8bit):4.689063511060661
Encrypted:false
SSDEEP:96:P/ryZVVdJvbrqTuy/Th/Y0IluLfcC75JiCKs89EMz3DIWMot4BcX6gbW6O:PzQVddiTHThQTctEEO3DSoKcqgbW6
MD5:FAE081B2C91072288C1C8BF66AD1ABA5
SHA1:CD23DDB83057D5B056CA2B3AB49C8A51538247DE
SHA-256:AF76A5B10678F477069ADD6E0428E48461FB634D9F35FB518F9F6A10415E12D6
SHA-512:0ADB0B1088CB6C8F089CB9BF7AEC9EEEB1717CF6CF44B61FB0B053761FA70201AB3F7A6461AAAE1BC438D689E4F8B33375D31B78F1972AA5A4BF86AFAD66D3A4
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&4%.bUK.bUK.bUK.k-..`UK..)J.`UK.)-J.aUK.bUJ.AUK..)N.iUK..)O.jUK..)H.aUK.(C.cUK.(K.cUK.(..cUK.(I.cUK.RichbUK.........PE..d....y.e.........." ...#............P........................................p............`.........................................`'..t....'..P....P.......@...............`..,...."...............................!..@............ ...............................text...x........................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):5653424
Entropy (8bit):6.729277267882055
Encrypted:false
SSDEEP:49152:EuEsNcEc8/CK4b11P5ViH8gw0+NVQD5stWIlE7lva8iposS9j5fzSQzs7ID+AVuS:EnL8+5fiEnQFLOAkGkzdnEVomFHKnPS
MD5:03A161718F1D5E41897236D48C91AE3C
SHA1:32B10EB46BAFB9F81A402CB7EFF4767418956BD4
SHA-256:E06C4BD078F4690AA8874A3DEB38E802B2A16CCB602A7EDC2E077E98C05B5807
SHA-512:7ABCC90E845B43D264EE18C9565C7D0CBB383BFD72B9CEBB198BA60C4A46F56DA5480DA51C90FF82957AD4C84A4799FA3EB0CEDFFAA6195F1315B3FF3DA1BE47
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.cu...&...&...&...'...&...'...&...'...&..&...&G..'...&G..'...&...'...&...&..&G..'...&G..'...&G..'...&G..'...&G..&...&G..'...&Rich...&................PE..d....~.a.........." .....(-..X)......X,.......................................V......YV...`A..........................................:.....h.;.......?......`=..8....V..'...PU.0p..p.5.T...........................`...8............@-.P...0.:......................text....&-......(-................. ..`.rdata.......@-......,-.............@..@.data....6... <.......<.............@....pdata...8...`=..:....<.............@..@.didat..H.....?.......?.............@....rsrc.........?.......?.............@..@.reloc..0p...PU..r....T.............@..B................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):6.040548449175261
Encrypted:false
SSDEEP:12288:cLokSyhffpJSf6VJtHUR2L2mVSvya6Lx15IQnpKTlYcf9WBo:cLok/pXJdUzOSMx15dcTlYiK
MD5:B505E88EB8995C2EC46129FB4B389E6C
SHA1:CBFA8650730CBF6C07F5ED37B0744D983ABFE50A
SHA-256:BE7918B4F7E7DE53674894A4B8CFADCACB4726CEA39B7DB477A6C70231C41790
SHA-512:6A51B746D0FBC03F57FF28BE08F7E894AD2E9F2A2F3B61D88EAE22E7491CF35AE299CDB3261E85E4867F41D8FDA012AF5BD1EB8E1498F1A81ADC4354ADACDAAB
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......aM.F%,r.%,r.%,r.,T../,r..Ys.',r..Es.',r.1Gs.+,r.wYv.-,r.wYq.!,r.wYw.3,r.%,s.-*r.wYs.",r..Y{..,r..Yr.$,r..Y..$,r..Yp.$,r.Rich%,r.........................PE..d......d.........." .........p......t.....................................................`..............................................T...q..h...............................`\..`...T.......................(.......8................0...........................text............................... ..`.rdata..............................@..@.data...............................@....pdata...............`..............@..@.rsrc...............................@..@.reloc..`\.......^..................@..B........................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):98224
Entropy (8bit):6.452201564717313
Encrypted:false
SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:F34EB034AA4A9735218686590CBA2E8B
SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):37256
Entropy (8bit):6.297533243519742
Encrypted:false
SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
MD5:135359D350F72AD4BF716B764D39E749
SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D_.O.>...>...>...N...>..RK...>...F^..>...>..1>..RK...>..RK...>..RK...>..RK...>..RK2..>..RK...>..Rich.>..........................PE..d...)|.a.........." .....:...6......`A....................................................`A.........................................l.......m..x....................n...#......<...(b..T............................b..8............P..X............................text...e9.......:.................. ..`.rdata.. "...P...$...>..............@..@.data... ............b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..<............l..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):65304
Entropy (8bit):6.192082137044192
Encrypted:false
SSDEEP:1536:owmuopcJpmVwR40axzEfRILOnMv7SySmPxe:owmu4/mR40axzEfRILOnw3xe
MD5:33D0B6DE555DDBBBD5CA229BFA91C329
SHA1:03034826675AC93267CE0BF0EAEC9C8499E3FE17
SHA-256:A9A99A2B847E46C0EFCE7FCFEFD27F4BCE58BAF9207277C17BFFD09EF4D274E5
SHA-512:DBBD1DDFA445E22A0170A628387FCF3CB95E6F8B09465D76595555C4A67DA4274974BA7B348C4C81FE71C68D735C13AACB8063D3A964A8A0556FB000D68686B7
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.../../../..../....../...*../...+../...,../.V..../....../....../.V."../.V./../.V..../.V.-../.Rich../.........PE..d.....,d.........." .....T..........`.....................................................`.........................................p...P.......d......................../...........v..T...........................pv..8............p...............................text...aR.......T.................. ..`.rdata...I...p...J...X..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):83736
Entropy (8bit):6.595094797707322
Encrypted:false
SSDEEP:1536:hXOz78ZqjUyAsIi7W/5+D8W35mjZm35ILCVM7SyfYPxe:pOzwpyAFi7WMgW34jZm35ILCVMZoxe
MD5:86D1B2A9070CD7D52124126A357FF067
SHA1:18E30446FE51CED706F62C3544A8C8FDC08DE503
SHA-256:62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
SHA-512:7DB4B7E0C518A02AE901F4B24E3860122ACC67E38E73F98F993FE99EB20BB3AA539DB1ED40E63D6021861B54F34A5F5A364907FFD7DA182ADEA68BBDD5C2B535
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.>...m...m...m.}<m...m.p.l...m.jRm...m.p.l...m.p.l...m.p.l...mup.l...m.}.l...m...m...mup.l...mup.l...mupPm...mup.l...mRich...m................PE..d.....,d.........." .........\..............................................P............`......................................... ...H...h........0....... ..,......../...@......`...T...............................8............................................text.............................. ..`.rdata...=.......>..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):97280
Entropy (8bit):5.863582949096841
Encrypted:false
SSDEEP:1536:DkpD/iwe/wv2yuaXLGq8AFrx/5SuGfQuTpyTPryTt3EO3O5Hk+FNniLfwy:63SLu8BTpEyTt0OyHniLfw
MD5:D24F4FE64C38018AE7FC9661C67739F6
SHA1:E7B2ECCCCA76C2B27A4A6BBCC97F435435977FE4
SHA-256:CF69E5FD60CE55AB42DDF01D27305F2C4EDBBA63D3DADADF04380B6A4A9C07EF
SHA-512:80C7C79ECAC160350C545D81AAAED8D73C53F43EC61238F0CFCD51CF0EF1A81C40A986ED3D3BFF7726EDA50238871B0C786D77162B13E8F37F74BCA580892191
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w\............................................................................................................Rich....................PE..d...~.c.........." ..."..................................................................`.........................................`I..\....I......................................P6...............................5..@............................................text...8........................... ..`.rdata..............................@..@.data... "...`.......L..............@....pdata...............f..............@..@.rsrc................v..............@..@.reloc...............x..............@..B........................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):181248
Entropy (8bit):6.188683787528254
Encrypted:false
SSDEEP:3072:rZ1fKD8GVLHASq0TTjfQxnkVB0hcspEsHS7iiSTLkKetJb9Pu:rZNRGVb9TTCnaZsuMXiSTLLeD9
MD5:EBB660902937073EC9695CE08900B13D
SHA1:881537ACEAD160E63FE6BA8F2316A2FBBB5CB311
SHA-256:52E5A0C3CA9B0D4FC67243BD8492F5C305FF1653E8D956A2A3D9D36AF0A3E4FD
SHA-512:19D5000EF6E473D2F533603AFE8D50891F81422C59AE03BEAD580412EC756723DC3379310E20CD0C39E9683CE7C5204791012E1B6B73996EA5CB59E8D371DE24
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ih..-..C-..C-..C$qMC!..C.|.B/..CKf#C)..C.|.B&..C.|.B%..C.|.B)..Cfq.B)..C.|.B...C-..C...C.|.B)..C$qKC,..C.|.B,..C.|!C,..C.|.B,..CRich-..C........PE..d.....e.........." .........@...............................................0............`..........................................g..l...|g..................H............ .......M...............................M..8............................................text...h........................... ..`.rdata..l...........................@..@.data....\.......0...v..............@....pdata..H...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):123672
Entropy (8bit):6.047035801914277
Encrypted:false
SSDEEP:3072:0OEESRiaiH6lU1vxqfrId0sx3gVILLPykxA:hj+I1vAfrIRx3gN
MD5:1635A0C5A72DF5AE64072CBB0065AEBE
SHA1:C975865208B3369E71E3464BBCC87B65718B2B1F
SHA-256:1EA3DD3DF393FA9B27BF6595BE4AC859064CD8EF9908A12378A6021BBA1CB177
SHA-512:6E34346EA8A0AACC29CCD480035DA66E280830A7F3D220FD2F12D4CFA3E1C03955D58C0B95C2674AEA698A36A1B674325D3588483505874C2CE018135320FF99
Malicious:true
Reputation:unknown
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............d...d...d.......d...e...d...a...d...`...d...g...d.d.e...d...`...d...e...d.:.e...d...e.I.d.d.i...d.d.d...d.d...d.d.f...d.Rich..d.........................PE..d.....,d.........." ................@Z..............................................!.....`..........................................P.......P..................D......../..............T...........................0...8...............H............................text............................... ..`.rdata...k.......l..................@..@.data...T>...p...8...\..............@....pdata..D...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):254744
Entropy (8bit):6.564308911485739
Encrypted:false
SSDEEP:6144:3LT2sto29vTlN5cdIKdo4/3VaV8FlBa9qWMa3pLW1A/T8O51j4iab9M:H2s/9vTlPcdk4vVtFU98iIu
MD5:20C77203DDF9FF2FF96D6D11DEA2EDCF
SHA1:0D660B8D1161E72C993C6E2AB0292A409F6379A5
SHA-256:9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
SHA-512:2B24346ECE2CBD1E9472A0E70768A8B4A5D2C12B3D83934F22EBDC9392D9023DCB44D2322ADA9EDBE2EB0E2C01B5742D2A83FA57CA23054080909EC6EB7CF3CA
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........76..VX..VX..VX.....VX..#Y..VX..#]..VX..#\..VX..#[..VX.t#Y..VX...Y..VX..VY.+VX.t#[..VX.t#U..VX.t#X..VX.t#...VX.t#Z..VX.Rich.VX.........................PE..d.....,d.........." .....|...:.......................................................r....`..........................................T..P...0U...................'......./......<...0...T...............................8............................................text....{.......|.................. ..`.rdata..............................@..@.data....)...p...$...X..............@....pdata...'.......(...|..............@..@.rsrc...............................@..@.reloc..<...........................@..B........................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):64792
Entropy (8bit):6.223467179037751
Encrypted:false
SSDEEP:1536:/smKJPganCspF1dqZAC2QjP2RILOIld7SyEPxDF:/smKpgNoF1dqZDnjP2RILOIv2xB
MD5:D4674750C732F0DB4C4DD6A83A9124FE
SHA1:FD8D76817ABC847BB8359A7C268ACADA9D26BFD5
SHA-256:CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
SHA-512:97D57CFB80DD9DD822F2F30F836E13A52F771EE8485BC0FD29236882970F6BFBDFAAC3F2E333BBA5C25C20255E8C0F5AD82D8BC8A6B6E2F7A07EA94A9149C81E
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..b?..b?..b?......b?..>..b?..:..b?..;..b?..<..b?.2.>..b?..>..b?.7.>..b?..b>.pb?.2.2..b?.2.?..b?.2....b?.2.=..b?.Rich.b?.........PE..d.....,d.........." .....P...........<....................................................`............................................P...0............................/......T....k..T............................k..8............`.. ............................text....N.......P.................. ..`.rdata..4P...`...R...T..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):158488
Entropy (8bit):6.8491143497239655
Encrypted:false
SSDEEP:3072:j0k3SXjD9aWpAn3rb7SbuDlvNgS4fWqEznfo9mNoFTSlXZ8Ax5ILZ1GIxq:j0kiXjD9v8X7Euk4wYOFTafxn
MD5:7447EFD8D71E8A1929BE0FAC722B42DC
SHA1:6080C1B84C2DCBF03DCC2D95306615FF5FCE49A6
SHA-256:60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
SHA-512:C6295D45ED6C4F7534C1A38D47DDC55FEA8B9F62BBDC0743E4D22E8AD0484984F8AB077B73E683D0A92D11BF6588A1AE395456CFA57DA94BB2A6C4A1B07984DE
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.M...M...M...D..I.......O.......F.......E.......N.......N.......O...M...(.......w.......L.......L.......L...RichM...................PE..d...&.,d.........." .....`..........p3...............................................4....`.............................................L.......x....`.......@.......<.../...p..D...H{..T............................{..8............p...............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data........0......................@....pdata.......@......................@..@.rsrc........`.......0..............@..@.reloc..D....p.......:..............@..B........................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):44824
Entropy (8bit):6.25910509143267
Encrypted:false
SSDEEP:768:6tZrHlbhCeruhfPxoUAIZdeoLuM3uJYVewp2m25SyG5ILCGSF5YiSyvkzLPxWElw:6PbtNruhfpuiVD2LSyG5ILCGSL7Sy83u
MD5:8B07A1F0A073E33A990BAB943CF2F22C
SHA1:D4FBED8732FDFE25FEC37F1152BBCAF3E0FB2D9B
SHA-256:C26236A23EA4B99C19F9F9BB30CAE26BC5FF66D0FDD7FD65726A0BCB667CB160
SHA-512:690A6F9EC6636DF89A43513554BE0BF4821DF8ECB60A578ADA8E0A6112846CD6BAFEF9449F85EF95BCDF91B3D3E0631F3413FC0EED14546F94FF42762270B7FE
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r..r6.|!6.|!6.|!?..!<.|!d.} 4.|!d.y =.|!d.x >.|!d.. 5.|!.} 4.|!}.} ?.|!6.}!L.|!.t 7.|!.| 7.|!.!7.|!.~ 7.|!Rich6.|!........................PE..d.....,d.........." .........T......p2..............................................s.....`..........................................b..H....b..................|......../...........V..T............................V..8............@...............................text....-.......................... ..`.rdata..H/...@...0...2..............@..@.data........p.......b..............@....pdata..|............n..............@..@.rsrc................t..............@..@.reloc...............~..............@..B................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):34584
Entropy (8bit):6.41423936733334
Encrypted:false
SSDEEP:768:eZt56pxGyC572edLMILWt3u5YiSyvCVPxWElj:eL5PyC572edLMILWt3E7SyqPx3
MD5:A9A0588711147E01EED59BE23C7944A9
SHA1:122494F75E8BB083DDB6545740C4FAE1F83970C9
SHA-256:7581EDEA33C1DB0A49B8361E51E6291688601640E57D75909FB2007B2104FA4C
SHA-512:6B580F5C53000DB5954DEB5B2400C14CB07F5F8BBCFC069B58C2481719A0F22F0D40854CA640EF8425C498FBAE98C9DE156B5CC04B168577F0DA0C6B13846A88
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........sF.. F.. F.. O.k D.. ...!D.. ...!J.. ...!N.. ...!E.. ...!D.. F.. ... ...!C.. ...!D.. ...!G.. ... G.. ...!G.. RichF.. ................PE..d.....,d.........." .........<......0.....................................................`.........................................0D..`....D..x....p.......`.......X.../..........P3..T............................3..8............0...............................text............................... ..`.rdata..L....0... ..."..............@..@.data........P.......B..............@....pdata.......`.......H..............@..@.rsrc........p.......L..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):49944
Entropy (8bit):6.381980613434177
Encrypted:false
SSDEEP:768:8AM30ie6tyw0lTnj1TulWXaSV2cFVNILXtP5YiSyvWPxWElh7:8AM3hacSV2UNILXth7SyuPxd7
MD5:FDF8663B99959031780583CCE98E10F5
SHA1:6C0BAFC48646841A91625D74D6B7D1D53656944D
SHA-256:2EBBB0583259528A5178DD37439A64AFFCB1AB28CF323C6DC36A8C30362AA992
SHA-512:A5371D6F6055B92AC119A3E3B52B21E2D17604E5A5AC241C008EC60D1DB70B3CE4507D82A3C7CE580ED2EB7D83BB718F4EDC2943D10CB1D377FA006F4D0026B6
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........K..%..%..%.....%...$..%... ..%...!..%...&..%...$..%..$...%...$..%...!..%...(..%...%..%......%...'..%.Rich.%.........PE..d.....,d.........." .....>...X...... .....................................................`.........................................0w..X....w.........................../..........`U..T............................U..8............P...............................text....<.......>.................. ..`.rdata..F4...P...6...B..............@..@.data................x..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):31512
Entropy (8bit):6.563116725717513
Encrypted:false
SSDEEP:768:bxrUGCpa6rIxdK/rAwVILQU85YiSyvz5PxWEaAc:trUZIzYrAwVILQUG7SydPxDc
MD5:D8C1B81BBC125B6AD1F48A172181336E
SHA1:3FF1D8DCEC04CE16E97E12263B9233FBF982340C
SHA-256:925F05255F4AAE0997DC4EC94D900FD15950FD840685D5B8AA755427C7422B14
SHA-512:CCC9F0D3ACA66729832F26BE12F8E7021834BBEE1F4A45DA9451B1AA5C2E63126C0031D223AF57CF71FAD2C85860782A56D78D8339B35720194DF139076E0772
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a............................................V...................V......V......V......V......Rich....................PE..d.....,d.........." .........6......................................................N.....`.........................................@C..L....C..d....p.......`.......L.../...........3..T...........................p3..8............0.. ............................text...~........................... ..`.rdata.......0......................@..@.data........P.......8..............@....pdata.......`.......<..............@..@.rsrc........p.......@..............@..@.reloc...............J..............@..B........................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):79128
Entropy (8bit):6.284790077237953
Encrypted:false
SSDEEP:1536:ZmtvsXhgzrojAs9/s+S+pGLypbyxk/DDTBVILLwX7SyiPx9:c56OzyAs9/sT+pGLypb+k/XFVILLwX4f
MD5:819166054FEC07EFCD1062F13C2147EE
SHA1:93868EBCD6E013FDA9CD96D8065A1D70A66A2A26
SHA-256:E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
SHA-512:DA3A440C94CB99B8AF7D2BC8F8F0631AE9C112BD04BADF200EDBF7EA0C48D012843B4A9FB9F1E6D3A9674FD3D4EB6F0FA78FD1121FAD1F01F3B981028538B666
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:...:...:...3.i.<...h...8...h...6...h...2...h...9.......8...:.......q...=.......;.......;.......;.......;...Rich:...........PE..d.....,d.........." .....l...........%.......................................P............`.............................................P............0....... ..<......../...@..........T..............................8............................................text...fj.......l.................. ..`.rdata..Ts.......t...p..............@..@.data...............................@....pdata..<.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):160536
Entropy (8bit):6.027748879187965
Encrypted:false
SSDEEP:3072:OwYiZ+PtocHnVXhLlasuvMETxoEBA+nbUtGnBSonJCNI5ILC7Gax1:FYk+PtocHVxx/uvPCEwhGJ
MD5:7910FB2AF40E81BEE211182CFFEC0A06
SHA1:251482ED44840B3C75426DD8E3280059D2CA06C6
SHA-256:D2A7999E234E33828888AD455BAA6AB101D90323579ABC1095B8C42F0F723B6F
SHA-512:BFE6506FEB27A592FE9CF1DB7D567D0D07F148EF1A2C969F1E4F7F29740C6BB8CCF946131E65FE5AA8EDE371686C272B0860BD4C0C223195AAA1A44F59301B27
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.-...-...-.....-...,...-...(...-...)...-.......-.W.,...-.R.,...-...,...-...,...-.W. ...-.W.-...-.W....-.W./...-.Rich..-.................PE..d.....,d.........." ................l*..............................................%.....`.............................................d...........`.......P.......D.../...p..8.......T...............................8............................................text...(........................... ..`.rdata..6...........................@..@.data....j.......f..................@....pdata.......P....... ..............@..@.rsrc........`.......,..............@..@.reloc..8....p.......6..............@..B................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):25368
Entropy (8bit):6.613762885337037
Encrypted:false
SSDEEP:384:KYnvEaNKFDyuiBXK55ILZw59HQIYiSy1pCQNuPxh8E9VF0Ny8cIh:FTNK4uyXK55ILZwD5YiSyvEPxWEalh
MD5:B68C98113C8E7E83AF56BA98FF3AC84A
SHA1:448938564559570B269E05E745D9C52ECDA37154
SHA-256:990586F2A2BA00D48B59BDD03D3C223B8E9FB7D7FAB6D414BAC2833EB1241CA2
SHA-512:33C69199CBA8E58E235B96684346E748A17CC7F03FC068CFA8A7EC7B5F9F6FA90D90B5CDB43285ABF8B4108E71098D4E87FB0D06B28E2132357964B3EEA3A4F8
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........eG...)...)...)..|....)..q(...)..q,...)..q-...)..q*...).rq(...)..|(...)...(...).rq!...).rq)...).rq....).rq+...).Rich..).........PE..d.....,d.........." .........&...... ........................................p.......-....`......................................... )..L...l)..x....P.......@.......4.../...`..<...."..T...........................`"..8............ ..0............................text...X........................... ..`.rdata..f.... ......................@..@.data........0.......$..............@....pdata.......@.......&..............@..@.rsrc........P.......(..............@..@.reloc..<....`.......2..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):880569
Entropy (8bit):5.682997344315044
Encrypted:false
SSDEEP:12288:lgYJu4KXWyBC6S4IEZjA4a2Ya2xdOVwx/fpEh+rtSLMN5:lgYJiVB3La2xTVwx/fpEh++MN5
MD5:DCC69176BEA901A300A95298BD53E274
SHA1:8A8227E3C6791393254DA3244630161064B36A30
SHA-256:E1B4724D2A99B6E74B2DE4264302848BB1499DB777A7A76DE347720D0DC040D0
SHA-512:CDF24D139E1240C5E97B702C28551EAF8E853625C4D5D99DEB8E087EDC776977F1DE3EBD27B41F97512A223CDAA28DE0D718AC36C2110C5A00809E911522A93A
Malicious:false
Reputation:unknown
Preview:PK..........!..^".5...5......._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Z*e*..Z*e.e*..Z+e*.,....[*d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d*..d*e8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):290282
Entropy (8bit):6.048183244201235
Encrypted:false
SSDEEP:6144:QW1H/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5Np:QWN/TRJLWURrI55MWavdF0L
MD5:302B49C5F476C0AE35571430BB2E4AA0
SHA1:35A7837A3F1B960807BF46B1C95EC22792262846
SHA-256:CF9D37FA81407AFE11DCC0D70FE602561422AA2344708C324E4504DB8C6C5748
SHA-512:1345AF52984B570B1FF223032575FEB36CDFB4F38E75E0BD3B998BC46E9C646F7AC5C583D23A70460219299B9C04875EF672BF5A0D614618731DF9B7A5637D0A
Malicious:false
Reputation:unknown
Preview:.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):10752
Entropy (8bit):4.675182011095312
Encrypted:false
SSDEEP:96:FL8Khp72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFaiHrmHcX6g8cim1qeSC:Zj2HzzU2bRYoe4Hmcqgvimoe
MD5:F33CA57D413E6B5313272FA54DBC8BAA
SHA1:4E0CABE7D38FE8D649A0A497ED18D4D1CA5F4C44
SHA-256:9B3D70922DCFAEB02812AFA9030A40433B9D2B58BCF088781F9AB68A74D20664
SHA-512:F17C06F4202B6EDBB66660D68FF938D4F75B411F9FAB48636C3575E42ABAAB6464D66CB57BCE7F84E8E2B5755B6EF757A820A50C13DD5F85FAA63CD553D3FF32
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6..^W..^W..^W..W/..\W..K(..\W.../..\W..K(..UW..K(..VW..K(..]W.."..]W..^W..xW..g.._W..g.._W..g.a._W..g.._W..Rich^W..........PE..d....hAe.........." ...%.....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):120320
Entropy (8bit):5.879886869577473
Encrypted:false
SSDEEP:3072:YKBCiXU2SBEUemE+OaOb3OEOz0fEDrF9pQKhN:YJZ2zOfdQKX
MD5:494F5B9ADC1CFB7FDB919C9B1AF346E1
SHA1:4A5FDDD47812D19948585390F76D5435C4220E6B
SHA-256:AD9BCC0DE6815516DFDE91BB2E477F8FB5F099D7F5511D0F54B50FA77B721051
SHA-512:2C0D68DA196075EA30D97B5FD853C673E28949DF2B6BF005AE72FD8B60A0C036F18103C5DE662CAC63BAAEF740B65B4ED2394FCD2E6DA4DFCFBEEF5B64DAB794
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........SRxr.Rxr.Rxr.[...Zxr.G.s.Pxr...s.Pxr.G.w._xr.G.v.Zxr.G.q.Qxr...s.Qxr.Rxs..xr.k.z.Sxr.k.r.Sxr.k...Sxr.k.p.Sxr.RichRxr.........................PE..d....hAe.........." ...%............02....................................... ............`.............................................d..........................................Px...............................w..@............@...............................text...X-.......................... ..`.rdata...X...@...Z...2..............@..@.data...8=.......0..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):4
Entropy (8bit):1.5
Encrypted:false
SSDEEP:3:Mn:M
MD5:365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:false
Reputation:unknown
Preview:pip.
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):197
Entropy (8bit):4.61968998873571
Encrypted:false
SSDEEP:3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:false
Reputation:unknown
Preview:This software is made available under the terms of *either* of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of *both* these licenses..
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):11360
Entropy (8bit):4.426756947907149
Encrypted:false
SSDEEP:192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:4E168CCE331E5C827D4C2B68A6200E1B
SHA1:DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:false
Reputation:unknown
Preview:. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):1532
Entropy (8bit):5.058591167088024
Encrypted:false
SSDEEP:24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:false
Reputation:unknown
Preview:Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5292
Entropy (8bit):5.115440205505611
Encrypted:false
SSDEEP:96:DxapqZink/QIHQIyzQIZQILuQIR8vtklGovxNx6sWwCvCCcTKvIrrg9BMM6VwDjz:sJnkoBs/sqLz8cTKvIrrUiM6VwDjyeWs
MD5:137D13F917D94C83137A0FA5AE12B467
SHA1:01E93402C225BF2A4EE59F9A06F8062CB5E4801E
SHA-256:36738E6971D2F20DB78433185A0EF7912A48544AA6FF7006505A7DC785158859
SHA-512:1B22CBC6E22FA5E2BD5CC4A370443A342D00E7DD53330A4000E9A680DE80262BCA7188764E3568944D01025188291602AC8C53C971630984FBD9FA7D75AAB124
Malicious:false
Reputation:unknown
Preview:Metadata-Version: 2.1..Name: cryptography..Version: 41.0.7..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:CSV text
Category:dropped
Size (bytes):15334
Entropy (8bit):5.555125785454221
Encrypted:false
SSDEEP:384:3X6eU/ZfaigPOSJN5E6W1HepPNx6uvnNLEw:3RUxfzOPtREw
MD5:4ED1DF753C330417D290331FD1E18219
SHA1:556BED31DCDFA36166B45D8BCBB04C0D3B66C745
SHA-256:F71F64A0875F365A8C6CA53BC96CFB428C5102F98029459BA2091958802DCFD9
SHA-512:6984EF6D5DFC1062E6AB655E7B0C0A8AB916F1A3D88D8FA7FAD799E2792A2CB06C5C78C2292CCDB983CB6F68BA92B9F6453996B060CFDE7EE9C293FCE5F4D698
Malicious:false
Reputation:unknown
Preview:cryptography-41.0.7.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-41.0.7.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-41.0.7.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-41.0.7.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-41.0.7.dist-info/METADATA,sha256=NnOOaXHS8g23hDMYWg73kSpIVEqm_3AGUFp9x4UViFk,5292..cryptography-41.0.7.dist-info/RECORD,,..cryptography-41.0.7.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-41.0.7.dist-info/WHEEL,sha256=-EX5DQzNGQEoyL99Q-0P0-D-CXbfqafenaAeiSQ_Ufk,100..cryptography-41.0.7.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=uPXMbbcptt7EzZ_jllGRx0pVdMn-NBsAM4L74hOv-b0,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/_
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):100
Entropy (8bit):5.0203365408149025
Encrypted:false
SSDEEP:3:RtEeX7MWcSlVlbY3KgP+tkKc/SKQLn:RtBMwlVCxWKxDQLn
MD5:4B432A99682DE414B29A683A3546B69F
SHA1:F59C5016889EE5E9F62D09B22AEFBC2211A56C93
SHA-256:F845F90D0CCD190128C8BF7D43ED0FD3E0FE0976DFA9A7DE9DA01E89243F51F9
SHA-512:CBBF10E19B6F4072C416EA95D7AE259B9C5A1B89068B7B6660B7C637D6F2437AEA8D8202A2E26A0BEC36DAECD8BBB6B59016FC2DDEB13C545F0868B3E15479CA
Malicious:false
Reputation:unknown
Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp37-abi3-win_amd64..
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):13
Entropy (8bit):3.2389012566026314
Encrypted:false
SSDEEP:3:cOv:Nv
MD5:E7274BD06FF93210298E7117D11EA631
SHA1:7132C9EC1FD99924D658CC672F3AFE98AFEFAB8A
SHA-256:28D693F929F62B8BB135A11B7BA9987439F7A960CC969E32F8CB567C1EF79C97
SHA-512:AA6021C4E60A6382630BEBC1E16944F9B312359D645FC61219E9A3F19D876FD600E07DCA6932DCD7A1E15BFDEAC7DBDCEB9FFFCD5CA0E5377B82268ED19DE225
Malicious:false
Reputation:unknown
Preview:cryptography.
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):6673920
Entropy (8bit):6.582002531606852
Encrypted:false
SSDEEP:98304:EzN+T+xtLlk0PPMAiGoTzeDy3x8lGBlWi9Nk:E5Y6Jk0PPMtfTzp3x8c
MD5:486085AAC7BB246A173CEEA0879230AF
SHA1:EF1095843B2A9C6D8285C7D9E8E334A9CE812FAE
SHA-256:C3964FC08E4CA8BC193F131DEF6CC4B4724B18073AA0E12FED8B87C2E627DC83
SHA-512:8A56774A08DA0AB9DD561D21FEBEEBC23A5DEA6F63D5638EA1B608CD923B857DF1F096262865E6EBD56B13EFD3BBA8D714FFDCE8316293229974532C49136460
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......QN.../.../.../...W(../......./......./......./......./...R.../...Z.../..^W.../.../...-../...",......./.../.../......./......./..Rich./..........PE..d...M7ee.........." ...&..M..........L...................................... f...........`......................................... .a.p.....a.|............Pb..............Pe.p...p.[.T.....................[.(...0.[.@............0M..............................text.....M.......M................. ..`.rdata.......0M.......M.............@..@.data........0a.......a.............@....pdata.......Pb.......b.............@..@.reloc..p....Pe.......e.............@..B........................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):100352
Entropy (8bit):5.934692072315603
Encrypted:false
SSDEEP:3072:sEujSbDUbXE+Fw+Rt4PQyUN2exeYNTlI:xH8XZFwwtx8EI
MD5:D9152F1CC7198047C19968B405F18CB7
SHA1:BE2F3C405454624AA5010EFD15314CA5182D6B88
SHA-256:E356DF68E5442CEA92CDBB52E5BFF09F11D082AB8067E20B3FDFCBF7199AB071
SHA-512:E8D951EEA4C2158E661BB7B9FB4B3E5192B56E7E34FEB906F2F1A426D3390EF92FC89F4037E75E51890E31F2AB7CDED4D244D19C96AB0534EB6257F00F442DAA
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.3...]...]...].....]...t.].....].5!^...].5!X...].5!Y...]......]...\.h.].!U...].!]...].!....].!_...].Rich..].................PE..d......a.........." ................l0....................................................`......................................... g..d....i..<...................................@V..p............................V...............................................text............................... ..`.rdata..............................@..@.data................b..............@....pdata...............l..............@..@.gfids...............|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):3450648
Entropy (8bit):6.098075450035195
Encrypted:false
SSDEEP:98304:YP+uemAdn67xfxw6rKsK1CPwDv3uFfJz1CmiX:OZemAYxfxw6HK1CPwDv3uFfJzUmA
MD5:9D7A0C99256C50AFD5B0560BA2548930
SHA1:76BD9F13597A46F5283AA35C30B53C21976D0824
SHA-256:9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939
SHA-512:CB39AA99B9D98C735FDACF1C5ED68A4D09D11F30262B91F6AA48C3F8520EFF95E499400D0CE7E280CA7A90FF6D7141D2D893EF0B33A8803A1CADB28BA9A9E3E2
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].q...q...q....M..q.......q.......q.......q.......q...q..[q.......q.......q.......s.......q....!..q.......q..Rich.q..........................PE..d......c.........." ..."..$.................................................. 5......%5...`.........................................../..h...Z4.@.....4.|.....2......x4../....4..O....-.8.............................-.@............P4..............................text.....$.......$................. ..`.rdata..&.....%.......$.............@..@.data...!z....2..,....1.............@....pdata........2.......2.............@..@.idata..^#...P4..$....3.............@..@.00cfg..u.....4.......3.............@..@.rsrc...|.....4.......3.............@..@.reloc...y....4..z....3.............@..B................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):32792
Entropy (8bit):6.3566777719925565
Encrypted:false
SSDEEP:384:2nypDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYIoBneEAR8:2l0Vn5Q28J8qsqMttktDxOpWDG4yKRF
MD5:EEF7981412BE8EA459064D3090F4B3AA
SHA1:C60DA4830CE27AFC234B3C3014C583F7F0A5A925
SHA-256:F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
SHA-512:DC9FF4202F74A13CA9949A123DFF4C0223DA969F49E9348FEAF93DA4470F7BE82CFA1D392566EAAA836D77DDE7193FED15A8395509F72A0E9F97C66C0A096016
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....F...$.......I....................................................`..........................................j.......m..P....................f...............b...............................b...............`.. ............................text....D.......F.................. ..`.rdata..H....`.......J..............@..@.data................^..............@....pdata...............`..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):704792
Entropy (8bit):5.5573527806738126
Encrypted:false
SSDEEP:12288:WhO7/rNKmrouK/POt6h+7ToRLgo479dQwwLOpWW/dQ0TGqwfU2lvz2:2is/POtrzbLp5dQ0TGqcU2lvz2
MD5:BEC0F86F9DA765E2A02C9237259A7898
SHA1:3CAA604C3FFF88E71F489977E4293A488FB5671C
SHA-256:D74CE01319AE6F54483A19375524AA39D9F5FD91F06CF7DF238CA25E043130FD
SHA-512:FFBC4E5FFDB49704E7AA6D74533E5AF76BBE5DB297713D8E59BD296143FE5F145FBB616B343EED3C48ECEACCCCC2431630470D8975A4A17C37EAFCC12EDD19F4
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1}q.1}q.1}q.8..=}q.~.p.3}q.z.p.3}q.~.t.=}q.~.u.9}q.~.r.5}q...p.2}q.1}p..|q...u..}q...q.0}q.....0}q...s.0}q.Rich1}q.........PE..d......c.........." ...".D...T......<................................................i....`..........................................A...N..@U..........s........N......./......h.......8...............................@............@..@............................text....B.......D.................. ..`.rdata.../...`...0...H..............@..@.data...AM.......D...x..............@....pdata...V.......X..................@..@.idata..%W...@...X..................@..@.00cfg..u............l..............@..@.rsrc...s............n..............@..@.reloc..q............v..............@..B................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):67072
Entropy (8bit):5.90551713971002
Encrypted:false
SSDEEP:1536:ZhseNxkc7Xva0Y420G1UD+dS4gBeLmRy:Z1kcbi0Y42bUD+dS4oeiRy
MD5:01F9D30DD889A3519E3CA93FE6EFEE70
SHA1:EBF55ADBD8CD938C4C11D076203A3E54D995AEFF
SHA-256:A66444A08A8B9CEAFA05DAEFEB32AA1E65C8009A3C480599F648FA52A20AFB7D
SHA-512:76FED302D62BB38A39E0BF6C9038730E83B6AFFFA2F36E7A62B85770D4847EA6C688098061945509A1FDB799FB7F5C88699F94E7DA1934F88A9C3B6A433EE9EF
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`T..$5..$5..$5..-M3..5..v@..&5..v@..(5..v@..,5..v@.. 5...k..&5..oM..55..$5...5...@..45...@..%5...@_.%5...@..%5..Rich$5..........................PE..d.....~e.........." .........h..............................................@............`.........................................P...`.......@.... .......................0..(.......................................8............................................text............................... ..`.rdata..|I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):198936
Entropy (8bit):6.372446720663998
Encrypted:false
SSDEEP:3072:13BAJzkk5dT6F62eqf2A3zVnjIHdAPKReewMP12yGUfT0+SYyWgOmrpjAxvwnVIq:FQg4dT6N5OA3zVnjNed4yGKTKR/
MD5:1118C1329F82CE9072D908CBD87E197C
SHA1:C59382178FE695C2C5576DCA47C96B6DE4BBCFFD
SHA-256:4A2D59993BCE76790C6D923AF81BF404F8E2CB73552E320113663B14CF78748C
SHA-512:29F1B74E96A95B0B777EF00448DA8BD0844E2F1D8248788A284EC868AE098C774A694D234A00BD991B2D22C2372C34F762CDBD9EC523234861E39C0CA752DCAA
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7...sn.Jsn.Jsn.Jz.:J.n.J!..Kqn.J!..K.n.J!..K{n.J!..Kpn.J...Kqn.J8..Kpn.Jsn.J.n.J...Kwn.J...Krn.J..VJrn.J...Krn.JRichsn.J................PE..d.....,d.........." ......................................................................`.........................................p...P................................/...........4..T...........................05..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):66328
Entropy (8bit):6.162953246481027
Encrypted:false
SSDEEP:768:t68LeBLeeFtp5V1BfO2yvSk70QZF1nEyjnskQkr/RFB1qucwdBeCw0myou6ZwJqn:t6wewnvtjnsfwxVILL0S7SyuPxHO
MD5:FD4A39E7C1F7F07CF635145A2AF0DC3A
SHA1:05292BA14ACC978BB195818499A294028AB644BD
SHA-256:DC909EB798A23BA8EE9F8E3F307D97755BC0D2DC0CB342CEDAE81FBBAD32A8A9
SHA-512:37D3218BC767C44E8197555D3FA18D5AAD43A536CFE24AC17BF8A3084FB70BD4763CCFD16D2DF405538B657F720871E0CD312DFEB7F592F3AAC34D9D00D5A643
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........A.d.A.d.A.d...l.@.d...d.@.d.....@.d...f.@.d.RichA.d.........PE..d.....,d.........." .................................................................x....`.........................................`...`................................/..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):4458776
Entropy (8bit):6.460390021076921
Encrypted:false
SSDEEP:49152:myrXfGIy+Bqk5c5Ad2nwZT3Q6wsV136cR2DZvbK30xLNZcAgVBvcpYcvl1IDWbH3:Uw5tVBlicWdvoDkHUMF7Ph/qe
MD5:63A1FA9259A35EAEAC04174CECB90048
SHA1:0DC0C91BCD6F69B80DCDD7E4020365DD7853885A
SHA-256:14B06796F288BC6599E458FB23A944AB0C843E9868058F02A91D4606533505ED
SHA-512:896CAA053F48B1E4102E0F41A7D13D932A746EEA69A894AE564EF5A84EF50890514DECA6496E915AAE40A500955220DBC1B1016FE0B8BCDDE0AD81B2917DEA8B
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<...<...<...I...<...Sc..<...I...<...I...<...I...<...D...<...D...<...<...=..+I../<..+I...<..+Ia..<..+I...<..Rich.<..........................PE..d.....,d.........." .....V#..v!...............................................E.....".D...`.........................................`.<.....@.=.|.....D......`B.......C../....D..t....$.T...........................P.$.8............p#.8............................text...bT#......V#................. ..`.rdata...B...p#..D...Z#.............@..@.data... .....=.......=.............@....pdata.......`B......HA.............@..@PyRuntim`....pD......VC.............@....rsrc.........D......ZC.............@..@.reloc...t....D..v...dC.............@..B........................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):669184
Entropy (8bit):6.03765159448253
Encrypted:false
SSDEEP:6144:zxxMpraRSS9Y68EuBPjIQN5cJzS7bUxgyPxFMH0PIXY3dVVVVAuLpdorrcK/CXjW:zxxMZMX1bQIJO7bazPEQSYNBLpdwNu
MD5:65DD753F51CD492211986E7B700983EF
SHA1:F5B469EC29A4BE76BC479B2219202F7D25A261E2
SHA-256:C3B33BA6C4F646151AED4172562309D9F44A83858DDFD84B2D894A8B7DA72B1E
SHA-512:8BD505E504110E40FA4973FEFF2FAE17EDC310A1CE1DC78B6AF7972EFDD93348087E6F16296BFD57ABFDBBE49AF769178F063BB0AA1DEE661C08659F47A6216D
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..x...+...+...+..P+...+T..*...+T..*...+T..*...+T..*...+..*...+...*...+...*...+...*...+...+U..+..*W..+..*...+..*...+Rich...+................PE..d...k..d.........." ................4.....................................................`..........................................U...c..............l....@...z............... ......T...........................0...8............................................text...#........................... ..`.rdata...$.......&..................@..@.data....I..........................@....pdata...z...@...|..................@..@.rsrc...l...........................@..@.reloc... ......."..................@..B................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):134656
Entropy (8bit):5.992653928086484
Encrypted:false
SSDEEP:3072:DLVxziezwPZSMaAXpuuwNNDY/r06trfSsSYOejKVJBtGdI8hvnMu:HfziezwMMaAX2Y/rxjbOejKDBtG681n
MD5:CEB06A956B276CEA73098D145FA64712
SHA1:6F0BA21F0325ACC7CF6BF9F099D9A86470A786BF
SHA-256:C8EC6429D243AEF1F78969863BE23D59273FA6303760A173AB36AB71D5676005
SHA-512:05BAB4A293E4C7EFA85FA2491C32F299AFD46FDB079DCB7EE2CC4C31024E01286DAAF4AEAD5082FC1FD0D4169B2D1BE589D1670FCF875B06C6F15F634E0C6F34
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9.$.X.w.X.w.X.w. [w.X.w.-.v.X.w.75w.X.w.-.v.X.w.-.v.X.w.-.v.X.w.3.v.X.wJ1.v.X.w.3.v.X.w.X.w.X.w,-.v.X.w,-.v.X.w,-.v.X.wRich.X.w........................PE..d......d.........." .........................................................P............`......................................... u..dB......,....0..l.......L............@..0...`Q..T............................Q..8............................................text............................... ..`.rdata..R...........................@..@.data....-.......(..................@....pdata..L...........................@..@.rsrc...l....0......................@..@.reloc..0....@......................@..B........................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):29976
Entropy (8bit):6.627859470728624
Encrypted:false
SSDEEP:768:gUC2hwhVHqOmEVILQG35YiSyvrYPxWEl6:FC2ehVKOmEVILQGp7SyEPxe
MD5:A653F35D05D2F6DEBC5D34DADDD3DFA1
SHA1:1A2CEEC28EA44388F412420425665C3781AF2435
SHA-256:DB85F2F94D4994283E1055057372594538AE11020389D966E45607413851D9E9
SHA-512:5AEDE99C3BE25B1A962261B183AE7A7FB92CB0CB866065DC9CD7BB5FF6F41CC8813D2CC9DE54670A27B3AD07A33B833EAA95A5B46DAD7763CA97DFA0C1CE54C9
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!.F.O.F.O.F.O.O...D.O...N.D.O...J.M.O...K.N.O...L.B.O...N.D.O.F.N...O...N.C.O...B.G.O...O.G.O....G.O...M.G.O.RichF.O.................PE..d.....,d.........." .........0......................................................;\....`.........................................`@..L....@..x....p.......`.......F.../......H....2..T............................2..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata.......`.......6..............@..@.rsrc........p.......:..............@..@.reloc..H............D..............@..B........................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5
Entropy (8bit):1.9219280948873623
Encrypted:false
SSDEEP:3:Lvn:Lv
MD5:00305BC1FB89E33403A168E6E3E2EC08
SHA1:A39CA102F6B0E1129E63235BCB0AD802A5572195
SHA-256:0B77BDB04E0461147A7C783C200BC11A6591886E59E2509F5D7F6CB7179D01AB
SHA-512:DB43B091F60DE7F8C983F5FC4009DB89673215CCD20FD8B2CED4983365A74B36AC371E2E85397CAC915C021377E26F2C4290915EA96F9E522E341E512C0FC169
Malicious:false
Reputation:unknown
Preview:pip..
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):1050
Entropy (8bit):5.072538194763298
Encrypted:false
SSDEEP:24:1rmJHcwH0MP3gt8Hw1hj9QHOsUv4eOk4/+/m3oqMSFJ:1aJ8YHvEH5QHOs5exm3oEFJ
MD5:7A7126E068206290F3FE9F8D6C713EA6
SHA1:8E6689D37F82D5617B7F7F7232C94024D41066D1
SHA-256:DB3F0246B1F9278F15845B99FEC478B8B506EB76487993722F8C6E254285FAF8
SHA-512:C9F0870BC5D5EFF8769D9919E6D8DDE1B773543634F7D03503A9E8F191BD4ACC00A97E0399E173785D1B65318BAC79F41D3974AE6855E5C432AC5DACF8D13E8A
Malicious:false
Reputation:unknown
Preview:Copyright Jason R. Coombs..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to.deal in the Software without restriction, including without limitation the.rights to use, copy, modify, merge, publish, distribute, sublicense, and/or.sell copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING.FROM, OUT OF OR IN CONNECTION WITH THE SOFTW
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):5131
Entropy (8bit):5.122995579924766
Encrypted:false
SSDEEP:96:DpwYyJX4a113or1uCDIG0wMHodIDbVWKWddpnzYDiHNlP37POX7FwTtPMk:a4rMYIG0wMHodIDbAd/n7AFwTJ
MD5:FFCB84AF49AB52C4FDD312F814E14B0D
SHA1:89C9D3D82455A1BD5EB8B938DD3E5FCBFB1D36B0
SHA-256:75CDE8A60801D637767D85E414FBBB80B222AA2774199A8B419E197BC245109A
SHA-512:83219D0BF52253309AF3D5F9BF37474C765DF94A5D363ADFDCAE956D88B795D477237107321AAD90BBCF79D438200672C9354B44E4D4D2FD630FBC4AEF248972
Malicious:false
Reputation:unknown
Preview:Metadata-Version: 2.1.Name: setuptools.Version: 60.2.0.Summary: Easily download, build, install, upgrade, and uninstall Python packages.Home-page: https://github.com/pypa/setuptools.Author: Python Packaging Authority.Author-email: distutils-sig@python.org.License: UNKNOWN.Project-URL: Documentation, https://setuptools.pypa.io/.Keywords: CPAN PyPI distutils eggs package management.Platform: UNKNOWN.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Topic :: Software Development :: Libraries :: Python Modules.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: Topic :: System :: Systems Administration.Classifier: Topic :: Utilities.Requires-Python: >=3.7.License-File: LICENSE.Provides-Extra: certs.Provides-Extra: docs.Requires-Dist: sphinx ; extra == 'docs'.Requ
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:CSV text
Category:dropped
Size (bytes):21957
Entropy (8bit):5.622802101148321
Encrypted:false
SSDEEP:384:L46dEofm3e5I9cbmBBdJJa1uy/MqhHH7TPmT2ILwg:LTcY190qhHbT9q5
MD5:B42FD355E6FFFC68D43E12963C0F7D47
SHA1:81E5A1AA111B414DC8BCD642E21363BC17D4538D
SHA-256:1FA525F06E0C9DD86266758AC257D53AA42A4944D07ACA85CBFC5970A0030BB3
SHA-512:19A2AA1C5F1660AC920953F760D8BBA084725727A9E0D2A78659995AF677481C8349765DFE8539C2E0BC1418EC008C5BA89D005CCB9A3602ADF9629A5862D900
Malicious:false
Reputation:unknown
Preview:distutils-precedence.pth,sha256=JjjOniUA5XKl4N5_rtZmHrVp0baW_LoHsN0iPaX10iQ,151._distutils_hack/__init__.py,sha256=YA_zRyutXEbuZDipUW6EQoLC6PuUbvYsGyBg-aL-PCs,4741._distutils_hack/override.py,sha256=Eu_s-NF6VIZ4Cqd0tbbA5wtWky2IZPNd8et6GLt1mzo,44.pkg_resources/__init__.py,sha256=uAnPq8FsTXHAEHFWK7UU9AhdNjE4o5Skfk8CyfbztO8,108573.pkg_resources/_vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0.pkg_resources/_vendor/appdirs.py,sha256=MievUEuv3l_mQISH5SF0shDk_BNhHHzYiAPrT3ITN4I,24701.pkg_resources/_vendor/pyparsing.py,sha256=tmrp-lu-qO1i75ZzIN5A12nKRRD1Cm4Vpk-5LR9rims,232055.pkg_resources/_vendor/packaging/__about__.py,sha256=IIRHpOsJlJSgkjq1UoeBoMTqhvNp3gN9FyMb5Kf8El4,661.pkg_resources/_vendor/packaging/__init__.py,sha256=b9Kk5MF7KxhhLgcDmiUWukN-LatWFxPdNug0joPhHSk,497.pkg_resources/_vendor/packaging/_manylinux.py,sha256=XcbiXB-qcjv3bcohp6N98TMpOP4_j3m-iOA8ptK2GWY,11488.pkg_resources/_vendor/packaging/_musllinux.py,sha256=z5yeG1ygOPx4uUyLdqj-p8Dk5UBb5H_b0NIjW9yo8oA,4
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):92
Entropy (8bit):4.820827594031884
Encrypted:false
SSDEEP:3:RtEeX7MWcSlViZHKRRP+tPCCfA5S:RtBMwlViojWBBf
MD5:4D57030133E279CEB6A8236264823DFD
SHA1:0FDC3988857C560E55D6C36DCC56EE21A51C196D
SHA-256:1B5E87E00DC87A84269CEAD8578B9E6462928E18A95F1F3373C9EEF451A5BCC0
SHA-512:CD98F2A416AC1B13BA82AF073D0819C0EA7C095079143CAB83037D48E9A5450D410DC5CF6B6CFF3F719544EDF1C5F0C7E32E87B746F1C04FE56FAFD614B39826
Malicious:false
Reputation:unknown
Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.37.1).Root-Is-Purelib: true.Tag: py3-none-any..
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):2636
Entropy (8bit):4.537672046416617
Encrypted:false
SSDEEP:24:+MsTUR572Ku3ky1QchLtoZ+kMySDZZdmRxmgidTFLaelXdcEcijVbxS9djdh2PhN:l9Zvy3g6ySDsm90rZh2Phv4hhpTqToq
MD5:57379A87F47EA4C2646046CE29BCC753
SHA1:E339BE8333DA128C7E1BCF193BD8D61D511DE75D
SHA-256:C299E12EB6EDCA4E21675A820B0E3C7024B1A103F350B32122E685AAC07B1B14
SHA-512:EDF64E3354C7C5E07461658894DCB82FECD71B9A1DAC7FAAD6BAB378C43111D4349FAE6DC7FCE87D0F50099E55CB835431F2364A988067A46EEEC8BB81ADA319
Malicious:false
Reputation:unknown
Preview:[distutils.commands].alias = setuptools.command.alias:alias.bdist_egg = setuptools.command.bdist_egg:bdist_egg.bdist_rpm = setuptools.command.bdist_rpm:bdist_rpm.build_clib = setuptools.command.build_clib:build_clib.build_ext = setuptools.command.build_ext:build_ext.build_py = setuptools.command.build_py:build_py.develop = setuptools.command.develop:develop.dist_info = setuptools.command.dist_info:dist_info.easy_install = setuptools.command.easy_install:easy_install.egg_info = setuptools.command.egg_info:egg_info.install = setuptools.command.install:install.install_egg_info = setuptools.command.install_egg_info:install_egg_info.install_lib = setuptools.command.install_lib:install_lib.install_scripts = setuptools.command.install_scripts:install_scripts.rotate = setuptools.command.rotate:rotate.saveopts = setuptools.command.saveopts:saveopts.sdist = setuptools.command.sdist:sdist.setopt = setuptools.command.setopt:setopt.test = setuptools.command.test:test.upload_docs = setuptools.comman
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):41
Entropy (8bit):3.9115956018096876
Encrypted:false
SSDEEP:3:3Wd+Nt8AfQYv:3Wd+Nttv
MD5:789A691C859DEA4BB010D18728BAD148
SHA1:AEF2CBCCC6A9A8F43E4E150E7FCF1D7B03F0E249
SHA-256:77DC8BDFDBFF5BBAA62830D21FAB13E1B1348FF2ECD4CDCFD7AD4E1A076C9B88
SHA-512:BC2F7CAAD486EB056CB9F68E6C040D448788C3210FF028397CD9AF1277D0051746CAE58EB172F9E73EA731A65B2076C6091C10BCB54D911A7B09767AA6279EF6
Malicious:false
Reputation:unknown
Preview:_distutils_hack.pkg_resources.setuptools.
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1123608
Entropy (8bit):5.3853088605790385
Encrypted:false
SSDEEP:12288:6mwlRMmuZ63NTQCb5Pfhnzr0ql8L8kcM7IRG5eeme6VZyrIBHdQLhfFE+uQfk:ulRuUZV0m8UMMREtV6Vo4uYQfk
MD5:81D62AD36CBDDB4E57A91018F3C0816E
SHA1:FE4A4FC35DF240B50DB22B35824E4826059A807B
SHA-256:1FB2D66C056F69E8BBDD8C6C910E72697874DAE680264F8FB4B4DF19AF98AA2E
SHA-512:7D15D741378E671591356DFAAD4E1E03D3F5456CBDF87579B61D02A4A52AB9B6ECBFFAD3274CEDE8C876EA19EAEB8BA4372AD5986744D430A29F50B9CAFFB75D
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.eJ).eJ).eJ)...).eJ)..K(.eJ)..O(.eJ)..N(.eJ)..I(.eJ)|.K(.eJ)..K(.eJ).eK).eJ)|.G(.eJ)|.J(.eJ)|..).eJ)|.H(.eJ)Rich.eJ)........................PE..d.....,d.........." .....B.......... *.......................................@......Q.....`.............................................X............ ..........H......../...0.......`..T........................... a..8............`..x............................text...9A.......B.................. ..`.rdata.......`.......F..............@..@.data...............................@....pdata..H...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5
Entropy (8bit):1.9219280948873623
Encrypted:false
SSDEEP:3:Lvn:Lv
MD5:00305BC1FB89E33403A168E6E3E2EC08
SHA1:A39CA102F6B0E1129E63235BCB0AD802A5572195
SHA-256:0B77BDB04E0461147A7C783C200BC11A6591886E59E2509F5D7F6CB7179D01AB
SHA-512:DB43B091F60DE7F8C983F5FC4009DB89673215CCD20FD8B2CED4983365A74B36AC371E2E85397CAC915C021377E26F2C4290915EA96F9E522E341E512C0FC169
Malicious:false
Reputation:unknown
Preview:pip..
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):1125
Entropy (8bit):5.143411674177603
Encrypted:false
SSDEEP:24:UYWBarRONJHLH0cPP3gtkHw1h39QHOsUv4eOk4/+jvho3nPz:LtONJbbvE/NQHOs5eNS3n7
MD5:9D66B41BC2A080E7174ACC5DFFECD752
SHA1:53AA128E9D6387E9BB9D945FDCBF1AB4D003BAED
SHA-256:CCA9E20C6AF1FCFBF69408F377769286CBEEBCDED336100C9B4A3F35FBE635E4
SHA-512:12CBE04D36D2F0A856DA2001DC7D98D9E431DA37CCCF08F8AF20DD537F5AE7A19E1A7015C3A5542C0329EFBEC7E582751E4CEBCCB459C779BE804AA5B34D5E95
Malicious:false
Reputation:unknown
Preview:"wheel" copyright (c) 2012-2014 Daniel Holth <dholth@fastmail.fm> and.contributors...The MIT License..Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR.OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRA
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:Unicode text, UTF-8 text
Category:dropped
Size (bytes):2328
Entropy (8bit):5.1185004431709
Encrypted:false
SSDEEP:48:DE53Cnd+p8d+zztjaaxLiPktzCliwqrwOT8RfkD1UKd+mOl1Awr+:DE5yQPzztjaaxmPktW0lrfOfsUzmbY+
MD5:DE7F3CDD29B458BD18463100490C8EFF
SHA1:F6677870E4F8A9D914C13FCEF5DB1AF2A7BA5624
SHA-256:62679B757C0F42517DF1DA7D57E0B2E01944F8CF9F14CF89F5C3D556F952522F
SHA-512:584491196B7757B108FB6535B687E28B3C4BEB56162CC6DE4911C211B7A000B0AF2B7A26AFAB73422DA6876F568D4CCE23802D27C57CF7D6565BD02877B08A32
Malicious:false
Reputation:unknown
Preview:Metadata-Version: 2.1.Name: wheel.Version: 0.37.1.Summary: A built-package format for Python.Home-page: https://github.com/pypa/wheel.Author: Daniel Holth.Author-email: dholth@fastmail.fm.Maintainer: Alex Gr.nholm.Maintainer-email: alex.gronholm@nextday.fi.License: MIT.Project-URL: Documentation, https://wheel.readthedocs.io/.Project-URL: Changelog, https://wheel.readthedocs.io/en/stable/news.html.Project-URL: Issue Tracker, https://github.com/pypa/wheel/issues.Keywords: wheel,packaging.Platform: UNKNOWN.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 2.Classifier: Programming Language :: Python :: 2.7.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3.5.Classifier: Programming Language :: Python ::
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:CSV text
Category:dropped
Size (bytes):2657
Entropy (8bit):5.738906743733574
Encrypted:false
SSDEEP:48:/exuRklpzybyrvGy+myCqTQgYvH6MHIS8mvinJ3yGnJ3ykz1lQERayzYsoRLmlJi:mxVlkmrvZnyCqTQDvH6MHp8uiJCGJCkc
MD5:92F640958CC843ABF1B37B511B6BD5AE
SHA1:5248FD1AAE16910FE6FDF9914CB5FC5B24F0906F
SHA-256:E2028F94F2C8579CB22A3260083CD34D5FD3CD590150F471EB8169BEED7152D5
SHA-512:949991767039F1DB9851F222CD3FA16F0D812CC2BD885A389C78E2091C3B68E9292C4AA876172CC4C48E09F84947013DA6DC2589911A7D192F5748C6DDEF4F86
Malicious:false
Reputation:unknown
Preview:wheel/__init__.py,sha256=yLOqsEZUPaM3VNKOMxQraLgCCyF8q3k10KY4C1Hi_Lo,23.wheel/__main__.py,sha256=lF-YLO4hdQmoWuh4eWZd8YL1U95RSdm76sNLBXa0vjE,417.wheel/bdist_wheel.py,sha256=2vfv3g_b8BvZ5Do9bpLEBdu9dQEcvoMQ1flXpKYFJDU,19075.wheel/macosx_libfile.py,sha256=Xvp-IrFyRJ9RThIrPxfEpVCDGfljJPWRTZiyopk70hI,15930.wheel/metadata.py,sha256=b3kPhZn2w2D9wengltX5nGIZQ3ERUOQ5U-K5vHKPdeg,4344.wheel/pkginfo.py,sha256=GR76kupQzn1x9sKDaXuE6B6FsZ4OkfRtG7pndlXPvQ4,1257.wheel/util.py,sha256=mnNZkJCi9DHLI_q4lTudoD0mW97h_AoAWl7prNPLXJc,938.wheel/wheelfile.py,sha256=NyH8VcFLvu7jUwH6r4KoL_U45OKFVpUyJ5Z7gRAI_Lc,7574.wheel/cli/__init__.py,sha256=GWSoGUpRabTf8bk3FsNTPrc5Fsr8YOv2dX55iY2W7eY,2572.wheel/cli/convert.py,sha256=7F4vj23A2OghDDWn9gX2V-_TeXMza1a5nIejmFGEUJM,9498.wheel/cli/pack.py,sha256=Bfq6KrHicZKrpbktkreeRxIaWwBozUP99JQy2D8-ddY,3364.wheel/cli/unpack.py,sha256=0VWzT7U_xyenTPwEVavxqvdee93GPvAFHnR3Uu91aRc,673.wheel/vendored/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0.wheel/vendored/packag
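The CSV record above is the RECORD file of the bundled `wheel` dist-info: one line per installed file, `path,sha256=<digest>,<size>`, with the digest encoded as urlsafe base64 without `=` padding. For supply-chain triage this is the one dropped file that lets an analyst check the other dropped Python files against what the package claims to ship. The parser and verifier below are an added example written for this page, not code from Joe Sandbox, IDmelon or the wheel project. The first two RECORD lines are copied from the preview; the unhashed `RECORD` self-entry is a constructed line added to show how that case parses. The zero-length `wheel/vendored/__init__.py` entry can be verified outright, since its digest is the SHA-256 of an empty input.

```python
import base64
import hashlib

# Two lines copied from the RECORD preview in this report, plus one
# constructed self-entry (RECORD is listed with empty hash and size).
# The report truncates the file, so only visible entries are used here.
RECORD_LINES = """\
wheel/__init__.py,sha256=yLOqsEZUPaM3VNKOMxQraLgCCyF8q3k10KY4C1Hi_Lo,23
wheel/vendored/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
wheel-0.37.1.dist-info/RECORD,,
"""


def parse_record(text: str) -> dict:
    """Parse RECORD into {path: (algorithm, raw digest bytes, size)}.

    Each line is "path,algo=digest,size"; the digest is urlsafe base64
    with the '=' padding stripped. RECORD lists itself with an empty
    hash and size, which parses to (None, None, None). rsplit from the
    right keeps any comma inside a path intact.
    """
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        path, digest, size = line.rsplit(",", 2)
        if digest == "":
            entries[path] = (None, None, None)
            continue
        algo, _, b64 = digest.partition("=")
        raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
        entries[path] = (algo, raw, int(size) if size else None)
    return entries


def record_digest(data: bytes, algo: str = "sha256") -> str:
    """Encode a digest exactly the way RECORD does (urlsafe, unpadded)."""
    raw = hashlib.new(algo, data).digest()
    return algo + "=" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_entry(entries: dict, path: str, data: bytes) -> bool:
    """True only when data matches both the recorded digest and size.

    Unknown paths and the unhashed RECORD self-entry verify as False:
    a file that RECORD cannot vouch for must not be treated as intact.
    """
    if path not in entries:
        return False
    algo, raw, size = entries[path]
    if algo is None:
        return False
    if hashlib.new(algo, data).digest() != raw:
        return False
    return size is None or size == len(data)


if __name__ == "__main__":
    entries = parse_record(RECORD_LINES)
    print(verify_entry(entries, "wheel/vendored/__init__.py", b""))   # empty file matches
    print(verify_entry(entries, "wheel/vendored/__init__.py", b"\n"))  # any addition fails
    print(record_digest(b""))
```

To apply this to the sandbox output, feed the full dropped RECORD file to `parse_record` and call `verify_entry` with the bytes of each dropped `wheel/*.py`; a mismatch on a path that RECORD covers means the dropped copy differs from what the packaged wheel declared.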
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):110
Entropy (8bit):4.816968543485036
Encrypted:false
SSDEEP:3:RtEeX7MWcSlViZHKRRP+tPCCf7irO5S:RtBMwlViojWBBwt
MD5:8CFA23CB3A9E0E9F30077848A14BE857
SHA1:E5AC311BA9EEC5C0CCDDC091AC7C0D62A72ECF72
SHA-256:CFD8F4C406BF26650A3299B3EF62B464600B48CFE7FB04159866E5797C765478
SHA-512:039CB61C67F02B3B349102FA40FBB55FCA46D54007309FD08B2707E2CAC74FDDDBB39B18730704209DB4852BB9BB18078EF6A6A57ACF0F0BA4951D7A249521BD
Malicious:false
Reputation:unknown
Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.37.1).Root-Is-Purelib: true.Tag: py2-none-any.Tag: py3-none-any..
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):108
Entropy (8bit):4.342039869160156
Encrypted:false
SSDEEP:3:1SSAsVYgh+MWTMhk6WjwVM5t5ln:1rb9WTMhk9jSM5t5ln
MD5:7AB099DD08D127FFF9A98B12A6B127E0
SHA1:8454C246D5A924CC6A13F5BFA188468E00F4D179
SHA-256:37C1DB605493DF2ACD418781DB05D60443D4845B04B4A3513DA0851893F2AB27
SHA-512:866EAFE67528CE8B692F474E7883BF776644CD41D13220D9C7F9446F7E325104C2F4ABF9B08701E470423756511D452885DFA1B875D4661D3472BC2002C28492
Malicious:false
Reputation:unknown
Preview:[console_scripts].wheel = wheel.cli:main..[distutils.commands].bdist_wheel = wheel.bdist_wheel:bdist_wheel..
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):6
Entropy (8bit):2.2516291673878226
Encrypted:false
SSDEEP:3:/sv:/sv
MD5:EF72659542687B41FB1A4225120F41FA
SHA1:3EF6EE742B2E851DEA1F754CE60A1FC222194799
SHA-256:1F148121B804B2D30F7B87856B0840EBA32AF90607328A5756802771F8DBFF57
SHA-512:A16A6E11367C986B2A7B38C491943B28F402081D3E2D41474C9E61BE44941133E87CB821750AD27A1E46FA2AFF9F93B8584C37247BDE219ABAC12D3D6EE4477C
Malicious:false
Reputation:unknown
Preview:wheel.
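Two of the dropped text records, the 5-byte file previewed as `pip..` (CRLF line terminators) and the 6-byte file previewed as `wheel.`, are small enough that their bytes can be reconstructed from the preview, which makes them a useful check on how the report's "Entropy (8bit)", "Size (bytes)" and hash fields are computed. The script below is an added example written for this page, not code from Joe Sandbox or IDmelon. The byte strings `b"pip\r\n"` and `b"wheel\n"` are an assumption read off the preview (each `.` stands for one non-printable byte); the expected values are copied from the two records. Size and entropy reproduce exactly for both; the hash field is compared the same way, and a False there would mean the reconstructed bytes are not the exact bytes that were dropped.

```python
import hashlib
import math
from collections import Counter

# Bytes of the two smallest dropped text files, reconstructed from the
# report's "Preview" field, where every non-printable byte is shown as '.'.
# "pip.." with "CRLF line terminators" is read as b"pip\r\n" and "wheel."
# as b"wheel\n". These are assumptions derived from the preview, not data
# copied from the sandbox.
RECONSTRUCTED = {
    "INSTALLER": b"pip\r\n",       # record lists Size 5, Entropy 1.9219280948873623
    "top_level.txt": b"wheel\n",   # record lists Size 6, Entropy 2.2516291673878226
}

# Fields copied from the corresponding records of this report.
REPORTED = {
    "INSTALLER": {
        "size": 5,
        "entropy": 1.9219280948873623,
        "md5": "00305BC1FB89E33403A168E6E3E2EC08",
    },
    "top_level.txt": {
        "size": 6,
        "entropy": 2.2516291673878226,
        "md5": "EF72659542687B41FB1A4225120F41FA",
    },
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte over the 256 byte values, which is
    the measure the report labels "Entropy (8bit)". Ranges from 0.0 (empty
    input or a single repeated byte value) to 8.0 (all 256 values equally
    frequent, as in well-compressed or encrypted data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def describe(data: bytes) -> dict:
    """Compute the per-file fields the report shows for a dropped file."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def check_against_report(name: str) -> dict:
    """Compare a reconstruction with its report record, field by field.
    False for "size" or "entropy" means the byte multiset is wrong;
    False for "md5" alone means the bytes differ only in arrangement or
    in an invisible detail such as the line ending."""
    got = describe(RECONSTRUCTED[name])
    want = REPORTED[name]
    result = {}
    for field, expected in want.items():
        if field == "entropy":
            result[field] = math.isclose(got[field], expected, abs_tol=1e-9)
        else:
            result[field] = got[field] == expected
    return result


if __name__ == "__main__":
    for name, data in RECONSTRUCTED.items():
        print(name, describe(data))
        print(name, check_against_report(name))
```

The same `describe` function, run over the PE files dropped into `C:\Program Files (x86)\IDmelon\FCP\`, gives the values to compare with the MD5/SHA-256 fields of the records below when confirming that a locally collected sample is the same build the sandbox flagged.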
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):14848
Entropy (8bit):5.112106937352672
Encrypted:false
SSDEEP:192:lGCm72PEO1jIUs0YqEcPbF55UgCWV4rofnbPmitE255qDLWn7ycLmrO/:8ardA0Bzx14r6nbN50W9/
MD5:F9C9445BE13026F8DB777E2BBC26651D
SHA1:E1D58C30E94B00B32AD1E9B806465643F4AFE980
SHA-256:C953DB1F67BBD92114531FF44EE4D76492FDD3CF608DA57D5C04E4FE4FDD1B96
SHA-512:587D9E8521C246865E16695E372A1675CFBC324E6258DD03479892D3238F634138EBB56985ED34E0C8C964C1AB75313182A4E687B598BB09C07FC143B506E9A8
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......tSf.02..02..02..9J..22..bG..22..$Y..22..bG..;2..bG..82..bG..32..[..32..02...2...G..12...G..12...G..12..Rich02..................PE..d......d.........." ......................................................................`..........................................;..`...`;..d....p..t....`..................@...|2..T............................2..8............0..p............................text............................... ..`.rdata..$....0......................@..@.data........P......................@....pdata.......`.......0..............@..@.rsrc...t....p.......4..............@..@.reloc..@............8..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):133632
Entropy (8bit):5.849731189887005
Encrypted:false
SSDEEP:3072:l2J5loMoEg9enX4oD8cdf0nlRVFhLaNKP/IyymuqCyqJhe:cblovEgqXHdfqlRVlP/IyzCyy
MD5:00E5DA545C6A4979A6577F8F091E85E1
SHA1:A31A2C85E272234584DACF36F405D102D9C43C05
SHA-256:AC483D60A565CC9CBF91A6F37EA516B2162A45D255888D50FBBB7E5FF12086EE
SHA-512:9E4F834F56007F84E8B4EC1C16FB916E68C3BAADAB1A3F6B82FAF5360C57697DC69BE86F3C2EA6E30F95E7C32413BABBE5D29422D559C99E6CF4242357A85F31
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.uV....................N.......N.......N.......................N...................J...........................Rich............PE..d......d.........." .........................................................P............`..........................................................0..\....................@..$....v..T............................<..8............0..........@....................text............................... ..`.rdata......0......................@..@.data...x(......."..................@....pdata..............................@..@.rsrc...\....0......................@..@.reloc..$....@......................@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):28672
Entropy (8bit):5.557243649975138
Encrypted:false
SSDEEP:384:qwXwVM65Ix6Hey0a4SqSv/L/jhfWddbcQ857W5/hoOn0k/MwGCHRUyGa/:Fn6oDOb/jhfWddbcrwYOn0k/MwJYa
MD5:98D246A539426C3A7A842D6CF286D46D
SHA1:CEF7350297F7E1E2407C9125033DC972C3171122
SHA-256:7461A15657C7516237B020357CCF6DE1D07B1C781149C0DA7892AEA0EA63A825
SHA-512:F2FE96082C333210261A1247155373276A58A9E6128374A6FBA252D39CB78B286A30C48E05D2EB1E0B41653598BB114C0361BC55808FE091E8A13CDE0B59AC5F
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*.@sD.@sD.@sD.I...DsD...E.BsD...A.JsD...@.HsD...G.CsD..E.BsD...E.BsD.T.E.EsD.@sE..sD..M.AsD..D.AsD..F.AsD.Rich@sD.........PE..d......d.........." .....8...4.......3....................................................`..........................................f..T...$g..........d............................Z..T............................Z..8............P...............................text...(6.......8.................. ..`.rdata...#...P...$...<..............@..@.data................`..............@....pdata...............d..............@..@.rsrc...d............j..............@..@.reloc...............n..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):73216
Entropy (8bit):5.762045981366128
Encrypted:false
SSDEEP:1536:idrARomwyEvN7xM8v2uuYTtEJaLGDXYBFB8Dmz:qIomwySmm2uuYJEJaLGDXkFB8qz
MD5:20CA43E99D008452833394B4AB4D9239
SHA1:97E6DC871483540551CBF44B7727CE91ADCDA844
SHA-256:28783A9111E539BD0EDBB97C9204C983E1D15DC7A0E7A6D4DE02DF1A3D5E3566
SHA-512:273323375886835BC4E737984586BC31FFDCC185A3FA3CA1181CB65B2D6D1867E527B3226484ECD8DD902A02CF94B4AB8F7C88744235543ED83620206E65E7C0
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u...u...u...|f).s...'k..q...'k..}...'k..v....k..w....w..w...'k..f...au..p...u........k..t....k..t....kE.t....k..t...Richu...................PE..d......d.........." ................P........................................`............`.............................................X...8........@.. ....0..|............P..l.......T...........................`...8...............`.......@....................text............................... ..`.rdata..&\.......^..................@..@.data...............................@....pdata..|....0......................@..@.rsrc... ....@......................@..@.reloc..l....P......................@..B................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):143360
Entropy (8bit):5.9314950978938334
Encrypted:false
SSDEEP:3072:XkXeNNnoGygqaE7Byk+YXR4Ei1HPUb1+JybQhzacKG6t6BU:XkX8Nugqz7Byk+QRVi1vUbc0bCacu
MD5:D09207A5F23C943F911B5FC301BBE97A
SHA1:735C69217D80E1986C681B4B74629E79A3C95934
SHA-256:B1B0A1F9C8903E2EC65B9D6A4AC746E72090DB9A34F2A180B79769C9C5B15085
SHA-512:68BE8558026EBCEECFC29D91F6E040E4DDE2EF4DED2D471CB547C081B4D947CDF15B77CD5CD6C3BAA37FD2C92A297D2A5CA7B2ED2D27B88B09BB521F61725B4A
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........=.ahn.ahn.ahn...n.ahn..io.ahn..mo.ahn..lo.ahn..ko.ahne.io.ahn..io.ahn..io.ahn.ain.`hne.ao.ahne.ho.ahne.jo.ahnRich.ahn........PE..d......d.........." .....@...........6.......................................p............`.............................................T...4........P..\....0...............`......x...T..............................8............P...............................text...N?.......@.................. ..`.rdata.......P.......D..............@..@.data....'....... ..................@....pdata.......0......................@..@.rsrc...\....P.......(..............@..@.reloc.......`.......,..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):93184
Entropy (8bit):5.244759668592125
Encrypted:false
SSDEEP:1536:QJCZO2AJy8OCCyNNOYz0/bNFogGC6WEhj9BBP4f:QrtIpAmEhxBl4f
MD5:4404218C4F6A61C338F332B2A9402C10
SHA1:C48DDA2E4C2F06ED406F678131D485DB28294599
SHA-256:E5002A894100FE9F43BACA194013702EBB8F8DF6A6909BE76D79E1C539E58FFD
SHA-512:65E0F0DEE8F6A83951F8091FCF6CA62D559E125B8F0E9B306BF7F0A95EB59FC6CB42A95003E15AACC470DA10AF2CCCFC87518E6A4139FBBCEB117CB63594A75F
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:...T...T...T......T..U...T..Q...T..P...T..W...T.Z.U...T.<.U...T...U...T...U.).T.Z.]...T.Z.T...T.Z.V...T.Rich..T.........PE..d......d.........." ................t.....................................................`.............................................P...`...........\...........................\...T...............................8............................................text............................... ..`.rdata...b.......d..................@..@.data...hQ... ...L..................@....pdata...............R..............@..@.rsrc...\............b..............@..@.reloc...............f..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):28160
Entropy (8bit):5.501710845558622
Encrypted:false
SSDEEP:384:vvGJPNu6PrVo4r8MhY7jgzgCoASCwz8T8VBBr/kVyhPDmM/f:vv0/DpGXJC6VB5/LhKi
MD5:43C630BE751F1B465DCD77E036797309
SHA1:A10EE078EB475674BB7BCC349B5F4B283E763EB5
SHA-256:DDE06EAA71699359C23D4C564AD25785FA933CE28DD117EBFB374D276537C6EC
SHA-512:6FD2163860D7559C4D3E7E43EE5C462EC8B01FCFAEAC47ED4056CEA74C07E7D46863C5395D52A514D6844369AB7EA031186AAE54CEDFD636B94740A8BB276966
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t..X0...0...0...9.#.6...b..4...$...2...b..;...b..8...b..3......2......3...0...P......1......1......1...Rich0...........PE..d......d.........." .....4...6......T0....................................................`..........................................f..T...Tf..........\.......(...................@Z..T............................Z..8............P..@............................text...@3.......4.................. ..`.rdata..z$...P...&...8..............@..@.data................^..............@....pdata..(............b..............@..@.rsrc...\............h..............@..@.reloc...............l..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):23552
Entropy (8bit):5.279236779449316
Encrypted:false
SSDEEP:384:peeH8ZmV+zknwMsADuVLw0T8DmrRl2j9BfEAZnpC9QJQ1BA:5+zi/uVDS9dl6pB
MD5:B291ADAB2446DA62F93369A0DD662076
SHA1:A6B6C1054C1F511C64AEFB5F6C031AFE553E70F0
SHA-256:C5AD56E205530780326BD1081E94B212C65082B58E0F69788E3DC60EFFBD6410
SHA-512:847CC9E82B9939DBDC58BFA3E5A9899D614642E0B07CF1508AA866CD69E4AD8C905DBF810A045D225E6C364E1D9F2A45006F0EB0895BCD5AAF9D81EE344D4AEA
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*U@qD.@qD.@qD.I...DqD...E.BqD...A.JqD...@.HqD...G.CqD...E.BqD...E.BqD.T.E.EqD.@qE..qD...M.AqD...D.AqD...F.AqD.Rich@qD.................PE..d......d.........." .....,...,.......(....................................................`..........................................Q..T...dQ..........d....p.......................G..T...........................0H..8............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...(....`.......L..............@....pdata.......p.......R..............@..@.rsrc...d............V..............@..@.reloc...............Z..............@..B........................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:modified
Size (bytes):527872
Entropy (8bit):6.165923585421349
Encrypted:false
SSDEEP:6144:bXtpsewPjUA2jGZ90SmgopJgUCBKw84O3Rpd0K1VS0cTZdxi2y3:bXtp5sIAN90pleK1VSXXi2g
MD5:C2E1B245D4221BDA4C198CF18D9CA6AF
SHA1:9682B6E966495F7B58255348563A86C63FBD488C
SHA-256:89A8651DAD701DCE6B42B0E20C18B07DF6D08A341123659E05381EE796D23858
SHA-512:C2F57E9303D37547671E40086DDAD4B1FC31C52D43994CFCEC974B259125E125C644873073F216F28066BB0C213CBEB1B9A3C149727C9F1BC50F198AC45A4C8A
Malicious:true
Reputation:unknown
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......M................).....[......[......[......[...................................................O.................Rich............................PE..d...(..d.........." ....."..........t.....................................................`.............................................L...............L.......xx...............!......T..............................8............@...............................text...^!.......".................. ..`.rdata.......@.......&..............@..@.data...@....0...^..................@....pdata..xx.......z...n..............@..@.rsrc...L...........................@..@.reloc...!......."..................@..B................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):11264
Entropy (8bit):4.6989965032233245
Encrypted:false
SSDEEP:96:v9VD9daQ2iTrqT+y/ThvQ0I1uLfcC75JiC4Rs89EcYyGDPM0OcX6gY/7ECFV:39damqT3ThITst0E5DPKcqgY/79X
MD5:56976443600793FF2302EE7634E496B3
SHA1:018CE9250732A1794BBD0BDB8164061022B067AA
SHA-256:10F461A94C3D616C19FF1A88DEC1EFEA5194F7150F5D490B38AC4E1B31F673DD
SHA-512:A764C636D5D0B878B91DC61485E8699D7AA36F09AA1F0BD6AF33A8652098F28AEB3D7055008E56EBFC012BD3EA0868242A72E44DED0C83926F13D16866C31415
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........."...L...L...L......L.q.M...L..M...L...M...L.q.I...L.q.H...L.q.O...L...D...L...L...L.......L...N...L.Rich..L.........PE..d....y.e.........." ...#............P........................................p............`.........................................P(.......(..d....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..,....`.......*..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):13824
Entropy (8bit):5.047528837102683
Encrypted:false
SSDEEP:192:SF/1nb2eqCQtkluknuz4ceS4QDuEA7cqgYvEP:o2P6luLtn4QDHmgYvEP
MD5:30F13366926DDC878B6D761BEC41879E
SHA1:4B98075CCBF72A6CBF882B6C5CADEF8DC6EC91DB
SHA-256:19D5F8081552A8AAFE901601D1FF5C054869308CEF92D03BCBE7BD2BB1291F23
SHA-512:BDCEC85915AB6EC1D37C1D36B075AE2E69AA638B80CD08971D5FDFD9474B4D1CF442ABF8E93AA991F5A8DCF6DB9D79FB67A9FE7148581E6910D9C952A5E166B4
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#............P.....................................................`..........................................8.......9..d....`.......P..L............p..,....3...............................1..@............0...............................text...h........................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..L....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):13312
Entropy (8bit):5.0513840905718395
Encrypted:false
SSDEEP:192:7XF/1nb2eqCQtkXnFYIrWjz0YgWDbu5Do0vdvZt49lkVcqgYvEMN:L2P6XTr0zXgWDbui0vdvZt49MgYvEMN
MD5:CDF7D583B5C0150455BD3DAD43A6BF9B
SHA1:9EE9B033892BEB0E9641A67F456975A78122E4FA
SHA-256:4CA725A1CB10672EE5666ED2B18E926CAAE1A8D8722C14AB3BE2D84BABF646F6
SHA-512:96123559D21A61B144E2989F96F16786C4E94E5FA4DDA0C018EAA7FEFFA61DD6F0ADFA9815DF9D224CDEBE2E7849376D2A79D5A0F51A7F3327A2FAA0A444CE9C
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#............P.....................................................`..........................................8.......9..d....`.......P..d............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..d....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):12800
Entropy (8bit):5.1050594710160535
Encrypted:false
SSDEEP:96:/PTF1siKeai1dqmJo0qVVLf/+NJSC6sc9kJ9oPobXXXP4IIYOxDmO8jcX6gRth2h:/LsiHfq5poUkJ97zIDmOucqgRvE
MD5:7918BFE07DCB7AD21822DBAAA777566D
SHA1:964F5B172759538C4E9E9131CE4BB39885D79842
SHA-256:C00840D02ADA7031D294B1AB94A5F630C813AAE6897F18DD66C731F56931868E
SHA-512:D4A05AB632D4F0EB0ED505D803F6A5C0DBE5117D12BA001CE820674903209F7249B690618555F9C061DB58BED1E03BE58AD5D5FE3BC35FC96DF27635639ABF25
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............l...l...l......l.q.m...l..m...l...m...l.q.i...l.q.h...l.q.o...l...d...l...l...l.......l...n...l.Rich..l.................PE..d....y.e.........." ...#............P.....................................................`.........................................P8..p....8..d....`.......P...............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@.......*..............@....pdata.......P.......,..............@..@.rsrc........`......................@..@.reloc..,....p.......0..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):36352
Entropy (8bit):6.55587798283519
Encrypted:false
SSDEEP:384:Of+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuTLg4HPy:WqWB7YJlmLJ3oD/S4j990th9VTsC
MD5:4B032DA3C65EA0CFBDEB8610C4298C51
SHA1:541F9F8D428F4518F96D44BB1037BC348EAE54CF
SHA-256:4AEF77E1359439748E6D3DB1ADB531CF86F4E1A8E437CCD06E8414E83CA28900
SHA-512:2667BF25FD3BF81374750B43AFC5AEFF839EC1FF6DFC3FDD662F1D34A5924F69FC513EA3CD310991F85902A19ADA8B58DED9A9ED7B5D631563F62EA7F2624102
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........."...L...L...L......L.q.M...L..M...L...M...L.q.I...L.q.H...L.q.O...L...D...L...L...L.......L...N...L.Rich..L.........PE..d....y.e.........." ...#.H...H......P.....................................................`.................................................,...d...............................4... ...................................@............`...............................text....F.......H.................. ..`.rdata..d6...`...8...L..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):15872
Entropy (8bit):5.2919328525651945
Encrypted:false
SSDEEP:192:oJBjJPqZkEPYinXKccxrEWx4xLquhS3WQ67EIfD4A1ccqgwYUMvEW:6URwin7mrEYCLEGd7/fDnwgwYUMvE
MD5:57E4DF965E41B1F385B02F00EA08AE20
SHA1:583B08C3FC312C8943FECDDD67D6D0A5FC2FF98B
SHA-256:3F64DFFEC486DCF9A2E80CB9D96251B98F08795D5922D43FB69F0A5AC2340FC2
SHA-512:48C3F78AF4E35BFEF3B0023A8039CF83E6B2E496845A11B7A2C2FA8BB62C7CCDE52158D4D37755584716220C34BBF379ECE7F8E3439B009AD099B1890B42A3D9
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........|X...................i.......................i.......i.......i.......................................Rich....................PE..d....y.e.........." ...#. ... ......P.....................................................`..........................................9......D:..d....`.......P...............p..,....3...............................1..@............0.. ............................text............ .................. ..`.rdata.......0.......$..............@..@.data...(....@.......4..............@....pdata.......P.......6..............@..@.rsrc........`.......:..............@..@.reloc..,....p.......<..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):16384
Entropy (8bit):5.565187477275172
Encrypted:false
SSDEEP:192:MeDd9Vk3yQ5f8vjVKChhXoJDkq6NS7oE2DDHlWw2XpmdcqgwNeecBU8:1k/5cj4shXED+o2Du8zgwNeO8
MD5:F9C93FA6CA17FDF4FF2F13176684FD6C
SHA1:6B6422B4CAF157147F7C0DD4B4BAB2374BE31502
SHA-256:E9AEBB6F17BA05603E0763DFF1A91CE9D175C61C1C2E80F0881A0DEE8CFFBE3A
SHA-512:09843E40E0D861A2DEE97320779C603550433BC9AB9402052EA284C6C74909E17CE0F6D3FDBA983F5EB6E120E2FE0C2B087420E138760BB0716D2999C10935C1
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#."... ......P.....................................................`.........................................0J.......J..d....p.......`..................,....C...............................B..@............@...............................text....!.......".................. ..`.rdata.......@.......&..............@..@.data...8....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):20992
Entropy (8bit):6.058843128972375
Encrypted:false
SSDEEP:384:fHU/5cJMOZA0nmwBD+XpJgLa0Mp8Qhg4P2llyM:QK1XBD+DgLa1qTi
MD5:E4969D864420FEB94F54CEF173D0AD4D
SHA1:7F8FE4225BB6FD37F84EBCE8E64DF7192BA50FB6
SHA-256:94D7D7B43E58170CAEA4520D7F741D743BC82B59BE50AA37D3D2FB7B8F1BB061
SHA-512:F02F02A7DE647DDA723A344DBB043B75DA54D0783AE13E5D25EEC83072EA3B2375F672B710D6348D9FC829E30F8313FA44D5C28B4D65FDA8BB863700CAE994B7
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#.$...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text....".......$.................. ..`.rdata..L....@... ...(..............@..@.data...8....`.......H..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc..4............P..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):25088
Entropy (8bit):6.458942954966616
Encrypted:false
SSDEEP:384:xVcaHLHm+kJ7ZXmrfXA+UA10ol31tuXyZQ7gLWi:8aHrm+kJNXmrXA+NNxWi28LWi
MD5:CD4B96612DEFDAAC5CF923A3960F15B6
SHA1:3F987086C05A4246D8CCA9A65E42523440C7FFEC
SHA-256:5C25283C95FFF9B0E81FCC76614626EB8048EA3B3FD1CD89FE7E2689130E0447
SHA-512:C650860A3ECC852A25839FF1E379526157EB79D4F158B361C90077875B757F5E7A4AA33FFE5F4F49B28DF5D60E3471370889FBE3BF4D9568474ECE511FF5E67D
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#.$...@............................................................`.........................................@i.......i..d...............................4....b...............................a..@............@...............................text....".......$.................. ..`.rdata.......@...0...(..............@..@.data...8....p.......X..............@....pdata...............Z..............@..@.rsrc................^..............@..@.reloc..4............`..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):12288
Entropy (8bit):4.833693880012467
Encrypted:false
SSDEEP:192:BF/1nb2eqCQtkrAUj8OxKbDbzecqgYvEkrK:t2P6EE8OsbD2gYvEmK
MD5:0C46D7B7CD00B3D474417DE5D6229C41
SHA1:825BDB1EA8BBFE7DE69487B76ABB36196B5FDAC0
SHA-256:9D0A5C9813AD6BA129CAFEF815741636336EB9426AC4204DE7BC0471F7B006E1
SHA-512:D81B17B100A052899D1FD4F8CEA1B1919F907DAA52F1BAD8DC8E3F5AFC230A5BCA465BBAC2E45960E7F8072E51FDD86C00416D06CF2A1F07DB5AD8A4E3930864
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):13824
Entropy (8bit):4.900216636767426
Encrypted:false
SSDEEP:192:YTI1RgPfqLlvIOP3bdS2hkPUDk9oCM/vPXcqgzQkvEmO:YTvYgAdDkUDDCWpgzQkvE
MD5:3142C93A6D9393F071AB489478E16B86
SHA1:4FE99C817ED3BCC7708A6631F100862EBDA2B33D
SHA-256:5EA310E0F85316C8981ED6293086A952FA91A6D12CA3F8AF9581521EE2B15586
SHA-512:DCAFEC54BD9F9F42042E6FA4AC5ED53FEB6CF8D56ADA6A1787CAFC3736AA72F14912BBD1B27D0AF87E79A6D406B0326602ECD1AD394ACDC6275AED4C41CDB9EF
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................?.....q......................q.......q.......q.........................S.............Rich............PE..d....y.e.........." ...#..... ......P.....................................................`..........................................9.......9..d....`.......P..d............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):14848
Entropy (8bit):5.302400096950382
Encrypted:false
SSDEEP:192:SJ1gSPqgKkwv0i8NSixSK57NEEE/qexcEtDr+DjRcqgUF6+6vEX:6E1si8NSixS0CqebtD+rgUUjvE
MD5:A34F499EE5F1B69FC4FED692A5AFD3D6
SHA1:6A37A35D4F5F772DAB18E1C2A51BE756DF16319A
SHA-256:4F74BCF6CC81BAC37EA24CB1EF0B17F26B23EDB77F605531857EAA7B07D6C8B2
SHA-512:301F7C31DEE8FF65BB11196F255122E47F3F1B6B592C86B6EC51AB7D9AC8926FECFBE274679AD4F383199378E47482B2DB707E09D73692BEE5E4EC79C244E3A8
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B...,...,...,......,.q.-...,..-...,...-...,.q.)...,.q.(...,.q./...,...$...,...,...,.......,.......,.Rich..,.................PE..d....y.e.........." ...#..... ......P.....................................................`..........................................9......x:..d....`.......P...............p..,....3...............................1..@............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):57856
Entropy (8bit):4.25844209931351
Encrypted:false
SSDEEP:384:1UqVT1dZ/lHkJnYcZiGKdZHDLtiduprZAZB0JAIg+v:nHlHfJid3X
MD5:007BE822C3657687A84A7596531D79B7
SHA1:B24F74FDC6FA04EB7C4D1CD7C757C8F1C08D4674
SHA-256:6CF2B3969E44C88B34FB145166ACCCDE02B53B46949A9D5C37D83CA9C921B8C8
SHA-512:F9A8B070302BDFE39D0CD8D3E779BB16C9278AE207F5FADF5B27E1A69C088EEF272BFBCE6B977BA37F68183C8BBEAC7A31668662178EFE4DF8940E19FBCD9909
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A..n...n...n......n.q.o...n...o...n...o...n.q.k...n.q.j...n.q.m...n...f...n...n...n.......n...l...n.Rich..n.........PE..d....y.e.........." ...#.8...................................................0............`.....................................................d...............l............ ..4...................................@...@............P...............................text....7.......8.................. ..`.rdata..f....P.......<..............@..@.data...8...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):58368
Entropy (8bit):4.274890605099198
Encrypted:false
SSDEEP:384:4Uqho9weF5/dHkRnYcZiGKdZHDL7idErZBZYmGg:ECndH//iduz
MD5:A883798D95F76DA8513DA6B87D470A2A
SHA1:0507D920C1935CE71461CA1982CDB8077DDB3413
SHA-256:AED194DD10B1B68493481E7E89F0B088EF216AB5DB81959A94D14BB134643BFB
SHA-512:5C65221542B3849CDFBC719A54678BB414E71DE4320196D608E363EFF69F2448520E620B5AA8398592D5B58D7F7EC1CC4C72652AD621308C398D45F294D05C9B
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A..n...n...n......n.q.o...n...o...n...o...n.q.k...n.q.j...n.q.m...n...f...n...n...n.......n...l...n.Rich..n.........PE..d....y.e.........." ...#.:...................................................0............`.................................................P...d............................ ..4...................................@...@............P...............................text...x9.......:.................. ..`.rdata.......P.......>..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):10752
Entropy (8bit):4.5811635662773185
Encrypted:false
SSDEEP:192:PzWVddiTHThQTctEEI4qXDc1CkcqgbW6:PzWMdsc+EuXDc0YgbW
MD5:DEDAE3EFDA452BAB95F69CAE7AEBB409
SHA1:520F3D02693D7013EA60D51A605212EFED9CA46B
SHA-256:6248FDF98F949D87D52232DDF61FADA5EF02CD3E404BB222D7541A84A3B07B8A
SHA-512:8C1CAB8F34DE2623A42F0750F182B6B9A7E2AFFA2667912B3660AF620C7D9AD3BD5B46867B3C2D50C0CAE2A1BC03D03E20E4020B7BA0F313B6A599726F022C6C
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&4%.bUK.bUK.bUK.k-..`UK..)J.`UK.)-J.aUK.bUJ.AUK..)N.iUK..)O.jUK..)H.aUK.(C.cUK.(K.cUK.(..cUK.(I.cUK.RichbUK.........PE..d....y.e.........." ...#............P........................................p............`.........................................p'......((..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):22016
Entropy (8bit):6.1405490084747445
Encrypted:false
SSDEEP:384:WMU/5cRUtPMbNv37t6KjjNrDF6pJgLa0Mp8Qg0gYP2lcCM:WdKR8EbxwKflDFQgLa1AzP
MD5:914EA1707EBA03E4BE45D3662BF2466E
SHA1:3E110C9DBFE1D17E1B4BE69052E65C93DDC0BF26
SHA-256:4D4F22633D5DB0AF58EE260B5233D48B54A6F531FFD58EE98A5305E37A00D376
SHA-512:F6E6323655B351E5B7157231E04C352A488B0B49D7174855FC8594F119C87A26D31C602B3307C587A28AD408C2909A93B8BA8CB41166D0113BD5C6710C4162C3
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#.(...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text...X'.......(.................. ..`.rdata..T....@... ...,..............@..@.data...8....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..4............T..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):17920
Entropy (8bit):5.350740516564008
Encrypted:false
SSDEEP:384:GPHdP3Mj7Be/yB/MsB3yRcb+IqcOYoQViCBD88g6Vf4A:APcnB8KEsB3ocb+pcOYLMCBDu
MD5:52E481A15C3CE1B0DF8BA3B1B77DF9D0
SHA1:C1F06E1E956DFDE0F89C2E237ADFE42075AAE954
SHA-256:C85A6783557D96BFA6E49FE2F6EA4D2450CF110DA314C6B8DCEDD7590046879B
SHA-512:108FB1344347F0BC27B4D02D3F4E75A76E44DE26EF54323CB2737604DF8860A94FA37121623A627937F452B3B923C3D9671B13102D2E5F1005E4766E80A05A96
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d....y.e.........." ...#.(... ......P.....................................................`..........................................I.......J..d....p.......`..................,....C...............................A..@............@...............................text....'.......(.................. ..`.rdata..8....@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):12288
Entropy (8bit):4.737329240938157
Encrypted:false
SSDEEP:192:BF/1nb2eqCQtkgU7L9D0T70fcqgYvEJPb:t2P6L9DWAxgYvEJj
MD5:A13584F663393F382C6D8D5C0023BC80
SHA1:D324D5FBD7A5DBA27AA9B0BDB5C2AEBFF17B55B1
SHA-256:13C34A25D10C42C6A12D214B2D027E5DC4AE7253B83F21FD70A091FEDAC1E049
SHA-512:14E4A6F2959BD68F441AA02A4E374740B1657AB1308783A34D588717F637611724BC90A73C80FC6B47BC48DAFB15CF2399DC7020515848F51072F29E4A8B4451
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):14848
Entropy (8bit):5.2072665819239585
Encrypted:false
SSDEEP:192:iF/1nb2eqCQtkhlgJ2ycxFzShJD9CAac2QDeJKcqgQx2XY:Y2PKr+2j8JDefJagQx2XY
MD5:104B480CB83BFF78101CF6940588D570
SHA1:6FC56B9CF380B508B01CAB342FCC939494D1F595
SHA-256:BA4F23BBDD1167B5724C04DB116A1305C687001FAC43304CD5119C44C3BA6588
SHA-512:60617865C67115AD070BD6462B346B89B69F834CAF2BFE0EF315FB4296B833E095CD03F3F4D6D9499245C5DA8785F2FBE1AC7427049BD48428EBF74529229040
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d...~y.e.........." ...#..... ......P.....................................................`..........................................9......|:..d....`.......P..@............p..,....3...............................2..@............0...............................text...X........................... ..`.rdata.......0....... ..............@..@.data...8....@.......0..............@....pdata..@....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):14336
Entropy (8bit):5.177411248432731
Encrypted:false
SSDEEP:192:mF/1nb2eqCQt7fSxp/CJPvADQZntxSOvbcqgEvcM+:c2PNKxZWPIDexVlgEvL
MD5:06D3E941860BB0ABEDF1BAF1385D9445
SHA1:E8C16C3E8956BA99A2D0DE860DCFC5021F1D7DE5
SHA-256:1C340D2625DAD4F07B88BB04A81D5002AABF429561C92399B0EB8F6A72432325
SHA-512:6F62ACFF39B77C1EC9F161A9BFA94F8E3B932D56E63DAEE0093C041543993B13422E12E29C8231D88BC85C0573AD9077C56AA7F7A307E27F269DA17FBA8EE5A3
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d....y.e.........." ...#..... ......P.....................................................`.........................................09.......9..d....`.......P..@............p..,....3...............................2..@............0...............................text...8........................... ..`.rdata..4....0......................@..@.data...8....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):14336
Entropy (8bit):5.137579183601755
Encrypted:false
SSDEEP:192:5siHfq5po0ZUp8XnUp8XjEQnlDtW26rcqgcx2:nqDZUp8XUp8AclDN69gcx2
MD5:F938A89AEC5F535AF25BD92221BBC141
SHA1:384E1E92EBF1A6BBE068AB1493A26B50EFE43A7E
SHA-256:774A39E65CC2D122F8D4EB314CED60848AFFF964FB5AD2627E32CB10EF28A6D0
SHA-512:ED0506B9EBCEC26868F484464F9CC38E28F8056D6E55C536ECD2FD98F58F29F2D1CE96C5E574876A9AA6FD22D3756A49BC3EB464A7845CB3F28A1F3D1C98B4D7
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d...qy.e.........." ...#..... ......P.....................................................`..........................................9......0:..d....`.......P..(............p..,....4...............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):13824
Entropy (8bit):5.158343521612926
Encrypted:false
SSDEEP:192:jsiHfq5pwUivkwXap8T0NchH73s47iDJxj2wcqgfvE:9qbi8wap8T0Ncp7n7iDbFgfvE
MD5:173EED515A1ADDD1DA0179DD2621F137
SHA1:D02F5E6EDA9FF08ABB4E88C8202BAD7DB926258F
SHA-256:9D9574A71EB0DE0D14570B5EDA06C15C17CC2E989A20D1E8A4821CB813290D5F
SHA-512:8926FBB78A00FD4DC67670670035D9E601AF27CDBE003DC45AD809E8DA1042DDECB997F44ED104BEC13391C8048051B0AAD0C10FDEEDFB7F858BA177E92FDC54
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d...qy.e.........." ...#............P.....................................................`.........................................p8...... 9..d....`.......P..(............p..,...@3...............................2..@............0...............................text............................... ..`.rdata..p....0......................@..@.data...p....@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):15360
Entropy (8bit):5.469810464531962
Encrypted:false
SSDEEP:192:RZ9WfqP7M93g8UdsoS1hhiBvzcuiDSjeoGmDZNbRBP0rcqgjPrvE:sA0gHdzS1MwuiDSyoGmD/r89gjPrvE
MD5:39B06A1707FF5FDC5B3170EB744D596D
SHA1:37307B2826607EA8D5029293990EB1476AD6CC42
SHA-256:2E8BB88D768890B6B68D5B6BB86820766ADA22B82F99F31C659F4C11DEF211A1
SHA-512:98C3C45EB8089800EDF99ACEA0810820099BFD6D2C805B80E35D9239626CB67C7599F1D93D2A14D2F3847D435EAA065BF56DF726606BB5E8A96E527E1420633D
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d...ry.e.........." ...#. ..........P.....................................................`..........................................8.......9..d....`.......P..X............p..,....3...............................1..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):13824
Entropy (8bit):5.137646874307781
Encrypted:false
SSDEEP:192:QF/1nb2eqCQtZl9k9VEmosHcBZTHGF31trDbu8oiZmtwcqgk+9TI:q2PXlG9VDos8BZA33rDbuNgk0gk+9U
MD5:1DFC771325DD625DE5A72E0949D90E5F
SHA1:8E1F39AAFD403EDA1E5CD39D5496B9FAA3387B52
SHA-256:13F9ADBBD60D7D80ACEE80D8FFB461D7665C5744F8FF917D06893AA6A4E25E3A
SHA-512:B678FB4AD6DF5F8465A80BFB9A2B0433CF6CFAD4C6A69EEBF951F3C4018FD09CB7F38B752BE5AB55C4BE6C88722F70521D22CBCBBB47F8C46DDB0B1ACBFD7D7E
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\Y..2...2...2......2.i.3...2...3...2...3...2.i.7...2.i.6...2.i.1...2...:...2...2...2.......2...0...2.Rich..2.........PE..d...}y.e.........." ...#..... ......P.....................................................`..........................................9.......:..d....`.......P...............p..,....4..............................P3..@............0...............................text...X........................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata.......P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):17920
Entropy (8bit):5.687377356938656
Encrypted:false
SSDEEP:384:bPHdP3MjeQTh+QAZUUw8lMF6D+1tgj+kf4:xPcKQT3iw8lfDUej+
MD5:9D15862569E033C5AA702F9E4041C928
SHA1:11376E8CB76AD2D9A7D48D11F4A74FB12B78BCF6
SHA-256:8970DF77D2F73350360DBE68F937E0523689FF3D7C0BE95EB7CA5820701F1493
SHA-512:322F0F4947C9D5D2800DEEBFD198EABE730D44209C1B61BB9FD0F7F9ED5F719AE49F8397F7920BDB368BB386A598E9B215502DC46FBE72F9340876CF40AFFC8A
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d...sy.e.........." ...#.*..........P.....................................................`..........................................H.......I..d....p.......`..X...............,....C...............................A..@............@...............................text....).......*.................. ..`.rdata.......@......................@..@.data........P.......<..............@....pdata..X....`.......>..............@..@.rsrc........p.......B..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):21504
Entropy (8bit):5.9200472722347675
Encrypted:false
SSDEEP:384:pljwGpJpvrp/LTaqvYHp5RYcARQOj4MSTjqgPmJDcOwwgjxo:Ljw4JbZYtswvqDc51j
MD5:7398EFD589FBE4FEFADE15B52632CD5C
SHA1:5EA575056718D3EC9F57D3CFF4DF87D77D410A4B
SHA-256:F1970DB1DA66EFB4CD8E065C40C888EED795685FF4E5A6FA58CA56A840FE5B80
SHA-512:C26F6FF693782C84460535EBCD35F23AA3C95FB8C0C8A608FB9A849B0EFD735EF45125397549C61248AE06BD068554D2DE05F9A3BA64F363438EDB92DA59481B
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d...wy.e.........." ...#.6... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..,............R..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):21504
Entropy (8bit):5.922439979230845
Encrypted:false
SSDEEP:384:jljwGpJpvrp/LtaqvYHp5RYcARQOj4MSTjqgPmJDcbegjxo:hjw4JVZYtswvqDcb7j
MD5:352F56E35D58ABE96D6F5DBBD40D1FEA
SHA1:5F0C9596B84B8A54D855441C6253303D0C81AA1B
SHA-256:44EED167431151E53A8F119466036F1D60773DDEB8350AF972C82B3789D5D397
SHA-512:CB4862B62ABB780656F1A06DADD3F80AEA453E226C38EFAE4318812928A7B0B6A3A8A86FCC43F65354B84FC07C7235FF384B75C2244553052E00DC85699D422A
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<Y..R...R...R......R.i.S...R...S...R...S...R.i.W...R.i.V...R.i.Q...R...Z...R...R...R.......R...P...R.Rich..R.................PE..d...uy.e.........." ...#.6... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..,............R..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):26624
Entropy (8bit):5.879121462749493
Encrypted:false
SSDEEP:768:pDLZ9BjjBui0gel9soFdkO66MlPGXmXcnRDbRj:VBfu/FZ6nPxMRDtj
MD5:3C47F387A68629C11C871514962342C1
SHA1:EA3E508A8FB2D3816C80CD54CDD9C8254809DB00
SHA-256:EA8A361B060EB648C987ECAF453AE25034DBEA3D760DC0805B705AC9AA1C7DD9
SHA-512:5C824E4C0E2AB13923DC8330D920DCD890A9B33331D97996BC1C3B73973DF7324FFFB6E940FA5AA92D6B23A0E6971532F3DB4BF899A9DF33CC0DD6CB1AC959DD
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):26624
Entropy (8bit):5.937696428849242
Encrypted:false
SSDEEP:768:VYL59Ugjaui0gel9soFdkO66MlPGXmXcXVDuSFAj:60xu/FZ6nPxMlD7Kj
MD5:2F44F1B760EE24C89C13D9E8A06EA124
SHA1:CF8E16D8324A7823B11474211BD7B95ADB321448
SHA-256:7C7B6F59DD250BD0F8CBC5AF5BB2DB9F9E1A2A56BE6442464576CD578F0B2AE0
SHA-512:2AACB2BB6A9EBA89549BF864DDA56A71F3B3FFEDB8F2B7EF3FC552AB3D42BC4B832F5FA0BA87C59F0F899EA9716872198680275A70F3C973D44CA7711DB44A14
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):12800
Entropy (8bit):5.027823764756571
Encrypted:false
SSDEEP:192:/RF/1nb2eqCQtkbsAT2fixSrdYDt8ymjcqgQvEW:/d2P6bsK4H+DVwgQvEW
MD5:64604EE3AEBEE62168F837A41BA61DB1
SHA1:4D3FF7AC183BC28B89117240ED1F6D7A7D10AEF1
SHA-256:20C3CC2F50B51397ACDCD461EE24F0326982F2DC0E0A1A71F0FBB2CF973BBEB2
SHA-512:D03EEFF438AFB57E8B921CE080772DF485644DED1074F3D0AC12D3EBB1D6916BD6282E0E971408E89127FF1DAD1D0CB1D214D7B549D686193068DEA137A250CE
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):13312
Entropy (8bit):5.020783935465456
Encrypted:false
SSDEEP:192:+F/1nb2eqCQtks0iiNqdF4mtPjD0ZA5LPYcqgYvEL2x:02P6fFA/4GjDXcgYvEL2x
MD5:E0EEDBAE588EE4EA1B3B3A59D2ED715A
SHA1:4629B04E585899A7DCB4298138891A98C7F93D0B
SHA-256:F507859F15A1E06A0F21E2A7B060D78491A9219A6A499472AA84176797F9DB02
SHA-512:9FD82784C7E06F00257D387F96E732CE4A4BD065F9EC5B023265396D58051BECC2D129ABDE24D05276D5CD8447B7DED394A02C7B71035CED27CBF094ED82547D
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):15872
Entropy (8bit):5.2616188776014665
Encrypted:false
SSDEEP:384:JP2T9FRjRskTdf4YBU7YP5yUYDE1give:qHlRl57IC8UYDEG
MD5:1708C4D1B28C303DA19480AF3C6D04FF
SHA1:BAC78207EFAA6D838A8684117E76FB871BD423D5
SHA-256:C90FB9F28AD4E7DEED774597B12AA7785F01DC4458076BE514930BF7AB0D15EC
SHA-512:2A174C1CB712E8B394CBEE20C33974AA277E09631701C80864B8935680F8A4570FD040EA6F59AD71631D421183B329B85C749F0977AEB9DE339DFABE7C23762E
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):15360
Entropy (8bit):5.130670522779765
Encrypted:false
SSDEEP:192:nZNGfqDgvUh43G6coX2SSwmPL4V7wTdDl41Y2cqgWjvE:CFMhuGGF2L4STdDcYWgWjvE
MD5:E08355F3952A748BADCA2DC2E82AA926
SHA1:F24828A3EEFB15A2550D872B5E485E2254C11B48
SHA-256:47C664CB7F738B4791C7D4C21A463E09E9C1AAAE2348E63FB2D13FC3E6E573EB
SHA-512:E7F48A140AFEF5D6F64A4A27D95E25A8D78963BB1F9175B0232D4198D811F6178648280635499C562F398613E0B46D237F7DB74A39B52003D6C8768B80EC6FB6
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):34816
Entropy (8bit):5.935249615462395
Encrypted:false
SSDEEP:768:gb+5F2hqrxS7yZAEfYcwcSPxpMgLp/GQNSpcVaGZ:gb+5Qwc7OAEfYcwJxpMgFJh
MD5:DB56C985DBC562A60325D5D68D2E5C5B
SHA1:854684CF126A10DE3B1C94FA6BCC018277275452
SHA-256:089585F5322ADF572B938D34892C2B4C9F29B62F21A5CF90F481F1B6752BC59F
SHA-512:274D9E4A200CAF6F60AC43F33AADF29C6853CC1A7E04DF7C8CA3E24A6243351E53F1E5D0207F23B34319DFC8EEE0D48B2821457B8F11B6D6A0DBA1AE820ACE43
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):12288
Entropy (8bit):4.799861986912974
Encrypted:false
SSDEEP:192:YTIekCffqPSTMeAk4OeR64ADpki6RcqgO5vE:YTNZMcPeR64ADh63gO5vE
MD5:6229A84562A9B1FBB0C3CF891813AADD
SHA1:4FAFB8AF76A7F858418AA18B812FEACADFA87B45
SHA-256:149027958A821CBC2F0EC8A0384D56908761CC544914CED491989B2AD9D5A4DC
SHA-512:599C33F81B77D094E97944BB0A93DA68D2CCB31E6871CE5679179FB6B9B2CE36A9F838617AC7308F131F8424559C5D1A44631E75D0847F3CC63AB7BB57FE1871
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):754176
Entropy (8bit):7.628627007698131
Encrypted:false
SSDEEP:12288:31ETHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h+b:lETHoxJFf1p34hcrn5Go9yQO6g
MD5:BBB83671232E0BE361E812369A463E03
SHA1:A37DAEC475AB230E14897077D17E20B7A5112B8D
SHA-256:873A3E3E945421917BA780D95C78ECCB92D4E143227987D6812BC9F9E4653BE0
SHA-512:BF6718DE5235F6A7C348A1E2F325FEE59C74356D4722DFA99DA36A2BE1E6386C544EEC09190E2EBBA58B7C6B4157D00409C59F29AE2CC7BC13CBC301B8592586
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):27648
Entropy (8bit):5.799740467345125
Encrypted:false
SSDEEP:384:PvRwir5rOF2MZz1n0/kyTMIl9bhgIW0mvBaeoSzra2pftjGQDdsC0MgkbQ0e1r:PJLtg2MTeM+9dmvBaeoCtaQDekf
MD5:7F2C691DEB4FF86F2F3B19F26C55115C
SHA1:63A9D6FA3B149825EA691F5E9FDF81EEC98224AA
SHA-256:BF9224037CAE862FE220094B6D690BC1992C19A79F7267172C90CBED0198582E
SHA-512:3A51F43BF628E44736859781F7CFF0E0A6081CE7E5BDE2F82B3CDB52D75D0E3DFAE92FC2D5F7D003D0B313F6835DBA2E393A0A8436F9409D92E20B65D3AED7E2
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):67072
Entropy (8bit):6.060804942512998
Encrypted:false
SSDEEP:1536:HqvnErJyGoqQXZKfp23mXKUULBeCFTUCqHF+PELb7MSAEfnctefBd5:HqvnErJyGoqQXZKfp2ayLsCFTUCqHEP4
MD5:AF46798028AB3ED0E56889DFB593999B
SHA1:D4D7B39A473E69774771B2292FDBF43097CE6015
SHA-256:FD4F1F6306950276A362D2B3D46EDBB38FEABA017EDCA3CD3A2304340EC8DD6C
SHA-512:58A80AFEEAC16D7C35F8063D03A1F71CA6D74F200742CAE4ADB3094CF4B3F2CD1A6B3F30A664BD75AB0AF85802D935B90DD9A1C29BFEA1B837C8C800261C6265
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):10752
Entropy (8bit):4.488129745837651
Encrypted:false
SSDEEP:96:kfuF7pVVdJvbrqTuy/Th/Y0IluLfcC75JiC4cs89EfqADQhDsAbcX6gn/7EC:TF/VddiTHThQTctdErDQDsicqgn/7
MD5:F4B7324A8F7908C3655BE4C75EAC36E7
SHA1:11A30562A85A444F580213417483BE8D4D9264AD
SHA-256:5397E3F5762D15DCD84271F49FC52983ED8F2717B258C7EF370B24977A5D374B
SHA-512:66CA15A9BAD39DD4BE7921A28112A034FFE9CD11F91093318845C269E263804AB22A4AF262182D1C6DAC8741D517362C1D595D9F79C2F729216738C3DD79D7C2
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):10240
Entropy (8bit):4.733990521299615
Encrypted:false
SSDEEP:192:PzVVddiTHThQTctEEaEDKDnMRWJcqgbW6:PzTMdsc+EaEDKDnCWvgbW
MD5:3D566506052018F0556ADF9D499D4336
SHA1:C3112FF145FACF47AF56B6C8DCA67DAE36E614A2
SHA-256:B5899A53BC9D3112B3423C362A7F6278736418A297BF86D32FF3BE6A58D2DEEC
SHA-512:0AC6A1FC0379F5C3C80D5C88C34957DFDB656E4BF1F10A9FA715AAD33873994835D1DE131FC55CD8B0DEBDA2997993E978700890308341873B8684C4CD59A411
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):10240
Entropy (8bit):4.689063511060661
Encrypted:false
SSDEEP:96:P/ryZVVdJvbrqTuy/Th/Y0IluLfcC75JiCKs89EMz3DIWMot4BcX6gbW6O:PzQVddiTHThQTctEEO3DSoKcqgbW6
MD5:FAE081B2C91072288C1C8BF66AD1ABA5
SHA1:CD23DDB83057D5B056CA2B3AB49C8A51538247DE
SHA-256:AF76A5B10678F477069ADD6E0428E48461FB634D9F35FB518F9F6A10415E12D6
SHA-512:0ADB0B1088CB6C8F089CB9BF7AEC9EEEB1717CF6CF44B61FB0B053761FA70201AB3F7A6461AAAE1BC438D689E4F8B33375D31B78F1972AA5A4BF86AFAD66D3A4
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):5653424
Entropy (8bit):6.729277267882055
Encrypted:false
SSDEEP:49152:EuEsNcEc8/CK4b11P5ViH8gw0+NVQD5stWIlE7lva8iposS9j5fzSQzs7ID+AVuS:EnL8+5fiEnQFLOAkGkzdnEVomFHKnPS
MD5:03A161718F1D5E41897236D48C91AE3C
SHA1:32B10EB46BAFB9F81A402CB7EFF4767418956BD4
SHA-256:E06C4BD078F4690AA8874A3DEB38E802B2A16CCB602A7EDC2E077E98C05B5807
SHA-512:7ABCC90E845B43D264EE18C9565C7D0CBB383BFD72B9CEBB198BA60C4A46F56DA5480DA51C90FF82957AD4C84A4799FA3EB0CEDFFAA6195F1315B3FF3DA1BE47
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1142272
Entropy (8bit):6.040548449175261
Encrypted:false
SSDEEP:12288:cLokSyhffpJSf6VJtHUR2L2mVSvya6Lx15IQnpKTlYcf9WBo:cLok/pXJdUzOSMx15dcTlYiK
MD5:B505E88EB8995C2EC46129FB4B389E6C
SHA1:CBFA8650730CBF6C07F5ED37B0744D983ABFE50A
SHA-256:BE7918B4F7E7DE53674894A4B8CFADCACB4726CEA39B7DB477A6C70231C41790
SHA-512:6A51B746D0FBC03F57FF28BE08F7E894AD2E9F2A2F3B61D88EAE22E7491CF35AE299CDB3261E85E4867F41D8FDA012AF5BD1EB8E1498F1A81ADC4354ADACDAAB
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):98224
Entropy (8bit):6.452201564717313
Encrypted:false
SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:F34EB034AA4A9735218686590CBA2E8B
SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):37256
Entropy (8bit):6.297533243519742
Encrypted:false
SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
MD5:135359D350F72AD4BF716B764D39E749
SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):65304
Entropy (8bit):6.192082137044192
Encrypted:false
SSDEEP:1536:owmuopcJpmVwR40axzEfRILOnMv7SySmPxe:owmu4/mR40axzEfRILOnw3xe
MD5:33D0B6DE555DDBBBD5CA229BFA91C329
SHA1:03034826675AC93267CE0BF0EAEC9C8499E3FE17
SHA-256:A9A99A2B847E46C0EFCE7FCFEFD27F4BCE58BAF9207277C17BFFD09EF4D274E5
SHA-512:DBBD1DDFA445E22A0170A628387FCF3CB95E6F8B09465D76595555C4A67DA4274974BA7B348C4C81FE71C68D735C13AACB8063D3A964A8A0556FB000D68686B7
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):83736
Entropy (8bit):6.595094797707322
Encrypted:false
SSDEEP:1536:hXOz78ZqjUyAsIi7W/5+D8W35mjZm35ILCVM7SyfYPxe:pOzwpyAFi7WMgW34jZm35ILCVMZoxe
MD5:86D1B2A9070CD7D52124126A357FF067
SHA1:18E30446FE51CED706F62C3544A8C8FDC08DE503
SHA-256:62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
SHA-512:7DB4B7E0C518A02AE901F4B24E3860122ACC67E38E73F98F993FE99EB20BB3AA539DB1ED40E63D6021861B54F34A5F5A364907FFD7DA182ADEA68BBDD5C2B535
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):97280
Entropy (8bit):5.863582949096841
Encrypted:false
SSDEEP:1536:DkpD/iwe/wv2yuaXLGq8AFrx/5SuGfQuTpyTPryTt3EO3O5Hk+FNniLfwy:63SLu8BTpEyTt0OyHniLfw
MD5:D24F4FE64C38018AE7FC9661C67739F6
SHA1:E7B2ECCCCA76C2B27A4A6BBCC97F435435977FE4
SHA-256:CF69E5FD60CE55AB42DDF01D27305F2C4EDBBA63D3DADADF04380B6A4A9C07EF
SHA-512:80C7C79ECAC160350C545D81AAAED8D73C53F43EC61238F0CFCD51CF0EF1A81C40A986ED3D3BFF7726EDA50238871B0C786D77162B13E8F37F74BCA580892191
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):181248
Entropy (8bit):6.188683787528254
Encrypted:false
SSDEEP:3072:rZ1fKD8GVLHASq0TTjfQxnkVB0hcspEsHS7iiSTLkKetJb9Pu:rZNRGVb9TTCnaZsuMXiSTLLeD9
MD5:EBB660902937073EC9695CE08900B13D
SHA1:881537ACEAD160E63FE6BA8F2316A2FBBB5CB311
SHA-256:52E5A0C3CA9B0D4FC67243BD8492F5C305FF1653E8D956A2A3D9D36AF0A3E4FD
SHA-512:19D5000EF6E473D2F533603AFE8D50891F81422C59AE03BEAD580412EC756723DC3379310E20CD0C39E9683CE7C5204791012E1B6B73996EA5CB59E8D371DE24
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):123672
Entropy (8bit):6.047035801914277
Encrypted:false
SSDEEP:3072:0OEESRiaiH6lU1vxqfrId0sx3gVILLPykxA:hj+I1vAfrIRx3gN
MD5:1635A0C5A72DF5AE64072CBB0065AEBE
SHA1:C975865208B3369E71E3464BBCC87B65718B2B1F
SHA-256:1EA3DD3DF393FA9B27BF6595BE4AC859064CD8EF9908A12378A6021BBA1CB177
SHA-512:6E34346EA8A0AACC29CCD480035DA66E280830A7F3D220FD2F12D4CFA3E1C03955D58C0B95C2674AEA698A36A1B674325D3588483505874C2CE018135320FF99
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):254744
Entropy (8bit):6.564308911485739
Encrypted:false
SSDEEP:6144:3LT2sto29vTlN5cdIKdo4/3VaV8FlBa9qWMa3pLW1A/T8O51j4iab9M:H2s/9vTlPcdk4vVtFU98iIu
MD5:20C77203DDF9FF2FF96D6D11DEA2EDCF
SHA1:0D660B8D1161E72C993C6E2AB0292A409F6379A5
SHA-256:9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
SHA-512:2B24346ECE2CBD1E9472A0E70768A8B4A5D2C12B3D83934F22EBDC9392D9023DCB44D2322ADA9EDBE2EB0E2C01B5742D2A83FA57CA23054080909EC6EB7CF3CA
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):64792
Entropy (8bit):6.223467179037751
Encrypted:false
SSDEEP:1536:/smKJPganCspF1dqZAC2QjP2RILOIld7SyEPxDF:/smKpgNoF1dqZDnjP2RILOIv2xB
MD5:D4674750C732F0DB4C4DD6A83A9124FE
SHA1:FD8D76817ABC847BB8359A7C268ACADA9D26BFD5
SHA-256:CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
SHA-512:97D57CFB80DD9DD822F2F30F836E13A52F771EE8485BC0FD29236882970F6BFBDFAAC3F2E333BBA5C25C20255E8C0F5AD82D8BC8A6B6E2F7A07EA94A9149C81E
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):158488
Entropy (8bit):6.8491143497239655
Encrypted:false
SSDEEP:3072:j0k3SXjD9aWpAn3rb7SbuDlvNgS4fWqEznfo9mNoFTSlXZ8Ax5ILZ1GIxq:j0kiXjD9v8X7Euk4wYOFTafxn
MD5:7447EFD8D71E8A1929BE0FAC722B42DC
SHA1:6080C1B84C2DCBF03DCC2D95306615FF5FCE49A6
SHA-256:60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
SHA-512:C6295D45ED6C4F7534C1A38D47DDC55FEA8B9F62BBDC0743E4D22E8AD0484984F8AB077B73E683D0A92D11BF6588A1AE395456CFA57DA94BB2A6C4A1B07984DE
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):44824
Entropy (8bit):6.25910509143267
Encrypted:false
SSDEEP:768:6tZrHlbhCeruhfPxoUAIZdeoLuM3uJYVewp2m25SyG5ILCGSF5YiSyvkzLPxWElw:6PbtNruhfpuiVD2LSyG5ILCGSL7Sy83u
MD5:8B07A1F0A073E33A990BAB943CF2F22C
SHA1:D4FBED8732FDFE25FEC37F1152BBCAF3E0FB2D9B
SHA-256:C26236A23EA4B99C19F9F9BB30CAE26BC5FF66D0FDD7FD65726A0BCB667CB160
SHA-512:690A6F9EC6636DF89A43513554BE0BF4821DF8ECB60A578ADA8E0A6112846CD6BAFEF9449F85EF95BCDF91B3D3E0631F3413FC0EED14546F94FF42762270B7FE
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):34584
Entropy (8bit):6.41423936733334
Encrypted:false
SSDEEP:768:eZt56pxGyC572edLMILWt3u5YiSyvCVPxWElj:eL5PyC572edLMILWt3E7SyqPx3
MD5:A9A0588711147E01EED59BE23C7944A9
SHA1:122494F75E8BB083DDB6545740C4FAE1F83970C9
SHA-256:7581EDEA33C1DB0A49B8361E51E6291688601640E57D75909FB2007B2104FA4C
SHA-512:6B580F5C53000DB5954DEB5B2400C14CB07F5F8BBCFC069B58C2481719A0F22F0D40854CA640EF8425C498FBAE98C9DE156B5CC04B168577F0DA0C6B13846A88
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):49944
Entropy (8bit):6.381980613434177
Encrypted:false
SSDEEP:768:8AM30ie6tyw0lTnj1TulWXaSV2cFVNILXtP5YiSyvWPxWElh7:8AM3hacSV2UNILXth7SyuPxd7
MD5:FDF8663B99959031780583CCE98E10F5
SHA1:6C0BAFC48646841A91625D74D6B7D1D53656944D
SHA-256:2EBBB0583259528A5178DD37439A64AFFCB1AB28CF323C6DC36A8C30362AA992
SHA-512:A5371D6F6055B92AC119A3E3B52B21E2D17604E5A5AC241C008EC60D1DB70B3CE4507D82A3C7CE580ED2EB7D83BB718F4EDC2943D10CB1D377FA006F4D0026B6
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):31512
Entropy (8bit):6.563116725717513
Encrypted:false
SSDEEP:768:bxrUGCpa6rIxdK/rAwVILQU85YiSyvz5PxWEaAc:trUZIzYrAwVILQUG7SydPxDc
MD5:D8C1B81BBC125B6AD1F48A172181336E
SHA1:3FF1D8DCEC04CE16E97E12263B9233FBF982340C
SHA-256:925F05255F4AAE0997DC4EC94D900FD15950FD840685D5B8AA755427C7422B14
SHA-512:CCC9F0D3ACA66729832F26BE12F8E7021834BBEE1F4A45DA9451B1AA5C2E63126C0031D223AF57CF71FAD2C85860782A56D78D8339B35720194DF139076E0772
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):79128
Entropy (8bit):6.284790077237953
Encrypted:false
SSDEEP:1536:ZmtvsXhgzrojAs9/s+S+pGLypbyxk/DDTBVILLwX7SyiPx9:c56OzyAs9/sT+pGLypb+k/XFVILLwX4f
MD5:819166054FEC07EFCD1062F13C2147EE
SHA1:93868EBCD6E013FDA9CD96D8065A1D70A66A2A26
SHA-256:E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
SHA-512:DA3A440C94CB99B8AF7D2BC8F8F0631AE9C112BD04BADF200EDBF7EA0C48D012843B4A9FB9F1E6D3A9674FD3D4EB6F0FA78FD1121FAD1F01F3B981028538B666
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):160536
Entropy (8bit):6.027748879187965
Encrypted:false
SSDEEP:3072:OwYiZ+PtocHnVXhLlasuvMETxoEBA+nbUtGnBSonJCNI5ILC7Gax1:FYk+PtocHVxx/uvPCEwhGJ
MD5:7910FB2AF40E81BEE211182CFFEC0A06
SHA1:251482ED44840B3C75426DD8E3280059D2CA06C6
SHA-256:D2A7999E234E33828888AD455BAA6AB101D90323579ABC1095B8C42F0F723B6F
SHA-512:BFE6506FEB27A592FE9CF1DB7D567D0D07F148EF1A2C969F1E4F7F29740C6BB8CCF946131E65FE5AA8EDE371686C272B0860BD4C0C223195AAA1A44F59301B27
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):25368
Entropy (8bit):6.613762885337037
Encrypted:false
SSDEEP:384:KYnvEaNKFDyuiBXK55ILZw59HQIYiSy1pCQNuPxh8E9VF0Ny8cIh:FTNK4uyXK55ILZwD5YiSyvEPxWEalh
MD5:B68C98113C8E7E83AF56BA98FF3AC84A
SHA1:448938564559570B269E05E745D9C52ECDA37154
SHA-256:990586F2A2BA00D48B59BDD03D3C223B8E9FB7D7FAB6D414BAC2833EB1241CA2
SHA-512:33C69199CBA8E58E235B96684346E748A17CC7F03FC068CFA8A7EC7B5F9F6FA90D90B5CDB43285ABF8B4108E71098D4E87FB0D06B28E2132357964B3EEA3A4F8
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):880569
Entropy (8bit):5.682997344315044
Encrypted:false
SSDEEP:12288:lgYJu4KXWyBC6S4IEZjA4a2Ya2xdOVwx/fpEh+rtSLMN5:lgYJiVB3La2xTVwx/fpEh++MN5
MD5:DCC69176BEA901A300A95298BD53E274
SHA1:8A8227E3C6791393254DA3244630161064B36A30
SHA-256:E1B4724D2A99B6E74B2DE4264302848BB1499DB777A7A76DE347720D0DC040D0
SHA-512:CDF24D139E1240C5E97B702C28551EAF8E853625C4D5D99DEB8E087EDC776977F1DE3EBD27B41F97512A223CDAA28DE0D718AC36C2110C5A00809E911522A93A
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):290282
Entropy (8bit):6.048183244201235
Encrypted:false
SSDEEP:6144:QW1H/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5Np:QWN/TRJLWURrI55MWavdF0L
MD5:302B49C5F476C0AE35571430BB2E4AA0
SHA1:35A7837A3F1B960807BF46B1C95EC22792262846
SHA-256:CF9D37FA81407AFE11DCC0D70FE602561422AA2344708C324E4504DB8C6C5748
SHA-512:1345AF52984B570B1FF223032575FEB36CDFB4F38E75E0BD3B998BC46E9C646F7AC5C583D23A70460219299B9C04875EF672BF5A0D614618731DF9B7A5637D0A
Malicious:false
Reputation:unknown
Preview:.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):10752
Entropy (8bit):4.675182011095312
Encrypted:false
SSDEEP:96:FL8Khp72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFaiHrmHcX6g8cim1qeSC:Zj2HzzU2bRYoe4Hmcqgvimoe
MD5:F33CA57D413E6B5313272FA54DBC8BAA
SHA1:4E0CABE7D38FE8D649A0A497ED18D4D1CA5F4C44
SHA-256:9B3D70922DCFAEB02812AFA9030A40433B9D2B58BCF088781F9AB68A74D20664
SHA-512:F17C06F4202B6EDBB66660D68FF938D4F75B411F9FAB48636C3575E42ABAAB6464D66CB57BCE7F84E8E2B5755B6EF757A820A50C13DD5F85FAA63CD553D3FF32
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):120320
Entropy (8bit):5.879886869577473
Encrypted:false
SSDEEP:3072:YKBCiXU2SBEUemE+OaOb3OEOz0fEDrF9pQKhN:YJZ2zOfdQKX
MD5:494F5B9ADC1CFB7FDB919C9B1AF346E1
SHA1:4A5FDDD47812D19948585390F76D5435C4220E6B
SHA-256:AD9BCC0DE6815516DFDE91BB2E477F8FB5F099D7F5511D0F54B50FA77B721051
SHA-512:2C0D68DA196075EA30D97B5FD853C673E28949DF2B6BF005AE72FD8B60A0C036F18103C5DE662CAC63BAAEF740B65B4ED2394FCD2E6DA4DFCFBEEF5B64DAB794
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):4
Entropy (8bit):1.5
Encrypted:false
SSDEEP:3:Mn:M
MD5:365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:false
Reputation:unknown
Preview:pip.
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):197
Entropy (8bit):4.61968998873571
Encrypted:false
SSDEEP:3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:false
Reputation:unknown
Preview:This software is made available under the terms of *either* of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of *both* these licenses..
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):11360
Entropy (8bit):4.426756947907149
Encrypted:false
SSDEEP:192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:4E168CCE331E5C827D4C2B68A6200E1B
SHA1:DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:false
Reputation:unknown
Preview:. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):1532
Entropy (8bit):5.058591167088024
Encrypted:false
SSDEEP:24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:false
Reputation:unknown
Preview:Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5292
Entropy (8bit):5.115440205505611
Encrypted:false
SSDEEP:96:DxapqZink/QIHQIyzQIZQILuQIR8vtklGovxNx6sWwCvCCcTKvIrrg9BMM6VwDjz:sJnkoBs/sqLz8cTKvIrrUiM6VwDjyeWs
MD5:137D13F917D94C83137A0FA5AE12B467
SHA1:01E93402C225BF2A4EE59F9A06F8062CB5E4801E
SHA-256:36738E6971D2F20DB78433185A0EF7912A48544AA6FF7006505A7DC785158859
SHA-512:1B22CBC6E22FA5E2BD5CC4A370443A342D00E7DD53330A4000E9A680DE80262BCA7188764E3568944D01025188291602AC8C53C971630984FBD9FA7D75AAB124
Malicious:false
Reputation:unknown
Preview:Metadata-Version: 2.1..Name: cryptography..Version: 41.0.7..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:CSV text
Category:dropped
Size (bytes):15334
Entropy (8bit):5.555125785454221
Encrypted:false
SSDEEP:384:3X6eU/ZfaigPOSJN5E6W1HepPNx6uvnNLEw:3RUxfzOPtREw
MD5:4ED1DF753C330417D290331FD1E18219
SHA1:556BED31DCDFA36166B45D8BCBB04C0D3B66C745
SHA-256:F71F64A0875F365A8C6CA53BC96CFB428C5102F98029459BA2091958802DCFD9
SHA-512:6984EF6D5DFC1062E6AB655E7B0C0A8AB916F1A3D88D8FA7FAD799E2792A2CB06C5C78C2292CCDB983CB6F68BA92B9F6453996B060CFDE7EE9C293FCE5F4D698
Malicious:false
Reputation:unknown
Preview:cryptography-41.0.7.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-41.0.7.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-41.0.7.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-41.0.7.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-41.0.7.dist-info/METADATA,sha256=NnOOaXHS8g23hDMYWg73kSpIVEqm_3AGUFp9x4UViFk,5292..cryptography-41.0.7.dist-info/RECORD,,..cryptography-41.0.7.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-41.0.7.dist-info/WHEEL,sha256=-EX5DQzNGQEoyL99Q-0P0-D-CXbfqafenaAeiSQ_Ufk,100..cryptography-41.0.7.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=uPXMbbcptt7EzZ_jllGRx0pVdMn-NBsAM4L74hOv-b0,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/_
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):100
Entropy (8bit):5.0203365408149025
Encrypted:false
SSDEEP:3:RtEeX7MWcSlVlbY3KgP+tkKc/SKQLn:RtBMwlVCxWKxDQLn
MD5:4B432A99682DE414B29A683A3546B69F
SHA1:F59C5016889EE5E9F62D09B22AEFBC2211A56C93
SHA-256:F845F90D0CCD190128C8BF7D43ED0FD3E0FE0976DFA9A7DE9DA01E89243F51F9
SHA-512:CBBF10E19B6F4072C416EA95D7AE259B9C5A1B89068B7B6660B7C637D6F2437AEA8D8202A2E26A0BEC36DAECD8BBB6B59016FC2DDEB13C545F0868B3E15479CA
Malicious:false
Reputation:unknown
Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp37-abi3-win_amd64..
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):13
Entropy (8bit):3.2389012566026314
Encrypted:false
SSDEEP:3:cOv:Nv
MD5:E7274BD06FF93210298E7117D11EA631
SHA1:7132C9EC1FD99924D658CC672F3AFE98AFEFAB8A
SHA-256:28D693F929F62B8BB135A11B7BA9987439F7A960CC969E32F8CB567C1EF79C97
SHA-512:AA6021C4E60A6382630BEBC1E16944F9B312359D645FC61219E9A3F19D876FD600E07DCA6932DCD7A1E15BFDEAC7DBDCEB9FFFCD5CA0E5377B82268ED19DE225
Malicious:false
Reputation:unknown
Preview:cryptography.
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):6673920
Entropy (8bit):6.582002531606852
Encrypted:false
SSDEEP:98304:EzN+T+xtLlk0PPMAiGoTzeDy3x8lGBlWi9Nk:E5Y6Jk0PPMtfTzp3x8c
MD5:486085AAC7BB246A173CEEA0879230AF
SHA1:EF1095843B2A9C6D8285C7D9E8E334A9CE812FAE
SHA-256:C3964FC08E4CA8BC193F131DEF6CC4B4724B18073AA0E12FED8B87C2E627DC83
SHA-512:8A56774A08DA0AB9DD561D21FEBEEBC23A5DEA6F63D5638EA1B608CD923B857DF1F096262865E6EBD56B13EFD3BBA8D714FFDCE8316293229974532C49136460
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):100352
Entropy (8bit):5.934692072315603
Encrypted:false
SSDEEP:3072:sEujSbDUbXE+Fw+Rt4PQyUN2exeYNTlI:xH8XZFwwtx8EI
MD5:D9152F1CC7198047C19968B405F18CB7
SHA1:BE2F3C405454624AA5010EFD15314CA5182D6B88
SHA-256:E356DF68E5442CEA92CDBB52E5BFF09F11D082AB8067E20B3FDFCBF7199AB071
SHA-512:E8D951EEA4C2158E661BB7B9FB4B3E5192B56E7E34FEB906F2F1A426D3390EF92FC89F4037E75E51890E31F2AB7CDED4D244D19C96AB0534EB6257F00F442DAA
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):3450648
Entropy (8bit):6.098075450035195
Encrypted:false
SSDEEP:98304:YP+uemAdn67xfxw6rKsK1CPwDv3uFfJz1CmiX:OZemAYxfxw6HK1CPwDv3uFfJzUmA
MD5:9D7A0C99256C50AFD5B0560BA2548930
SHA1:76BD9F13597A46F5283AA35C30B53C21976D0824
SHA-256:9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939
SHA-512:CB39AA99B9D98C735FDACF1C5ED68A4D09D11F30262B91F6AA48C3F8520EFF95E499400D0CE7E280CA7A90FF6D7141D2D893EF0B33A8803A1CADB28BA9A9E3E2
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):32792
Entropy (8bit):6.3566777719925565
Encrypted:false
SSDEEP:384:2nypDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYIoBneEAR8:2l0Vn5Q28J8qsqMttktDxOpWDG4yKRF
MD5:EEF7981412BE8EA459064D3090F4B3AA
SHA1:C60DA4830CE27AFC234B3C3014C583F7F0A5A925
SHA-256:F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
SHA-512:DC9FF4202F74A13CA9949A123DFF4C0223DA969F49E9348FEAF93DA4470F7BE82CFA1D392566EAAA836D77DDE7193FED15A8395509F72A0E9F97C66C0A096016
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):704792
Entropy (8bit):5.5573527806738126
Encrypted:false
SSDEEP:12288:WhO7/rNKmrouK/POt6h+7ToRLgo479dQwwLOpWW/dQ0TGqwfU2lvz2:2is/POtrzbLp5dQ0TGqcU2lvz2
MD5:BEC0F86F9DA765E2A02C9237259A7898
SHA1:3CAA604C3FFF88E71F489977E4293A488FB5671C
SHA-256:D74CE01319AE6F54483A19375524AA39D9F5FD91F06CF7DF238CA25E043130FD
SHA-512:FFBC4E5FFDB49704E7AA6D74533E5AF76BBE5DB297713D8E59BD296143FE5F145FBB616B343EED3C48ECEACCCCC2431630470D8975A4A17C37EAFCC12EDD19F4
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):67072
Entropy (8bit):5.90551713971002
Encrypted:false
SSDEEP:1536:ZhseNxkc7Xva0Y420G1UD+dS4gBeLmRy:Z1kcbi0Y42bUD+dS4oeiRy
MD5:01F9D30DD889A3519E3CA93FE6EFEE70
SHA1:EBF55ADBD8CD938C4C11D076203A3E54D995AEFF
SHA-256:A66444A08A8B9CEAFA05DAEFEB32AA1E65C8009A3C480599F648FA52A20AFB7D
SHA-512:76FED302D62BB38A39E0BF6C9038730E83B6AFFFA2F36E7A62B85770D4847EA6C688098061945509A1FDB799FB7F5C88699F94E7DA1934F88A9C3B6A433EE9EF
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):198936
Entropy (8bit):6.372446720663998
Encrypted:false
SSDEEP:3072:13BAJzkk5dT6F62eqf2A3zVnjIHdAPKReewMP12yGUfT0+SYyWgOmrpjAxvwnVIq:FQg4dT6N5OA3zVnjNed4yGKTKR/
MD5:1118C1329F82CE9072D908CBD87E197C
SHA1:C59382178FE695C2C5576DCA47C96B6DE4BBCFFD
SHA-256:4A2D59993BCE76790C6D923AF81BF404F8E2CB73552E320113663B14CF78748C
SHA-512:29F1B74E96A95B0B777EF00448DA8BD0844E2F1D8248788A284EC868AE098C774A694D234A00BD991B2D22C2372C34F762CDBD9EC523234861E39C0CA752DCAA
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):66328
Entropy (8bit):6.162953246481027
Encrypted:false
SSDEEP:768:t68LeBLeeFtp5V1BfO2yvSk70QZF1nEyjnskQkr/RFB1qucwdBeCw0myou6ZwJqn:t6wewnvtjnsfwxVILL0S7SyuPxHO
MD5:FD4A39E7C1F7F07CF635145A2AF0DC3A
SHA1:05292BA14ACC978BB195818499A294028AB644BD
SHA-256:DC909EB798A23BA8EE9F8E3F307D97755BC0D2DC0CB342CEDAE81FBBAD32A8A9
SHA-512:37D3218BC767C44E8197555D3FA18D5AAD43A536CFE24AC17BF8A3084FB70BD4763CCFD16D2DF405538B657F720871E0CD312DFEB7F592F3AAC34D9D00D5A643
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):4458776
Entropy (8bit):6.460390021076921
Encrypted:false
SSDEEP:49152:myrXfGIy+Bqk5c5Ad2nwZT3Q6wsV136cR2DZvbK30xLNZcAgVBvcpYcvl1IDWbH3:Uw5tVBlicWdvoDkHUMF7Ph/qe
MD5:63A1FA9259A35EAEAC04174CECB90048
SHA1:0DC0C91BCD6F69B80DCDD7E4020365DD7853885A
SHA-256:14B06796F288BC6599E458FB23A944AB0C843E9868058F02A91D4606533505ED
SHA-512:896CAA053F48B1E4102E0F41A7D13D932A746EEA69A894AE564EF5A84EF50890514DECA6496E915AAE40A500955220DBC1B1016FE0B8BCDDE0AD81B2917DEA8B
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):669184
Entropy (8bit):6.03765159448253
Encrypted:false
SSDEEP:6144:zxxMpraRSS9Y68EuBPjIQN5cJzS7bUxgyPxFMH0PIXY3dVVVVAuLpdorrcK/CXjW:zxxMZMX1bQIJO7bazPEQSYNBLpdwNu
MD5:65DD753F51CD492211986E7B700983EF
SHA1:F5B469EC29A4BE76BC479B2219202F7D25A261E2
SHA-256:C3B33BA6C4F646151AED4172562309D9F44A83858DDFD84B2D894A8B7DA72B1E
SHA-512:8BD505E504110E40FA4973FEFF2FAE17EDC310A1CE1DC78B6AF7972EFDD93348087E6F16296BFD57ABFDBBE49AF769178F063BB0AA1DEE661C08659F47A6216D
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):134656
Entropy (8bit):5.992653928086484
Encrypted:false
SSDEEP:3072:DLVxziezwPZSMaAXpuuwNNDY/r06trfSsSYOejKVJBtGdI8hvnMu:HfziezwMMaAX2Y/rxjbOejKDBtG681n
MD5:CEB06A956B276CEA73098D145FA64712
SHA1:6F0BA21F0325ACC7CF6BF9F099D9A86470A786BF
SHA-256:C8EC6429D243AEF1F78969863BE23D59273FA6303760A173AB36AB71D5676005
SHA-512:05BAB4A293E4C7EFA85FA2491C32F299AFD46FDB079DCB7EE2CC4C31024E01286DAAF4AEAD5082FC1FD0D4169B2D1BE589D1670FCF875B06C6F15F634E0C6F34
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):29976
Entropy (8bit):6.627859470728624
Encrypted:false
SSDEEP:768:gUC2hwhVHqOmEVILQG35YiSyvrYPxWEl6:FC2ehVKOmEVILQGp7SyEPxe
MD5:A653F35D05D2F6DEBC5D34DADDD3DFA1
SHA1:1A2CEEC28EA44388F412420425665C3781AF2435
SHA-256:DB85F2F94D4994283E1055057372594538AE11020389D966E45607413851D9E9
SHA-512:5AEDE99C3BE25B1A962261B183AE7A7FB92CB0CB866065DC9CD7BB5FF6F41CC8813D2CC9DE54670A27B3AD07A33B833EAA95A5B46DAD7763CA97DFA0C1CE54C9
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5
Entropy (8bit):1.9219280948873623
Encrypted:false
SSDEEP:3:Lvn:Lv
MD5:00305BC1FB89E33403A168E6E3E2EC08
SHA1:A39CA102F6B0E1129E63235BCB0AD802A5572195
SHA-256:0B77BDB04E0461147A7C783C200BC11A6591886E59E2509F5D7F6CB7179D01AB
SHA-512:DB43B091F60DE7F8C983F5FC4009DB89673215CCD20FD8B2CED4983365A74B36AC371E2E85397CAC915C021377E26F2C4290915EA96F9E522E341E512C0FC169
Malicious:false
Reputation:unknown
Preview:pip..
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):1050
Entropy (8bit):5.072538194763298
Encrypted:false
SSDEEP:24:1rmJHcwH0MP3gt8Hw1hj9QHOsUv4eOk4/+/m3oqMSFJ:1aJ8YHvEH5QHOs5exm3oEFJ
MD5:7A7126E068206290F3FE9F8D6C713EA6
SHA1:8E6689D37F82D5617B7F7F7232C94024D41066D1
SHA-256:DB3F0246B1F9278F15845B99FEC478B8B506EB76487993722F8C6E254285FAF8
SHA-512:C9F0870BC5D5EFF8769D9919E6D8DDE1B773543634F7D03503A9E8F191BD4ACC00A97E0399E173785D1B65318BAC79F41D3974AE6855E5C432AC5DACF8D13E8A
Malicious:false
Reputation:unknown
Preview:Copyright Jason R. Coombs..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to.deal in the Software without restriction, including without limitation the.rights to use, copy, modify, merge, publish, distribute, sublicense, and/or.sell copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING.FROM, OUT OF OR IN CONNECTION WITH THE SOFTW
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):5131
Entropy (8bit):5.122995579924766
Encrypted:false
SSDEEP:96:DpwYyJX4a113or1uCDIG0wMHodIDbVWKWddpnzYDiHNlP37POX7FwTtPMk:a4rMYIG0wMHodIDbAd/n7AFwTJ
MD5:FFCB84AF49AB52C4FDD312F814E14B0D
SHA1:89C9D3D82455A1BD5EB8B938DD3E5FCBFB1D36B0
SHA-256:75CDE8A60801D637767D85E414FBBB80B222AA2774199A8B419E197BC245109A
SHA-512:83219D0BF52253309AF3D5F9BF37474C765DF94A5D363ADFDCAE956D88B795D477237107321AAD90BBCF79D438200672C9354B44E4D4D2FD630FBC4AEF248972
Malicious:false
Reputation:unknown
Preview:Metadata-Version: 2.1.Name: setuptools.Version: 60.2.0.Summary: Easily download, build, install, upgrade, and uninstall Python packages.Home-page: https://github.com/pypa/setuptools.Author: Python Packaging Authority.Author-email: distutils-sig@python.org.License: UNKNOWN.Project-URL: Documentation, https://setuptools.pypa.io/.Keywords: CPAN PyPI distutils eggs package management.Platform: UNKNOWN.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Topic :: Software Development :: Libraries :: Python Modules.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: Topic :: System :: Systems Administration.Classifier: Topic :: Utilities.Requires-Python: >=3.7.License-File: LICENSE.Provides-Extra: certs.Provides-Extra: docs.Requires-Dist: sphinx ; extra == 'docs'.Requ
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:CSV text
Category:dropped
Size (bytes):21957
Entropy (8bit):5.622802101148321
Encrypted:false
SSDEEP:384:L46dEofm3e5I9cbmBBdJJa1uy/MqhHH7TPmT2ILwg:LTcY190qhHbT9q5
MD5:B42FD355E6FFFC68D43E12963C0F7D47
SHA1:81E5A1AA111B414DC8BCD642E21363BC17D4538D
SHA-256:1FA525F06E0C9DD86266758AC257D53AA42A4944D07ACA85CBFC5970A0030BB3
SHA-512:19A2AA1C5F1660AC920953F760D8BBA084725727A9E0D2A78659995AF677481C8349765DFE8539C2E0BC1418EC008C5BA89D005CCB9A3602ADF9629A5862D900
Malicious:false
Reputation:unknown
Preview:distutils-precedence.pth,sha256=JjjOniUA5XKl4N5_rtZmHrVp0baW_LoHsN0iPaX10iQ,151._distutils_hack/__init__.py,sha256=YA_zRyutXEbuZDipUW6EQoLC6PuUbvYsGyBg-aL-PCs,4741._distutils_hack/override.py,sha256=Eu_s-NF6VIZ4Cqd0tbbA5wtWky2IZPNd8et6GLt1mzo,44.pkg_resources/__init__.py,sha256=uAnPq8FsTXHAEHFWK7UU9AhdNjE4o5Skfk8CyfbztO8,108573.pkg_resources/_vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0.pkg_resources/_vendor/appdirs.py,sha256=MievUEuv3l_mQISH5SF0shDk_BNhHHzYiAPrT3ITN4I,24701.pkg_resources/_vendor/pyparsing.py,sha256=tmrp-lu-qO1i75ZzIN5A12nKRRD1Cm4Vpk-5LR9rims,232055.pkg_resources/_vendor/packaging/__about__.py,sha256=IIRHpOsJlJSgkjq1UoeBoMTqhvNp3gN9FyMb5Kf8El4,661.pkg_resources/_vendor/packaging/__init__.py,sha256=b9Kk5MF7KxhhLgcDmiUWukN-LatWFxPdNug0joPhHSk,497.pkg_resources/_vendor/packaging/_manylinux.py,sha256=XcbiXB-qcjv3bcohp6N98TMpOP4_j3m-iOA8ptK2GWY,11488.pkg_resources/_vendor/packaging/_musllinux.py,sha256=z5yeG1ygOPx4uUyLdqj-p8Dk5UBb5H_b0NIjW9yo8oA,4
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):92
Entropy (8bit):4.820827594031884
Encrypted:false
SSDEEP:3:RtEeX7MWcSlViZHKRRP+tPCCfA5S:RtBMwlViojWBBf
MD5:4D57030133E279CEB6A8236264823DFD
SHA1:0FDC3988857C560E55D6C36DCC56EE21A51C196D
SHA-256:1B5E87E00DC87A84269CEAD8578B9E6462928E18A95F1F3373C9EEF451A5BCC0
SHA-512:CD98F2A416AC1B13BA82AF073D0819C0EA7C095079143CAB83037D48E9A5450D410DC5CF6B6CFF3F719544EDF1C5F0C7E32E87B746F1C04FE56FAFD614B39826
Malicious:false
Reputation:unknown
Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.37.1).Root-Is-Purelib: true.Tag: py3-none-any..
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):2636
Entropy (8bit):4.537672046416617
Encrypted:false
SSDEEP:24:+MsTUR572Ku3ky1QchLtoZ+kMySDZZdmRxmgidTFLaelXdcEcijVbxS9djdh2PhN:l9Zvy3g6ySDsm90rZh2Phv4hhpTqToq
MD5:57379A87F47EA4C2646046CE29BCC753
SHA1:E339BE8333DA128C7E1BCF193BD8D61D511DE75D
SHA-256:C299E12EB6EDCA4E21675A820B0E3C7024B1A103F350B32122E685AAC07B1B14
SHA-512:EDF64E3354C7C5E07461658894DCB82FECD71B9A1DAC7FAAD6BAB378C43111D4349FAE6DC7FCE87D0F50099E55CB835431F2364A988067A46EEEC8BB81ADA319
Malicious:false
Reputation:unknown
Preview:[distutils.commands].alias = setuptools.command.alias:alias.bdist_egg = setuptools.command.bdist_egg:bdist_egg.bdist_rpm = setuptools.command.bdist_rpm:bdist_rpm.build_clib = setuptools.command.build_clib:build_clib.build_ext = setuptools.command.build_ext:build_ext.build_py = setuptools.command.build_py:build_py.develop = setuptools.command.develop:develop.dist_info = setuptools.command.dist_info:dist_info.easy_install = setuptools.command.easy_install:easy_install.egg_info = setuptools.command.egg_info:egg_info.install = setuptools.command.install:install.install_egg_info = setuptools.command.install_egg_info:install_egg_info.install_lib = setuptools.command.install_lib:install_lib.install_scripts = setuptools.command.install_scripts:install_scripts.rotate = setuptools.command.rotate:rotate.saveopts = setuptools.command.saveopts:saveopts.sdist = setuptools.command.sdist:sdist.setopt = setuptools.command.setopt:setopt.test = setuptools.command.test:test.upload_docs = setuptools.comman
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):41
Entropy (8bit):3.9115956018096876
Encrypted:false
SSDEEP:3:3Wd+Nt8AfQYv:3Wd+Nttv
MD5:789A691C859DEA4BB010D18728BAD148
SHA1:AEF2CBCCC6A9A8F43E4E150E7FCF1D7B03F0E249
SHA-256:77DC8BDFDBFF5BBAA62830D21FAB13E1B1348FF2ECD4CDCFD7AD4E1A076C9B88
SHA-512:BC2F7CAAD486EB056CB9F68E6C040D448788C3210FF028397CD9AF1277D0051746CAE58EB172F9E73EA731A65B2076C6091C10BCB54D911A7B09767AA6279EF6
Malicious:false
Reputation:unknown
Preview:_distutils_hack.pkg_resources.setuptools.
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1123608
Entropy (8bit):5.3853088605790385
Encrypted:false
SSDEEP:12288:6mwlRMmuZ63NTQCb5Pfhnzr0ql8L8kcM7IRG5eeme6VZyrIBHdQLhfFE+uQfk:ulRuUZV0m8UMMREtV6Vo4uYQfk
MD5:81D62AD36CBDDB4E57A91018F3C0816E
SHA1:FE4A4FC35DF240B50DB22B35824E4826059A807B
SHA-256:1FB2D66C056F69E8BBDD8C6C910E72697874DAE680264F8FB4B4DF19AF98AA2E
SHA-512:7D15D741378E671591356DFAAD4E1E03D3F5456CBDF87579B61D02A4A52AB9B6ECBFFAD3274CEDE8C876EA19EAEB8BA4372AD5986744D430A29F50B9CAFFB75D
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.eJ).eJ).eJ)...).eJ)..K(.eJ)..O(.eJ)..N(.eJ)..I(.eJ)|.K(.eJ)..K(.eJ).eK).eJ)|.G(.eJ)|.J(.eJ)|..).eJ)|.H(.eJ)Rich.eJ)........................PE..d.....,d.........." .....B.......... *.......................................@......Q.....`.............................................X............ ..........H......../...0.......`..T........................... a..8............`..x............................text...9A.......B.................. ..`.rdata.......`.......F..............@..@.data...............................@....pdata..H...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5
Entropy (8bit):1.9219280948873623
Encrypted:false
SSDEEP:3:Lvn:Lv
MD5:00305BC1FB89E33403A168E6E3E2EC08
SHA1:A39CA102F6B0E1129E63235BCB0AD802A5572195
SHA-256:0B77BDB04E0461147A7C783C200BC11A6591886E59E2509F5D7F6CB7179D01AB
SHA-512:DB43B091F60DE7F8C983F5FC4009DB89673215CCD20FD8B2CED4983365A74B36AC371E2E85397CAC915C021377E26F2C4290915EA96F9E522E341E512C0FC169
Malicious:false
Reputation:unknown
Preview:pip..
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):1125
Entropy (8bit):5.143411674177603
Encrypted:false
SSDEEP:24:UYWBarRONJHLH0cPP3gtkHw1h39QHOsUv4eOk4/+jvho3nPz:LtONJbbvE/NQHOs5eNS3n7
MD5:9D66B41BC2A080E7174ACC5DFFECD752
SHA1:53AA128E9D6387E9BB9D945FDCBF1AB4D003BAED
SHA-256:CCA9E20C6AF1FCFBF69408F377769286CBEEBCDED336100C9B4A3F35FBE635E4
SHA-512:12CBE04D36D2F0A856DA2001DC7D98D9E431DA37CCCF08F8AF20DD537F5AE7A19E1A7015C3A5542C0329EFBEC7E582751E4CEBCCB459C779BE804AA5B34D5E95
Malicious:false
Reputation:unknown
Preview:"wheel" copyright (c) 2012-2014 Daniel Holth <dholth@fastmail.fm> and.contributors...The MIT License..Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR.OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRA
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:Unicode text, UTF-8 text
Category:dropped
Size (bytes):2328
Entropy (8bit):5.1185004431709
Encrypted:false
SSDEEP:48:DE53Cnd+p8d+zztjaaxLiPktzCliwqrwOT8RfkD1UKd+mOl1Awr+:DE5yQPzztjaaxmPktW0lrfOfsUzmbY+
MD5:DE7F3CDD29B458BD18463100490C8EFF
SHA1:F6677870E4F8A9D914C13FCEF5DB1AF2A7BA5624
SHA-256:62679B757C0F42517DF1DA7D57E0B2E01944F8CF9F14CF89F5C3D556F952522F
SHA-512:584491196B7757B108FB6535B687E28B3C4BEB56162CC6DE4911C211B7A000B0AF2B7A26AFAB73422DA6876F568D4CCE23802D27C57CF7D6565BD02877B08A32
Malicious:false
Reputation:unknown
Preview:Metadata-Version: 2.1.Name: wheel.Version: 0.37.1.Summary: A built-package format for Python.Home-page: https://github.com/pypa/wheel.Author: Daniel Holth.Author-email: dholth@fastmail.fm.Maintainer: Alex Gr.nholm.Maintainer-email: alex.gronholm@nextday.fi.License: MIT.Project-URL: Documentation, https://wheel.readthedocs.io/.Project-URL: Changelog, https://wheel.readthedocs.io/en/stable/news.html.Project-URL: Issue Tracker, https://github.com/pypa/wheel/issues.Keywords: wheel,packaging.Platform: UNKNOWN.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 2.Classifier: Programming Language :: Python :: 2.7.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3.5.Classifier: Programming Language :: Python ::
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:CSV text
Category:dropped
Size (bytes):2657
Entropy (8bit):5.738906743733574
Encrypted:false
SSDEEP:48:/exuRklpzybyrvGy+myCqTQgYvH6MHIS8mvinJ3yGnJ3ykz1lQERayzYsoRLmlJi:mxVlkmrvZnyCqTQDvH6MHp8uiJCGJCkc
MD5:92F640958CC843ABF1B37B511B6BD5AE
SHA1:5248FD1AAE16910FE6FDF9914CB5FC5B24F0906F
SHA-256:E2028F94F2C8579CB22A3260083CD34D5FD3CD590150F471EB8169BEED7152D5
SHA-512:949991767039F1DB9851F222CD3FA16F0D812CC2BD885A389C78E2091C3B68E9292C4AA876172CC4C48E09F84947013DA6DC2589911A7D192F5748C6DDEF4F86
Malicious:false
Reputation:unknown
Preview:wheel/__init__.py,sha256=yLOqsEZUPaM3VNKOMxQraLgCCyF8q3k10KY4C1Hi_Lo,23.wheel/__main__.py,sha256=lF-YLO4hdQmoWuh4eWZd8YL1U95RSdm76sNLBXa0vjE,417.wheel/bdist_wheel.py,sha256=2vfv3g_b8BvZ5Do9bpLEBdu9dQEcvoMQ1flXpKYFJDU,19075.wheel/macosx_libfile.py,sha256=Xvp-IrFyRJ9RThIrPxfEpVCDGfljJPWRTZiyopk70hI,15930.wheel/metadata.py,sha256=b3kPhZn2w2D9wengltX5nGIZQ3ERUOQ5U-K5vHKPdeg,4344.wheel/pkginfo.py,sha256=GR76kupQzn1x9sKDaXuE6B6FsZ4OkfRtG7pndlXPvQ4,1257.wheel/util.py,sha256=mnNZkJCi9DHLI_q4lTudoD0mW97h_AoAWl7prNPLXJc,938.wheel/wheelfile.py,sha256=NyH8VcFLvu7jUwH6r4KoL_U45OKFVpUyJ5Z7gRAI_Lc,7574.wheel/cli/__init__.py,sha256=GWSoGUpRabTf8bk3FsNTPrc5Fsr8YOv2dX55iY2W7eY,2572.wheel/cli/convert.py,sha256=7F4vj23A2OghDDWn9gX2V-_TeXMza1a5nIejmFGEUJM,9498.wheel/cli/pack.py,sha256=Bfq6KrHicZKrpbktkreeRxIaWwBozUP99JQy2D8-ddY,3364.wheel/cli/unpack.py,sha256=0VWzT7U_xyenTPwEVavxqvdee93GPvAFHnR3Uu91aRc,673.wheel/vendored/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0.wheel/vendored/packag
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):110
Entropy (8bit):4.816968543485036
Encrypted:false
SSDEEP:3:RtEeX7MWcSlViZHKRRP+tPCCf7irO5S:RtBMwlViojWBBwt
MD5:8CFA23CB3A9E0E9F30077848A14BE857
SHA1:E5AC311BA9EEC5C0CCDDC091AC7C0D62A72ECF72
SHA-256:CFD8F4C406BF26650A3299B3EF62B464600B48CFE7FB04159866E5797C765478
SHA-512:039CB61C67F02B3B349102FA40FBB55FCA46D54007309FD08B2707E2CAC74FDDDBB39B18730704209DB4852BB9BB18078EF6A6A57ACF0F0BA4951D7A249521BD
Malicious:false
Reputation:unknown
Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.37.1).Root-Is-Purelib: true.Tag: py2-none-any.Tag: py3-none-any..
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):108
Entropy (8bit):4.342039869160156
Encrypted:false
SSDEEP:3:1SSAsVYgh+MWTMhk6WjwVM5t5ln:1rb9WTMhk9jSM5t5ln
MD5:7AB099DD08D127FFF9A98B12A6B127E0
SHA1:8454C246D5A924CC6A13F5BFA188468E00F4D179
SHA-256:37C1DB605493DF2ACD418781DB05D60443D4845B04B4A3513DA0851893F2AB27
SHA-512:866EAFE67528CE8B692F474E7883BF776644CD41D13220D9C7F9446F7E325104C2F4ABF9B08701E470423756511D452885DFA1B875D4661D3472BC2002C28492
Malicious:false
Reputation:unknown
Preview:[console_scripts].wheel = wheel.cli:main..[distutils.commands].bdist_wheel = wheel.bdist_wheel:bdist_wheel..
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text
Category:dropped
Size (bytes):6
Entropy (8bit):2.2516291673878226
Encrypted:false
SSDEEP:3:/sv:/sv
MD5:EF72659542687B41FB1A4225120F41FA
SHA1:3EF6EE742B2E851DEA1F754CE60A1FC222194799
SHA-256:1F148121B804B2D30F7B87856B0840EBA32AF90607328A5756802771F8DBFF57
SHA-512:A16A6E11367C986B2A7B38C491943B28F402081D3E2D41474C9E61BE44941133E87CB821750AD27A1E46FA2AFF9F93B8584C37247BDE219ABAC12D3D6EE4477C
Malicious:false
Reputation:unknown
Preview:wheel.
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):14848
Entropy (8bit):5.112106937352672
Encrypted:false
SSDEEP:192:lGCm72PEO1jIUs0YqEcPbF55UgCWV4rofnbPmitE255qDLWn7ycLmrO/:8ardA0Bzx14r6nbN50W9/
MD5:F9C9445BE13026F8DB777E2BBC26651D
SHA1:E1D58C30E94B00B32AD1E9B806465643F4AFE980
SHA-256:C953DB1F67BBD92114531FF44EE4D76492FDD3CF608DA57D5C04E4FE4FDD1B96
SHA-512:587D9E8521C246865E16695E372A1675CFBC324E6258DD03479892D3238F634138EBB56985ED34E0C8C964C1AB75313182A4E687B598BB09C07FC143B506E9A8
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......tSf.02..02..02..9J..22..bG..22..$Y..22..bG..;2..bG..82..bG..32..[..32..02...2...G..12...G..12...G..12..Rich02..................PE..d......d.........." ......................................................................`..........................................;..`...`;..d....p..t....`..................@...|2..T............................2..8............0..p............................text............................... ..`.rdata..$....0......................@..@.data........P......................@....pdata.......`.......0..............@..@.rsrc...t....p.......4..............@..@.reloc..@............8..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):133632
Entropy (8bit):5.849731189887005
Encrypted:false
SSDEEP:3072:l2J5loMoEg9enX4oD8cdf0nlRVFhLaNKP/IyymuqCyqJhe:cblovEgqXHdfqlRVlP/IyzCyy
MD5:00E5DA545C6A4979A6577F8F091E85E1
SHA1:A31A2C85E272234584DACF36F405D102D9C43C05
SHA-256:AC483D60A565CC9CBF91A6F37EA516B2162A45D255888D50FBBB7E5FF12086EE
SHA-512:9E4F834F56007F84E8B4EC1C16FB916E68C3BAADAB1A3F6B82FAF5360C57697DC69BE86F3C2EA6E30F95E7C32413BABBE5D29422D559C99E6CF4242357A85F31
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.uV....................N.......N.......N.......................N...................J...........................Rich............PE..d......d.........." .........................................................P............`..........................................................0..\....................@..$....v..T............................<..8............0..........@....................text............................... ..`.rdata......0......................@..@.data...x(......."..................@....pdata..............................@..@.rsrc...\....0......................@..@.reloc..$....@......................@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):28672
Entropy (8bit):5.557243649975138
Encrypted:false
SSDEEP:384:qwXwVM65Ix6Hey0a4SqSv/L/jhfWddbcQ857W5/hoOn0k/MwGCHRUyGa/:Fn6oDOb/jhfWddbcrwYOn0k/MwJYa
MD5:98D246A539426C3A7A842D6CF286D46D
SHA1:CEF7350297F7E1E2407C9125033DC972C3171122
SHA-256:7461A15657C7516237B020357CCF6DE1D07B1C781149C0DA7892AEA0EA63A825
SHA-512:F2FE96082C333210261A1247155373276A58A9E6128374A6FBA252D39CB78B286A30C48E05D2EB1E0B41653598BB114C0361BC55808FE091E8A13CDE0B59AC5F
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*.@sD.@sD.@sD.I...DsD...E.BsD...A.JsD...@.HsD...G.CsD..E.BsD...E.BsD.T.E.EsD.@sE..sD..M.AsD..D.AsD..F.AsD.Rich@sD.........PE..d......d.........." .....8...4.......3....................................................`..........................................f..T...$g..........d............................Z..T............................Z..8............P...............................text...(6.......8.................. ..`.rdata...#...P...$...<..............@..@.data................`..............@....pdata...............d..............@..@.rsrc...d............j..............@..@.reloc...............n..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):73216
Entropy (8bit):5.762045981366128
Encrypted:false
SSDEEP:1536:idrARomwyEvN7xM8v2uuYTtEJaLGDXYBFB8Dmz:qIomwySmm2uuYJEJaLGDXkFB8qz
MD5:20CA43E99D008452833394B4AB4D9239
SHA1:97E6DC871483540551CBF44B7727CE91ADCDA844
SHA-256:28783A9111E539BD0EDBB97C9204C983E1D15DC7A0E7A6D4DE02DF1A3D5E3566
SHA-512:273323375886835BC4E737984586BC31FFDCC185A3FA3CA1181CB65B2D6D1867E527B3226484ECD8DD902A02CF94B4AB8F7C88744235543ED83620206E65E7C0
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u...u...u...|f).s...'k..q...'k..}...'k..v....k..w....w..w...'k..f...au..p...u........k..t....k..t....kE.t....k..t...Richu...................PE..d......d.........." ................P........................................`............`.............................................X...8........@.. ....0..|............P..l.......T...........................`...8...............`.......@....................text............................... ..`.rdata..&\.......^..................@..@.data...............................@....pdata..|....0......................@..@.rsrc... ....@......................@..@.reloc..l....P......................@..B................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):143360
Entropy (8bit):5.9314950978938334
Encrypted:false
SSDEEP:3072:XkXeNNnoGygqaE7Byk+YXR4Ei1HPUb1+JybQhzacKG6t6BU:XkX8Nugqz7Byk+QRVi1vUbc0bCacu
MD5:D09207A5F23C943F911B5FC301BBE97A
SHA1:735C69217D80E1986C681B4B74629E79A3C95934
SHA-256:B1B0A1F9C8903E2EC65B9D6A4AC746E72090DB9A34F2A180B79769C9C5B15085
SHA-512:68BE8558026EBCEECFC29D91F6E040E4DDE2EF4DED2D471CB547C081B4D947CDF15B77CD5CD6C3BAA37FD2C92A297D2A5CA7B2ED2D27B88B09BB521F61725B4A
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........=.ahn.ahn.ahn...n.ahn..io.ahn..mo.ahn..lo.ahn..ko.ahne.io.ahn..io.ahn..io.ahn.ain.`hne.ao.ahne.ho.ahne.jo.ahnRich.ahn........PE..d......d.........." .....@...........6.......................................p............`.............................................T...4........P..\....0...............`......x...T..............................8............P...............................text...N?.......@.................. ..`.rdata.......P.......D..............@..@.data....'....... ..................@....pdata.......0......................@..@.rsrc...\....P.......(..............@..@.reloc.......`.......,..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):93184
Entropy (8bit):5.244759668592125
Encrypted:false
SSDEEP:1536:QJCZO2AJy8OCCyNNOYz0/bNFogGC6WEhj9BBP4f:QrtIpAmEhxBl4f
MD5:4404218C4F6A61C338F332B2A9402C10
SHA1:C48DDA2E4C2F06ED406F678131D485DB28294599
SHA-256:E5002A894100FE9F43BACA194013702EBB8F8DF6A6909BE76D79E1C539E58FFD
SHA-512:65E0F0DEE8F6A83951F8091FCF6CA62D559E125B8F0E9B306BF7F0A95EB59FC6CB42A95003E15AACC470DA10AF2CCCFC87518E6A4139FBBCEB117CB63594A75F
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:...T...T...T......T..U...T..Q...T..P...T..W...T.Z.U...T.<.U...T...U...T...U.).T.Z.]...T.Z.T...T.Z.V...T.Rich..T.........PE..d......d.........." ................t.....................................................`.............................................P...`...........\...........................\...T...............................8............................................text............................... ..`.rdata...b.......d..................@..@.data...hQ... ...L..................@....pdata...............R..............@..@.rsrc...\............b..............@..@.reloc...............f..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):28160
Entropy (8bit):5.501710845558622
Encrypted:false
SSDEEP:384:vvGJPNu6PrVo4r8MhY7jgzgCoASCwz8T8VBBr/kVyhPDmM/f:vv0/DpGXJC6VB5/LhKi
MD5:43C630BE751F1B465DCD77E036797309
SHA1:A10EE078EB475674BB7BCC349B5F4B283E763EB5
SHA-256:DDE06EAA71699359C23D4C564AD25785FA933CE28DD117EBFB374D276537C6EC
SHA-512:6FD2163860D7559C4D3E7E43EE5C462EC8B01FCFAEAC47ED4056CEA74C07E7D46863C5395D52A514D6844369AB7EA031186AAE54CEDFD636B94740A8BB276966
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t..X0...0...0...9.#.6...b..4...$...2...b..;...b..8...b..3......2......3...0...P......1......1......1...Rich0...........PE..d......d.........." .....4...6......T0....................................................`..........................................f..T...Tf..........\.......(...................@Z..T............................Z..8............P..@............................text...@3.......4.................. ..`.rdata..z$...P...&...8..............@..@.data................^..............@....pdata..(............b..............@..@.rsrc...\............h..............@..@.reloc...............l..............@..B................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):23552
Entropy (8bit):5.279236779449316
Encrypted:false
SSDEEP:384:peeH8ZmV+zknwMsADuVLw0T8DmrRl2j9BfEAZnpC9QJQ1BA:5+zi/uVDS9dl6pB
MD5:B291ADAB2446DA62F93369A0DD662076
SHA1:A6B6C1054C1F511C64AEFB5F6C031AFE553E70F0
SHA-256:C5AD56E205530780326BD1081E94B212C65082B58E0F69788E3DC60EFFBD6410
SHA-512:847CC9E82B9939DBDC58BFA3E5A9899D614642E0B07CF1508AA866CD69E4AD8C905DBF810A045D225E6C364E1D9F2A45006F0EB0895BCD5AAF9D81EE344D4AEA
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*U@qD.@qD.@qD.I...DqD...E.BqD...A.JqD...@.HqD...G.CqD...E.BqD...E.BqD.T.E.EqD.@qE..qD...M.AqD...D.AqD...F.AqD.Rich@qD.................PE..d......d.........." .....,...,.......(....................................................`..........................................Q..T...dQ..........d....p.......................G..T...........................0H..8............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...(....`.......L..............@....pdata.......p.......R..............@..@.rsrc...d............V..............@..@.reloc...............Z..............@..B........................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):527872
Entropy (8bit):6.165923585421349
Encrypted:false
SSDEEP:6144:bXtpsewPjUA2jGZ90SmgopJgUCBKw84O3Rpd0K1VS0cTZdxi2y3:bXtp5sIAN90pleK1VSXXi2g
MD5:C2E1B245D4221BDA4C198CF18D9CA6AF
SHA1:9682B6E966495F7B58255348563A86C63FBD488C
SHA-256:89A8651DAD701DCE6B42B0E20C18B07DF6D08A341123659E05381EE796D23858
SHA-512:C2F57E9303D37547671E40086DDAD4B1FC31C52D43994CFCEC974B259125E125C644873073F216F28066BB0C213CBEB1B9A3C149727C9F1BC50F198AC45A4C8A
Malicious:true
Reputation:unknown
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......M................).....[......[......[......[...................................................O.................Rich............................PE..d...(..d.........." ....."..........t.....................................................`.............................................L...............L.......xx...............!......T..............................8............@...............................text...^!.......".................. ..`.rdata.......@.......&..............@..@.data...@....0...^..................@....pdata..xx.......z...n..............@..@.rsrc...L...........................@..@.reloc...!......."..................@..B................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):4
Entropy (8bit):2.0
Encrypted:false
SSDEEP:3:qn:qn
MD5:3F1D1D8D87177D3D8D897D7E421F84D6
SHA1:DD082D742A5CB751290F1DB2BD519C286AA86D95
SHA-256:F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
SHA-512:2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
Malicious:false
Reputation:unknown
Preview:blat
Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):4
Entropy (8bit):2.0
Encrypted:false
SSDEEP:3:qn:qn
MD5:3F1D1D8D87177D3D8D897D7E421F84D6
SHA1:DD082D742A5CB751290F1DB2BD519C286AA86D95
SHA-256:F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
SHA-512:2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
Malicious:false
Reputation:unknown
Preview:blat
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):18127
Entropy (8bit):4.036737741619669
Encrypted:false
SSDEEP:192:xaz+aCQbjdBCLCgfvtfLEmmVxJzLKLIW7cBFCoSM0fvJ93eyryH1MqG1xcRY/c5f:seh/IMHexG4q2
MD5:B7F65A3A169484D21FA075CCA79083ED
SHA1:5DBFA18928529A798FF84C14FD333CB08B3377C0
SHA-256:32585B93E69272B6D42DAC718E04D954769FE31AC9217C6431510E9EEAD78C49
SHA-512:EDA2F946C2E35464E4272B1C3E4A8DC5F17093C05DAB9A685DBEFD5A870B9D872D8A1645ED6F5B9A72BBB2A59D22DFA58FBF420F6440278CCBE07B6D0555C283
Malicious:false
Reputation:unknown
Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset134 SimSun;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT \f1\'dc\'9b\'f3\'77\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\f0\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f1\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'ca\'c7\'d9\'46\'d3\'c3\'91\'f4\'c5\'63\f0 Microsoft Corporation (\f1\'bb\'f2\'c6\'e4\'ea\'50\'82\'53\'c6\'f3\'98\'49\'a3\'ac\'d2\'95\'d9\'46\'d3\'c3\'91\'f4\'cb\'f9\'be\'d3\'d7\'a1\'b5\'c4\'b5\'d8\'fc\'63\'b6\'f8\'b6\'a8\f0 ) \f1\'d6\'ae\'e9\'67\'b3\'c9\'c1\'a2\'b5\'c4\'ba\'cf\'bc\'73\'a1\'a3\'cb\'fb\'82\'83\'df\'6d\'d3\'c3\'ec\'b6\'c9\'cf\'ca\'f6\'dc\'9b\'f3\'77\'a3\'ac\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'d2\'e0\'df\'6d\'d3\'c3\'ec\'b6\'c8\'ce\'ba\'ce\f0 Microsoft \f1\'b7\'fe\'84\'d5\'bb\'f2\'b1\'be\'dc\'9b\'f3\'77\'d6\'ae\'b8\'fc\'d0\'c2\'a3
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):2980
Entropy (8bit):6.163758160900388
Encrypted:false
SSDEEP:48:c5DiTlOtMes9T/JhDXsA9EHSniarRFeOrw8N3mZNNTN2N08CEjMUWFPmDlTKJKy2:uDiTlFrDDsA9tfHP8+8nhM0WamzqDFqD
MD5:472ABBEDCBAD24DBA5B5F5E8D02C340F
SHA1:974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
SHA-256:8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
SHA-512:676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ................. ......................../passive | /quiet - .... UI ........... UI.... ........... UI ........../norestart - ................UI ............./log log.txt - .........
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):13053
Entropy (8bit):5.125552901367032
Encrypted:false
SSDEEP:192:TKwfs7OUpXLa5HEXQwNCNvZSjotXxiwH++3kamdEj6ZDbugDHgbGNlv6NbrYGY9x:Lfs7c5DRH0aHmJGpafU0AliwGra2
MD5:B408556A89FCE3B47CD61302ECA64AC9
SHA1:AAC1CDAF085162EFF5EAABF562452C93B73370CB
SHA-256:21DDCBB0B0860E15FF9294CBB3C4E25B1FE48619210B8A1FDEC90BDCDC8C04BC
SHA-512:BDE33918E68388C60750C964CDC213EC069CE1F6430C2AA7CF1626E6785C7C865094E59420D00026918E04B9B8D19FA22AC440F851ADC360759977676F8891E7
Malicious:false
Reputation:unknown
Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 LICEN\f1\'c8N\f0\'cd PODM\'cdNKY PRO SOFTWARE SPOLE\f1\'c8NOSTI MICROSOFT\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Tyto licen\f1\'e8n\f0\'ed podm\'ednky p\f1\'f8edstavuj\f0\'ed smlouvu mezi spole\f1\'e8nost\f0\'ed Microsoft Corporation (nebo n\f1\'eckterou z\~jej\f0\'edch afilac\'ed v\~z\'e1vislosti na tom, kde bydl\'edte) a\~v\'e1mi. Vztahuj\'ed se na v\'fd\f1\'9ae uveden\f0\'fd software. Podm\'ednky se rovn\f1\'ec\'9e vztahuj\f0\'ed na jak\'e9koli slu\f1\'9eby Microsoft nebo aktualizace pro software, pokud se na slu\'9eby nebo aktualizace nevztahuj\f0\'ed odli\f1\'9an\f0\'e9 podm\'ednky.\par..\b DODR\f1\'8e\f0\'cdTE-LI TYTO
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):3333
Entropy (8bit):5.370651462060085
Encrypted:false
SSDEEP:48:c5DiTlOtesM6H2hDdxHOjZxsaIIy3Iy5sDMN3mkNFN7NwcfiPc3hKPnWZLF0hKqZ:uDiTlVxxHOy/9xXfpZJYnL8xK2S
MD5:16343005D29EC431891B02F048C7F581
SHA1:85A14C40C482D9351271F6119D272D19407C3CE9
SHA-256:07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
SHA-512:FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instala.n. program [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="HelpHeader">N.pov.da nastaven.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [adres..] . Nainstaluje, oprav., odinstaluje nebo.. vytvo.. .plnou m.stn. kopii svazku v adres..i. V.choz. mo.nost. je instalace...../passive | /quiet . Zobraz. minim.ln. u.ivatelsk. rozhran. bez v.zev nebo nezobraz. ..dn. u.ivatelsk. rozhran. a.. ..dn. v.zvy. V.choz. mo.nost. je zobrazen. u.ivatelsk.ho rozhran. a v.ech v.zev...../noresta
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):11936
Entropy (8bit):5.194264396634094
Encrypted:false
SSDEEP:192:+XkOmRUOl6WBsl4kA+sn+mvtI0qHl4qj+iPqk6kVV9iX9GzYNvQ8yOejIpRMrhC2:DDHMFPCeV3i4zOHyOejIpkC2
MD5:C2CFA4CE43DFF1FCD200EDD2B1212F0A
SHA1:E8286E843192802E5EBF1BE67AE30BCAD75AC4BB
SHA-256:F861DB23B972FAAA54520558810387D742878947057CF853DC74E5F6432E6A1B
SHA-512:6FDF02A2DC9EF10DD52404F19C300429E7EA40469F00A43CA627F3B7F3868D1724450F99C65B70B9B7B1F2E1FA9D62B8BE1833A8C5AA3CD31C940459F359F30B
Malicious:false
Reputation:unknown
Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT-SOFTWARE-LIZENZBESTIMMUNGEN\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Diese Lizenzbestimmungen sind ein Vertrag zwischen Ihnen und der Microsoft Corporation (bzw. abh\'e4ngig von Ihrem Wohnsitz einem mit Microsoft verbundenen Unternehmen). Sie gelten f\'fcr die oben angef\'fchrte Software. Die Bestimmungen gelten ebenso f\'fcr jegliche von Microsoft angebotenen Dienste oder Updates f\'fcr die Software, sofern diesen keine anderen Bestimmungen beiliegen.\par..\b SOFERN SIE DIESE LIZENZBESTIMMUNGEN EINHALTEN, SIND SIE ZU FOLGENDEM BERECHTIGT:\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 RECHTE ZUR INSTALLATION UND NUTZUNG. \
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):3379
Entropy (8bit):5.094097800535488
Encrypted:false
SSDEEP:48:c5DiTlOZuesXJhDEVTORNxSMoZN3mteNSiNGNsZuiAXEqicMwhPXbhu9KwKlK8Kq:uDiTl3N7xSbu0N8+AhSNnm
MD5:561F3F32DB2453647D1992D4D932E872
SHA1:109548642FB7C5CC0159BEDDBCF7752B12B264C0
SHA-256:8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
SHA-512:CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] - Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive | /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und alle Eingab
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):11593
Entropy (8bit):5.106817099949188
Encrypted:false
SSDEEP:192:aRAbNYjVk+z5GUSLse5GgALEXmAWL+/3FEShP9sJgi8+Ra8woh+89EQdhwQPely6:K4yrPqm9LcVEg9sVp2ohHVdKoXJXci9a
MD5:F0FF747B85B1088A317399B0E11D2101
SHA1:F13902A39CEAE703A4713AC883D55CFEE5F1876C
SHA-256:4D9B7F06BE847E9E135AB3373F381ED7A841E51631E3C2D16E5C40B535DA3BCF
SHA-512:AA850F05571FFC361A764A14CA9C1A465E2646A8307DEEE0589852E6ACC61AF145AEF26B502835724D7245900F9F0D441451DD8C055404788CE64415F5B79506
Malicious:false
Reputation:unknown
Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMES DU CONTRAT DE LICENCE LOGICIEL MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Les pr\'e9sents termes du contrat de licence constituent un contrat entre Microsoft Corporation (ou, en fonction de votre lieu de r\'e9sidence, l\rquote un de ses affili\'e9s) et vous. Ils s\rquote appliquent au logiciel vis\'e9 ci-dessus. Les termes s\rquote appliquent \'e9galement \'e0 tout service et \'e0 toute mise \'e0 jour Microsoft pour ce logiciel, \'e0 moins que d\rquote autres termes n\rquote accompagnent ces \'e9l\'e9ments.\par..\b SI VOUS VOUS CONFORMEZ AUX PR\'c9SENTS TERMES DU CONTRAT DE LICENCE, VOUS AVEZ LES DROITS CI-DESSOUS.\par....\pard{\pntext\f1\'B7\tab}{\*\pn\pnlvlblt\pnf1\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\s
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):3366
Entropy (8bit):5.0912204406356905
Encrypted:false
SSDEEP:48:c5DiTlO1BesgKLhD1K8cocDSN3m4NlN2ZfNmXL8ePZFcZkLPqUf9fQKRLKeKqZfj:uDiTlABzH1/qt4qgcXY
MD5:7B46AE8698459830A0F9116BC27DE7DF
SHA1:D9BB14D483B88996A591392AE03E245CAE19C6C3
SHA-256:704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
SHA-512:FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler.?</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du groupe dans le r.pertoire. Install est l'option par d.faut...../passive | /quiet - affiche une interface minimale, sans invite, ou n'affiche ni interface.. ni invite. Par d.faut, l'interface et toutes les invites sont affich.es...../norestart - supprime toutes les tentatives de red.
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):11281
Entropy (8bit):5.046489958240229
Encrypted:false
SSDEEP:192:WBGNX6UXR2+5SmgS/ChMErYkQvowHVw6zdgkycEGCDLQ+n3YJ2d8XSiej+T4Ma8f:gAzSVARBR5jEPLQY3YJpSjTP2
MD5:9D98044BAC59684489C4CF66C3B34C85
SHA1:36AAE7F10A19D336C725CAFC8583B26D1F5E2325
SHA-256:A3F745C01DEA84CE746BA630814E68C7C592B965B048DDC4B1BBE1D6E533BE22
SHA-512:D849BBB6C87C182CC98C4E2314C0829BB48BAD483D0CD97BF409E75457C3695049C3A8ADFE865E1ECBC989A910096D2C1CDF333705AAC4D22025DF91B355278E
Malicious:false
Reputation:unknown
Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 CONTRATTO DI LICENZA PER IL SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Le presenti condizioni di licenza costituiscono il contratto tra Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) e il licenziatario, Tali condizioni si applicano al software Microsoft di cui sopra. Le condizioni si applicano inoltre a qualsiasi servizio o aggiornamento di Microsoft relativo al software, a meno che questo non sia accompagnato da condizioni differenti.\par..\b QUALORA IL LICENZIATARIO SI ATTENGA ALLE PRESENTI CONDIZIONI DI LICENZA, DISPORR\'c0 DEI DIRITTI INDICATI DI SEGUITO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\p
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):3319
Entropy (8bit):5.019774955491369
Encrypted:false
SSDEEP:48:c5DiTlO1eesy+hD9BOtBFv5Vo8BbQhMNDJN3msNlNohNNz+wcPclM+PAoYKp+K/u:uDiTlfQvo8WutJ/s9FHNOJp
MD5:D90BC60FA15299925986A52861B8E5D5
SHA1:FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
SHA-256:0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
SHA-512:11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida alla configurazione</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . Install...../passive | /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita viene visualizzata l'intera interfaccia utente e tutti i prompt...../norestart - annulla quals
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):28232
Entropy (8bit):3.7669201853275722
Encrypted:false
SSDEEP:192:Qkb65jNkzrUJVbpEiTskXHH1AZWoJxfnVnkDYUqfQFXBue6hX2JSfR7q05kWZxhY:epCD3y/ybox2yrk2
MD5:8C49936EC4CF0F64CA2398191C462698
SHA1:CC069FE8F8BC3B6EE2085A4EACF40DB26C842BAC
SHA-256:7355367B7C48F1BBACC66DFFE1D4BF016C16156D020D4156F288C2B2207ED1C2
SHA-512:4381147FF6707C3D31C5AE591F68BC61897811112CB507831EFF5E71DD281009400EDA3300E7D3EFDE3545B89BCB71F2036F776C6FDFC73B6B2B2B8FBC084499
Malicious:false
Reputation:unknown
Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset128 MS Gothic;}{\f1\fnil\fcharset0 MS Gothic;}{\f2\fnil\fcharset134 SimSun;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9\'83\'7d\'83\'43\'83\'4e\'83\'8d\'83\'5c\'83\'74\'83\'67 \'83\'5c\'83\'74\'83\'67\'83\'45\'83\'46\'83\'41 \'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\par..\f1 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f0\'96\'7b\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\'82\'cd\f2\'a1\'a2\f1 Microsoft Corporation (\f0\'82\'dc\'82\'bd\'82\'cd\'82\'a8\'8b\'71\'97\'6c\'82\'cc\'8f\'8a\'8d\'dd\'92\'6e\'82\'c9\'89\'9e\'82\'b6\'82\'c4\'82\'cd\'82\'bb\'82\'cc\'8a\'d6\'98\'41\'89\'ef\'8e\'d0) \'82\'c6\'82\'a8\'8b\'71\'97\'6c\'82\'c6\'82\'cc\'8c\'5f\'96\'f1\'82\'f0\'8d\'5c\'90\'ac\'82\'b5\'82\'dc\'82\'b7\'81\'42\'96\'7b\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):3959
Entropy (8bit):5.955167044943003
Encrypted:false
SSDEEP:96:uDiTlDuB1n+RNmvFo6bnpojeTPk0R/vueX5OA17IHdGWz:5uB1+gD1DU4EdGE
MD5:DC81ED54FD28FC6DB6F139C8DA1BDED6
SHA1:9C719C32844F78AAE523ADB8EE42A54D019C2B05
SHA-256:6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
SHA-512:FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.. <Control Control="UninstallButton" X="270" Y="237" Width="120" Height="23"/>.. <Control Control="RepairButton" X="187" Y="237" Width="80" Height="23"/>.. .. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ............ ......... .........................
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):27936
Entropy (8bit):3.871317037004171
Encrypted:false
SSDEEP:384:kKIgbA2uBsarNG/HxPvCL1ewjxsXmEw4C7C7R4jAeqCBO968y7yNRylBSFfQv9yH:d3ar8Xa/XAeqoc0wfBB4qN
MD5:184D94082717E684EAF081CEC3CBA4B1
SHA1:960B9DA48F4CDDF29E78BBAE995B52204B26D51B
SHA-256:A4C25DA9E3FBCED47464152C10538F16EE06D8E06BC62E1CF4808D293AA1AFA2
SHA-512:E4016C0CA348299B5EF761F456E3B5AD9B99E5E100C07ACAB1369DFEC214E75AA88E9AD2A0952C0CC1B707E2732779E6E3810B3DA6C839F0181DC81E3560CBDA
Malicious:false
Reputation:unknown
Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset129 Malgun Gothic;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 Microsoft \f1\'bc\'d2\'c7\'c1\'c6\'ae\'bf\'fe\'be\'ee\f0 \f1\'bb\'e7\'bf\'eb\'b1\'c7\f0 \f1\'b0\'e8\'be\'e0\'bc\'ad\f0\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f1\'ba\'bb\f0 \f1\'bb\'e7\'bf\'eb\'b1\'c7\f0 \f1\'b0\'e8\'be\'e0\'c0\'ba\f0 Microsoft Corporation(\f1\'b6\'c7\'b4\'c2\f0 \f1\'b0\'c5\'c1\'d6\f0 \f1\'c1\'f6\'bf\'aa\'bf\'a1\f0 \f1\'b5\'fb\'b6\'f3\f0 \f1\'b0\'e8\'bf\'ad\'bb\'e7\f0 \f1\'c1\'df\f0 \f1\'c7\'cf\'b3\'aa\f0 )\f1\'b0\'fa\f0 \f1\'b1\'cd\'c7\'cf\f0 \f1\'b0\'a3\'bf\'a1\f0 \f1\'c3\'bc\'b0\'e1\'b5\'c7\'b4\'c2\f0 \f1\'b0\'e8\'be\'e0\'c0\'d4\'b4\'cf\'b4\'d9\f0 . \f1\'ba\'bb\f0 \f1\'c1\'b6\'b0\'c7\'c0\'ba\f0 \f1\'c0\'a7\'bf\'a1\f0 \f1\'b8\'ed\'bd\'c3\'b5\'c8\f0 \f1
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):3249
Entropy (8bit):5.985100495461761
Encrypted:false
SSDEEP:48:c5DiTlO4TesKOwhDNJCkt1NhEN3m/NFNkbKNdExpVgUnqx6IPaRc0KoUK9TKz0KR:uDiTlUJJCsgqf6YVoz4uU5vI54U5TY
MD5:B3399648C2F30930487F20B50378CEC1
SHA1:CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
SHA-256:AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
SHA-512:C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] .. ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive | /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ........../norestart - .. .... .. .... ...
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):13265
Entropy (8bit):5.358483628484379
Encrypted:false
SSDEEP:192:TKpWRd0NE41Y/od7V/sHFos7YLQY9DbLM5D+Vw1VAOb0P4/sHLS7VHwHMPw95a+Q:uy0CG9KZ7qQCw1VAOZ/sHOJfcY2wf6p2
MD5:5B9DF97FC98938BF2936437430E31ECA
SHA1:AB1DA8FECDF85CF487709774033F5B4B79DFF8DE
SHA-256:8CB5EB330AA07ACCD6D1C8961F715F66A4F3D69FB291765F8D9F1850105AF617
SHA-512:4EF61A484DF85C487BE326AB4F95870813B9D0644DF788CE22D3BEB6E062CDF80732CB0B77FCDA5D4C951A0D67AECF8F5DCD94EA6FA028CFCA11D85AA97714E3
Malicious:false
Reputation:unknown
Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 POSTANOWIENIA LICENCYJNE DOTYCZ\f1\'a5CE OPROGRAMOWANIA\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Niniejsze postanowienia licencyjne stanowi\f1\'b9 umow\'ea mi\'eadzy Microsoft Corporation (lub, w\~zale\'bfno\'9cci od miejsca zamieszkania Licencjobiorcy, jednym z\~podmiot\f0\'f3w stowarzyszonych Microsoft Corporation) a\~Licencjobiorc\f1\'b9. Maj\'b9 one zastosowanie do wskazanego powy\'bfej oprogramowania. Niniejsze postanowienia maj\'b9 r\f0\'f3wnie\f1\'bf zastosowanie do wszelkich us\'b3ug i aktualizacji Microsoft dla niniejszego oprogramowania, z wyj\'b9tkiem tych, kt\f0\'f3rym towarzysz\f1\'b9 inne postanowienia.\par..\b\
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):3212
Entropy (8bit):5.268378763359481
Encrypted:false
SSDEEP:48:c5DiTlOPesar4hDo7zGriQjDCN3mDNN0NrsNGl3vxkIP2hUdKLK0KbK4n6W0sfNM:uDiTlusPGriQw8n2rOij4JsU
MD5:15172EAF5C2C2E2B008DE04A250A62A1
SHA1:ED60F870C473EE87DF39D1584880D964796E6888
SHA-256:440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
SHA-512:48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalator [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive | /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietlany interfejs u.ytkownika oraz wszystkie monity...../norestart - Pom
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):10656
Entropy (8bit):5.092962528947159
Encrypted:false
SSDEEP:192:WIPAufWXXF0+YkR6E0/CiTS0CsGlHIMqf29H7KxLY/aYzApT3anawLXCBX2:VPAufb+YSSCYrCb5BmW4UDaTqzLwX2
MD5:360FC4A7FFCDB915A7CF440221AFAD36
SHA1:009F36BBDAD5B9972E8069E53855FC656EA05800
SHA-256:9BF79B54F4D62BE501FF53EEDEB18683052A4AE38FF411750A764B3A59077F52
SHA-512:9550A99641F194BB504A76DE011D07C1183EE1D83371EE49782FC3D05BF779415630450174DD0C03CB182A5575F6515012337B899E2D084203717D9F110A6FFE
Malicious:false
Reputation:unknown
Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMOS DE LICEN\'c7A PARA SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Estes termos de licen\'e7a formam um contrato firmado entre a Microsoft Corporation (ou com base no seu pa\'eds de resid\'eancia, uma de suas afiliadas) e voc\'ea. Eles se aplicam ao software indicado acima. Os termos tamb\'e9m se aplicam a quaisquer servi\'e7os ou atualiza\'e7\'f5es da Microsoft para o software, exceto at\'e9 a extens\'e3o de que eles tenham termos diferentes.\par..\b SE VOC\'ca CONCORDAR COM ESTES TERMOS DE LICEN\'c7A, TER\'c1 OS DIREITOS INDICADOS ABAIXO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\t
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):3095
Entropy (8bit):5.150868216959352
Encrypted:false
SSDEEP:48:c5DiTlO5es/4ThDzmU6lDj4N3mBl0N+NWNP4hHCc9skPDXeKKeK9KfKt4eJ2RQdg:uDiTlJhJGl2UsZMLe6
MD5:BE27B98E086D2B8068B16DBF43E18D50
SHA1:6FAF34A36C8D9DE55650D0466563852552927603
SHA-256:F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
SHA-512:3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [diret.rio - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive | /quiet - exibe a IU m.nima sem nenhum prompt ou n.o exibe nenhuma IU e.. nenhum prompt. Por padr.o, a IU e todos os prompts s.o exibidos...../norestart - suprime qualquer tentativa de reiniciar. Por padr.o, a IU perguntar. antes de reiniciar
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):31915
Entropy (8bit):3.6440775919653996
Encrypted:false
SSDEEP:384:ntaMxngQEqQUaAEJxkSjjujcme51oVwuZOFsrnkGxunWxGc9wtvVYgCzkSxN1S2:npgnmWWNEvVYgCzxD
MD5:A59C893E2C2B4063AE821E42519F9812
SHA1:C00D0B11F6B25246357053F6620E57D990EFC698
SHA-256:0EC8368E87B3DFC92141885A2930BDD99371526E09FC52B84B764C91C5FC47B8
SHA-512:B9AD8223DDA2208EC2068DBB85742A03BE0291942E60D4498E3DAB4DDF559AA6DCF9879952F5819223CFC5F4CB71D4E06E4103E129727AACFB8EFE48403A04FA
Malicious:false
Reputation:unknown
Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset204 Tahoma;}{\f1\fnil\fcharset0 Tahoma;}{\f2\fnil\fcharset204 Garamond;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang1049\'d3\'d1\'cb\'ce\'c2\'c8\'df \'cb\'c8\'d6\'c5\'cd\'c7\'c8\'c8 \'cd\'c0 \'cf\'d0\'ce\'c3\'d0\'c0\'cc\'cc\'cd\'ce\'c5 \'ce\'c1\'c5\'d1\'cf\'c5\'d7\'c5\'cd\'c8\'c5 MICROSOFT\par..\f1\lang9 MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0\f0\lang1049\'cd\'e0\'f1\'f2\'ee\'ff\'f9\'e8\'e5 \'f3\'f1\'eb\'ee\'e2\'e8\'ff \'eb\'e8\'f6\'e5\'ed\'e7\'e8\'e8 \'ff\'e2\'eb\'ff\'fe\'f2\'f1\'ff \'f1\'ee\'e3\'eb\'e0\'f8\'e5\'ed\'e8\'e5\'ec \'ec\'e5\'e6\'e4\'f3 \'ea\'ee\'f0\'ef\'ee\'f0\'e0\'f6\'e8\'e5\'e9 Microsoft (\'e8\'eb\'e8, \'e2 \'e7\'e0\'e2\'e8\'f1\'e8\'ec\'ee\'f1\'f2\'e8 \'ee\'f2 \'ec\'e5\'f1\'f2\'e0 \'e2\'e0\'f8\'e5\'e3\'ee \'ef\'f0\'ee\'e6\'e8\'e2\'e0\'ed\'e8\'ff, \'ee\
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):4150
Entropy (8bit):5.444436038992627
Encrypted:false
SSDEEP:48:c5DiTlDhQt9esbrohDTWJt49kAr7DHN3m5GNDCNvNLIkflhrWncPingGdZwK1Kqp:uDiTlDYVgmt4xJ88k193ipzjvL
MD5:17C652452E5EE930A7F1E5E312C17324
SHA1:59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
SHA-256:7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
SHA-512:53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.... <String Id="Caption">......... ......... [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [.......] - ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... - ............../passive | /quiet - ........... ....
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):13379
Entropy (8bit):5.214715951393874
Encrypted:false
SSDEEP:192:1fGkc01jIjZTUDUTvXt2QpfC5VAlCPpDwuOfH7df3YwnnbZIWG2XjQeoO9uBO8CA:Iiqx4Uh2QpMVA8haDdv9nbZzG6oQR2
MD5:BD2DC15DFEE66076BBA6D15A527089E7
SHA1:8768518F2318F1B8A3F8908A056213042A377CC4
SHA-256:62A07232017702A32F4B6E43E9C6F063B67098A1483EEDDB31D7C73EAF80A6AF
SHA-512:9C9467A2F2D0886FF4302A44AEA89734FCEFBD3CBE04D895BCEACBA1586AB746E62391800E07B6228E054014BE51F14FF63BA71237268F94019063C8C8B7EF74
Malicious:false
Reputation:unknown
Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT YAZILIMI L\f1\u304?SANS KO\'aaULLARI\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Bu lisans ko\f1\'baullar\u305?, Microsoft Corporation (veya ya\'baad\u305?\u287?\u305?n\u305?z yere g\f0\'f6re bir ba\f1\u287?l\u305? \'bairketi) ile sizin aran\u305?zda yap\u305?lan anla\'bamay\u305? olu\'baturur. Bu ko\'baullar, yukar\u305?da ad\u305? ge\f0\'e7en yaz\f1\u305?l\u305?m i\f0\'e7in ge\'e7erlidir. \f1\'aaartlar, yaz\u305?l\u305?m i\f0\'e7in t\'fcm Microsoft hizmetleri veya g\'fcncelle\f1\'batirmeleri i\f0\'e7in, beraberlerinde farkl\f1\u305? \'baartlar bulunmad\u305?\u287?\u305? s\f0\'fcrece ge\'e7erlidir.\par..\b BU L\f1\u304?SANS \'aaARTLARINA UYDU\u286?UNUZ TAKD\u304?RDE A\'aaA\u286?IDAK\u3
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):3221
Entropy (8bit):5.280530692056262
Encrypted:false
SSDEEP:48:c5DiTlOaesHEqhDTHV4zVy6oBzdp0DYK2GP2ZmN3majyNXNoNKQXVvChcPc+WKb0:uDiTl3PHcIflKNTPgdi12xgg
MD5:DEFBEA001DC4EB66553630AC7CE47CCA
SHA1:90CED64EC7C861F03484B5D5616FDBCDA8F64788
SHA-256:E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
SHA-512:B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive | /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler g.r.nt.lenir...../norestart - yeniden ba.lama denemelerini engeller. Varsay.lan olarak UI yeniden ba.l
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):17863
Entropy (8bit):3.9617786349452775
Encrypted:false
SSDEEP:192:BxoqPyOj+/8Tk5VigWgijAlk5xWvSCI5lgios0EhGXxGMLVGW+uUoqyLZDvAJxMx:vbIeaE7q3KGgzD2
MD5:3CF16377C0D1B2E16FFD6E32BF139AC5
SHA1:D1A8C3730231D51C7BB85A7A15B948794E99BDCE
SHA-256:E95CA64C326A0EF7EF3CED6CDAB072509096356C15D1761646E3C7FDA744D0E0
SHA-512:E9862FD0E8EC2B2C2180183D06535A16A527756F6907E6A1D2DB85092636F72C497508E793EE8F2CC8E0D1A5E090C6CCF465F78BC1FA8E68DAF7C68815A0EE16
Malicious:false
Reputation:unknown
Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset134 SimSun;}{\f1\fnil\fcharset0 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9\'ce\'a2\'c8\'ed\'c8\'ed\'bc\'fe\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\f1\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f0\'d5\'e2\'d0\'a9\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\'ca\'c7\f1 Microsoft Corporation\f0\'a3\'a8\'bb\'f2\'c4\'fa\'cb\'f9\'d4\'da\'b5\'d8\'b5\'c4\f1 Microsoft \f0\'b9\'d8\'c1\'aa\'b9\'ab\'cb\'be\'a3\'a9\'d3\'eb\'c4\'fa\'d6\'ae\'bc\'e4\'b4\'ef\'b3\'c9\'b5\'c4\'d0\'ad\'d2\'e9\'a1\'a3\'d5\'e2\'d0\'a9\'cc\'f5\'bf\'ee\'ca\'ca\'d3\'c3\'d3\'da\'c9\'cf\'ca\'f6\'c8\'ed\'bc\'fe\'a1\'a3\'d5\'e2\'d0\'a9\'cc\'f5\'bf\'ee\'d2\'b2\'ca\'ca\'d3\'c3\'d3\'da\'d5\'eb\'b6\'d4\'b8\'c3\'c8\'ed\'bc\'fe\'b5\'c4\'c8\'ce\'ba\'ce\'ce\'a2\'c8\'ed\'b7\'fe\'ce\'f1\'bb\'f2\'b8\'fc\'d0\'c2\'a3\'ac\'b5\'ab\'d3\'d0\'b2\'bb\'cd\
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):2978
Entropy (8bit):6.135205733555905
Encrypted:false
SSDEEP:48:c5DiTlOtKesi+hDtkQf7lz+W0gopN3m5+3cNONeN1ra8vWqPtlTKxKUTKlKXRoR+:uDiTlV5kQR9GLeE0ZxV6gIV
MD5:3D1E15DEEACE801322E222969A574F17
SHA1:58074C83775E1A884FED6679ACF9AC78ABB8A169
SHA-256:2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
SHA-512:10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [..] - .......... ..................Install ........../passive | /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ..................... UI.../log log.txt - ............. %TEMP% ...
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):10714
Entropy (8bit):5.122578090102117
Encrypted:false
SSDEEP:192:WthGE/9wd8eQF/hJOmQeNrXT77uOlQ+v3AqHqc3wpXGYdjvsk2cwBb2:mhGuhj+ed388Bb2
MD5:FBF293EE95AFEF818EAF07BB088A1596
SHA1:BBA1991BA6459C9F19B235C43A9B781A24324606
SHA-256:1FEC058E374C20CB213F53EB3C44392DDFB2CAA1E04B7120FFD3FA7A296C83E2
SHA-512:6971F20964EF74B19077EE81F953342DC6D2895A8640EC84855CECCEA5AEB581E6A628BCD3BA97A5D3ACB6CBE7971FDF84EF670BDDF901857C3CD28855212019
Malicious:false
Reputation:unknown
Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 T\'c9RMINOS DE LA LICENCIA DE SOFTWARE DE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0 Estos t\'e9rminos de licencia constituyen un contrato entre Microsoft Corporation (o, en funci\'f3n de donde resida, una de sus filiales) y usted. Se aplican al software antes mencionado. Los t\'e9rminos tambi\'e9n se aplican a cualquier servicio o actualizaci\'f3n de Microsoft para el software, excepto en la medida que tengan t\'e9rminos diferentes.\par..\b SI USTED CUMPLE CON LOS PRESENTES T\'c9RMINOS DE ESTA LICENCIA, DISPONDR\'c1 DE LOS DERECHOS QUE SE DESCRIBEN A CONTINUACI\'d3N.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:dropped
Size (bytes):3265
Entropy (8bit):5.0491645049584655
Encrypted:false
SSDEEP:48:c5DiTlO/esS6VGhDv4tiUiyRUqzC4U+aD6N3m7xNh1NWNGbPz+9o3PWeKK9K9KfT:uDiTlxouUTiySqyIwz9sgxqvjIk8
MD5:47F9F8D342C9C22D0C9636BC7362FA8F
SHA1:3922D1589E284CE76AB39800E2B064F71123C1C5
SHA-256:9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
SHA-512:E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive | /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (633), with CRLF line terminators
Category:dropped
Size (bytes):15322
Entropy (8bit):3.743290405091565
Encrypted:false
SSDEEP:192:X0s1IDnH5zHqQHG0Hd8Hz7HE06HA0rH3pNpbZZtHxLU7CzLG0LXFYtHJq5b0vI0Q:X0sGdLbmnoNPZtRkuJpYtnIsVEpJEg
MD5:C798D20CD6935F46A91F16B26E4D7A2F
SHA1:F6415ED976A9EF75ACCB417FEBD540AEF7815978
SHA-256:1C4192698669988EF08043C0CA96D5A2DC1669B0611568AF60E2E5717E7CB888
SHA-512:E330A1CC57F778E51F7765945FB970C4A3560AB37963F3163506CFF3E2706885E2CEE27E948E88970443DF97BFF823DD9EEE6B0BDAB1C92A0704422F59B09A93
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-16"?>..<BootstrapperApplicationData xmlns="http://schemas.microsoft.com/wix/2010/BootstrapperApplicationData">.. <WixBalCondition Condition="VersionNT64 &gt;= v6.0 OR (VersionNT64 = v5.2 AND ServicePackLevel &gt;= 1)" Message="[WixBundleName] can only be installed on Windows XP SP1 (x64) and newer platforms." />.. <WixBundleProperties DisplayName="Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.29.30139" LogPathVariable="WixBundleLog" Compressed="ye
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):9046
Entropy (8bit):5.157073875669985
Encrypted:false
SSDEEP:192:W8lZ1UVDWkgWZTIsvPhghtQ1Qf4lCfnEtHixEGx736wHqItfSpOy2:9T15WZMgAYlOnjt5HLoL2
MD5:2EABBB391ACB89942396DF5C1CA2BAD8
SHA1:182A6F93703549290BCDE92920D37BC1DEC712BB
SHA-256:E3156D170014CED8D17A02B3C4FF63237615E5C2A8983B100A78CB1F881D6F38
SHA-512:20D656A123A220CD3CA3CCBF61CC58E924B44F1F0A74E70D6850F39CECD101A69BCE73C5ED14018456E022E85B62958F046AA4BD1398AA27303C2E86407C3899
Malicious:false
Reputation:unknown
Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT SOFTWARE LICENSE TERMS\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software, except to the extent those have different terms.\par..\b IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 INSTALLATION AND USE RIGHTS. \b0\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-363\
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:PNG image data, 64 x 64, 8-bit colormap, non-interlaced
Category:dropped
Size (bytes):1861
Entropy (8bit):6.868587546770907
Encrypted:false
SSDEEP:24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
MD5:D6BD210F227442B3362493D046CEA233
SHA1:FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
SHA-256:335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
SHA-512:464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
Malicious:false
Reputation:unknown
Preview:.PNG........IHDR...@...@.............sRGB.........gAMA......a.....PLTE].q^.r_.r_.s`.s`.s`.ta.ta.ub.ub.vc.vd.vd.vd.we.we.xe.xg.yg yg zh zh"zi"{j#|i${j$|n*~n*.n,.o,.p..q0.r2.s3.t5.x;.x<.y>.z?.|B.~C.}E..F..F..H..I..J..L..O..P..W..Y..^..a..c..g..i..q..r..}.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S......pHYs..%...%....^.....tEXtSoftware.Paint.NET v3.5.100.r.....IDATXG..iW.@...EJ.$M...`AEpG..7TpWT@\.."....(..(.._;...di:9.c>q..g....T...._...-....F..+..w.
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2952
Entropy (8bit):5.052095286906672
Encrypted:false
SSDEEP:48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
MD5:FBFCBC4DACC566A3C426F43CE10907B6
SHA1:63C45F9A771161740E100FAF710F30EED017D723
SHA-256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
SHA-512:063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):8332
Entropy (8bit):5.184632608060528
Encrypted:false
SSDEEP:96:8L2HdQG+3VzHfz96zYFGaPSWXdhRAmImlqFQKFBiUxn7Ke5A82rkO/pWk3nswP:ZHAzZ/3
MD5:F62729C6D2540015E072514226C121C7
SHA1:C1E189D693F41AC2EAFCC363F7890FC0FEA6979C
SHA-256:F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
SHA-512:CBBFBFA7E013A2B85B78D71D32FDF65323534816978E7544CA6CEA5286A0F6E8E7E5FFC4C538200211F11B94373D5658732D5D8AA1D01F9CCFDBF20F154F1471
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig
Process:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):195600
Entropy (8bit):6.682530937585544
Encrypted:false
SSDEEP:3072:OXoiFK6b0k77I+QfaIl191rSJHvlalB+8BHkY6v53EfcUzN0m6I+WxBlnKzeZuqt:OXoQNb++gDrSJdr8BHkPh3wIgnK/IU1a
MD5:EAB9CAF4277829ABDF6223EC1EFA0EDD
SHA1:74862ECF349A9BEDD32699F2A7A4E00B4727543D
SHA-256:A4EFBDB2CE55788FFE92A244CB775EFD475526EF5B61AD78DE2BCDFADDAC7041
SHA-512:45B15ADE68E0A90EA7300AEB6DCA9BC9E347A63DBA5CE72A635957564D1BDF0B1584A5E34191916498850FC7B3B7ECFBCBFCB246B39DBF59D47F66BC825C6FD2
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3..R...R...R..h.N..R..h.L.R..h.M..R.......R.......R.......R...*<..R...*,..R...R...S..K....R..K....R..N.@..R...R(..R..K....R..Rich.R..................PE..L......Z...........!................d.....................................................@..............................................................D......,.......T...............................@...............X............................text............................... ..`.rdata.............................@..@.data...............................@....gfids..............................@..@.rsrc...............................@..@.reloc..,...........................@..B........................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):649368
Entropy (8bit):7.2207843016075115
Encrypted:false
SSDEEP:12288:vnMwHskY7gjcjhVIEhqgM7bWvcsi6aVEbIyoYw8EU40vy3W/ceKSHM9iFyex9VP/:/MysZgjS1hqgSC/izwfo/8fjymk4HM6Z
MD5:24323F69876BDA1B9909A0D0D6B981BA
SHA1:75761D5303828E5CDEB9A3BA0BD9EBAEDB56E9B0
SHA-256:7B1B012D525323F4E6C2E3B53E9F55BDA9D01D8761A86F03317E46D4F28AE808
SHA-512:01ED192274BD3559DF05ADB8DE057A6D26BC77376C0FBC2D7AB8A8306620E8515CFBFFABD2289417F3513982BBF2B7ED68897C649F14848858690985C9B262C3
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L......Z.....................v......m.............@..........................p............@..............................................;..........p...((...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B........................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):7.998282879971225
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
File size:42'660'808 bytes
MD5:9bae70489ffa1fd07797f8964350af30
SHA1:274d484c8de888ba87f3232f451c888e436337b5
SHA256:38afba1a62ee831a679ed728da8ca167b4c80a432a3ddf575c784bdd29d33975
SHA512:fed7c1bc02fba7047a40749ccb4b490f10de960fec66ffdbae612ff32d3d45dba24eeb32fabc6b03ba8a251c0077aace51ce46494b623c8b2adafabb68758080
SSDEEP:786432:DDXX2y7L9rwbfDRqaLpFNuLbT4U4VXpbmAlf2+oEcuQdU8N/IbwUI:DDH2y7h2dqEpFNuLbTh4lpSe++oSor1
TLSH:F59733C6B6486E35F8F0833B4461698CBE396CA77251E5DA7218B656CF3F57340E8A0C
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...l..d.................j.........
Icon Hash:183d47474b433d85
Entrypoint:0x403532
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x64A0DC6C [Sun Jul 2 02:09:48 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f4639a0b3116c2cfc71144b88a929cfd
Signature Valid:false
Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:-2146762495
Not Before, Not After
  • 08/05/2024 21:43:05, 15/06/2025 22:25:45
Subject Chain
  • CN=IDMELON TECHNOLOGIES INC., O=IDMELON TECHNOLOGIES INC., L=Vancouver, S=British Columbia, C=CA, OID.1.3.6.1.4.1.311.60.2.1.2=British Columbia, OID.1.3.6.1.4.1.311.60.2.1.3=CA, SERIALNUMBER=BC1233812, OID.2.5.4.15=Private Organization
Version:3
Thumbprint MD5:BFF7C718161D1B0634325495D4B5FD56
Thumbprint SHA-1:02C6A1A590289496DCA4D0C7997872B2081DF44F
Thumbprint SHA-256:5D1F98182AB7C9B075B727E829DBB46C0C7A69ECEC32C5C9C7230713EDA617BA
Serial:5D1D6B9CF96BC0FC88A26BE6
Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007FA4B852384Ah
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007FA4B8523818h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [004347B8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]
Programming Language:
  • [EXP] VC++ 6.0 SP5 build 8804
| Name | Virtual Address | Virtual Size | Is in Section |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8608 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x48000 | 0x1afd8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x28ae1a0 | 0x1228 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| .text | 0x1000 | 0x68d8 | 0x6a00 | 742185983fa6320c910f81782213e56f | False | 0.6695165094339622 | data | 6.478461709868021 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x1464 | 0x1600 | a995b118b38426885fc6ccaa984c8b7a | False | 0.4314630681818182 | data | 4.969091535632612 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x2a818 | 0x600 | 9a9bf385a30f1656fc362172b16d9268 | False | 0.5247395833333334 | data | 4.172601271908501 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x35000 | 0x13000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x48000 | 0x1afd8 | 0x1b000 | 626eb3cb5ec0a37aa78d99cea5be314c | False | 0.14038990162037038 | data | 3.616410153321358 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| RT_ICON | 0x482f8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 8504 x 8504 px/m | English | United States | 0.04499881698805158 |
| RT_ICON | 0x58b20 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 8504 x 8504 px/m | English | United States | 0.08384506376948513 |
| RT_ICON | 0x5cd48 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 8504 x 8504 px/m | English | United States | 0.11784232365145228 |
| RT_ICON | 0x5f2f0 | 0x1c6b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9774570446735396 |
| RT_ICON | 0x60f60 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 8504 x 8504 px/m | English | United States | 0.16674484052532834 |
| RT_ICON | 0x62008 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 8504 x 8504 px/m | English | United States | 0.32092198581560283 |
| RT_DIALOG | 0x62470 | 0x202 | data | English | United States | 0.4085603112840467 |
| RT_DIALOG | 0x62678 | 0xf8 | data | English | United States | 0.6290322580645161 |
| RT_DIALOG | 0x62770 | 0xa0 | data | English | United States | 0.60625 |
| RT_DIALOG | 0x62810 | 0xee | data | English | United States | 0.6302521008403361 |
| RT_GROUP_ICON | 0x62900 | 0x5a | data | English | United States | 0.7777777777777778 |
| RT_VERSION | 0x62960 | 0x248 | data | English | United States | 0.5085616438356164 |
| RT_MANIFEST | 0x62ba8 | 0x42e | XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators | English | United States | 0.5130841121495328 |
| DLL | Import |
| ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW |
| SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW |
| ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree |
| COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create |
| USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics |
| GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor |
| KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW |
| Language of compilation system | Country where language is spoken |
| English | United States |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| Jul 4, 2024 06:27:18.910907984 CEST | 51039 | 53 | 192.168.2.7 | 1.1.1.1 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
| Jul 4, 2024 06:27:18.910907984 CEST | 192.168.2.7 | 1.1.1.1 | 0x1c96 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
| Jul 4, 2024 06:27:18.917490005 CEST | 1.1.1.1 | 192.168.2.7 | 0x1c96 | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
Target ID:0
Start time:00:27:16
Start date:04/07/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"
Imagebase:0x400000
File size:42'660'808 bytes
MD5 hash:9BAE70489FFA1FD07797F8964350AF30
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:00:27:16
Start date:04/07/2024
Path:C:\Windows\System32\dllhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Imagebase:0x7ff7d8730000
File size:21'312 bytes
MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:2
Start time:00:27:17
Start date:04/07/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:3
Start time:00:27:22
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" /quiet
Imagebase:0x9f0000
File size:25'226'464 bytes
MD5 hash:35431D059197B67227CD12F841733539
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 0%, ReversingLabs
Reputation:moderate
Has exited:true

Target ID:4
Start time:00:27:22
Start date:04/07/2024
Path:C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\Temp\{D6B00576-3B46-471A-8B96-389BB18060B2}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" -burn.filehandle.attached=524 -burn.filehandle.self=544 /quiet
Imagebase:0x2c0000
File size:649'368 bytes
MD5 hash:24323F69876BDA1B9909A0D0D6B981BA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:5
Start time:00:27:23
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" install IDmelonFidoCredentialProviderService "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 14%, ReversingLabs
Reputation:low
Has exited:true

Target ID:6
Start time:00:27:23
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:7
Start time:00:27:23
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Application "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:8
Start time:00:27:23
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:00:27:23
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppDirectory "C:\Program Files (x86)\IDmelon\FCP"
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:10
Start time:00:27:23
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:00:27:24
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdout "C:\Program Files (x86)\IDmelon\FCP\logs.log"
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:12
Start time:00:27:24
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:00:27:24
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderr "C:\Program Files (x86)\IDmelon\FCP\logs.log"
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:14
Start time:00:27:24
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:15
Start time:00:27:24
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Description "Handles the FIDO authentication of IDmelon credential provider."
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:00:27:24
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:00:27:24
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdoutCreationDisposition 4
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:00:27:24
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:00:27:24
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderrCreationDisposition 4
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:00:27:25
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:00:27:25
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateFiles 1
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:00:27:25
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7b4ee0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:00:27:25
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateOnline 0
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:00:27:25
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:00:27:25
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateSeconds 14400
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:00:27:26
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:00:27:26
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateBytes 5000000
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:00:27:26
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:00:27:26
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Start SERVICE_AUTO_START
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:00:27:26
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:00:27:26
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" restart IDmelonFidoCredentialProviderService
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:00:27:26
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:00:27:26
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe"
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:34
Start time:00:27:26
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:00:27:26
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Imagebase:0x7ff600530000
File size:17'194'344 bytes
MD5 hash:2B087903208E385308BF23C41F82E872
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 100%, Avira
  • Detection: 5%, ReversingLabs
Has exited:true

Target ID:36
Start time:00:27:26
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:00:27:28
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" status IDmelonFidoCredentialProviderService
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:00:27:28
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:00:27:28
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" start IDmelonFidoCredentialProviderService
Imagebase:0x140000000
File size:373'288 bytes
MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:00:27:28
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:00:27:29
Start date:04/07/2024
Path:C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):true
Commandline:CACLS "C:\Program Files (x86)\IDmelon\FCP\cashedData.xml" /e /p Everyone:f
Imagebase:0x250000
File size:27'648 bytes
MD5 hash:00BAAE10C69DAD58F169A3ED638D6C59
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:00:27:29
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:00:27:29
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Imagebase:0x7ff600530000
File size:17'194'344 bytes
MD5 hash:2B087903208E385308BF23C41F82E872
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:00:27:29
Start date:04/07/2024
Path:C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):true
Commandline:CACLS "C:\Program Files (x86)\IDmelon\FCP\service_log.lo" /e /p Everyone:f
Imagebase:0x250000
File size:27'648 bytes
MD5 hash:00BAAE10C69DAD58F169A3ED638D6C59
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:00:27:29
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:46
Start time:00:27:29
Start date:04/07/2024
Path:C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):true
Commandline:icacls "C:\Program Files (x86)\IDmelon\FCP" /inheritance:d
Imagebase:0x990000
File size:29'696 bytes
MD5 hash:2E49585E4E08565F52090B144062F97E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:47
Start time:00:27:29
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:48
Start time:00:27:29
Start date:04/07/2024
Path:C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):true
Commandline:icacls "C:\Program Files (x86)\IDmelon\FCP" /grant:r everyone:(OI)(CI)(F) /T
Imagebase:0x990000
File size:29'696 bytes
MD5 hash:2E49585E4E08565F52090B144062F97E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:49
Start time:00:27:29
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:50
Start time:00:27:29
Start date:04/07/2024
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Imagebase:0x1770000
File size:82'432 bytes
MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:51
Start time:00:27:30
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:52
Start time:00:27:30
Start date:04/07/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "ver"
Imagebase:0x7ff7532b0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:53
Start time:00:27:30
Start date:04/07/2024
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=out program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Imagebase:0x1770000
File size:82'432 bytes
MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:54
Start time:00:27:30
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:55
Start time:00:27:30
Start date:04/07/2024
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:netsh.exe advfirewall firewall add rule IDmelonFidoCredentialProviderService dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Imagebase:0x1770000
File size:82'432 bytes
MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:56
Start time:00:27:30
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:58
Start time:00:27:31
Start date:04/07/2024
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:netsh.exe advfirewall firewall add rule IDmelonFidoCredentialProviderService dir=out program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Imagebase:0x1770000
File size:82'432 bytes
MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:00:27:31
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:00:27:33
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:00:27:33
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Imagebase:0x7ff600530000
File size:17'194'344 bytes
MD5 hash:2B087903208E385308BF23C41F82E872
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:62
Start time:00:27:34
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:63
Start time:02:13:20
Start date:04/07/2024
Path:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Imagebase:0x7ff600530000
File size:17'194'344 bytes
MD5 hash:2B087903208E385308BF23C41F82E872
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:64
Start time:02:13:21
Start date:04/07/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "ver"
Imagebase:0x7ff7532b0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:65
Start time:02:13:44
Start date:04/07/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:67
Start time:02:13:57
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true
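
Targets 41 to 58 above are the installer's post-install configuration of the directory it just created, and the command lines say exactly what they do: CACLS ... /p Everyone:f and icacls "C:\Program Files (x86)\IDmelon\FCP" /grant:r everyone:(OI)(CI)(F) /T give every local user full control of the install directory and, through the OI/CI inheritance flags and /T, of everything below it, after /inheritance:d has detached the inherited Program Files ACEs. The netsh lines then add inbound and outbound allow rules for IDmelonCredentialProviderFidoAgent.exe, the binary that lives in that directory and that target 29 configures nssm to auto-start as a service. The script below is an added example, not Joe Sandbox, nssm or IDmelon code: it parses entries in this report's Key:Value layout, flags those three behaviours, and correlates them into the finding a practitioner actually cares about, an allow-listed program sitting under a path Everyone can modify. The sample is three entries copied from the list above; the field names it relies on come from the report, while the rule names, the Finding type and the helper names are the example's own. One caveat to verify on a real host rather than infer from the capture: netsh documents the add rule syntax as name=<rule> followed by key=value pairs, and the captured lines pass the rule name positionally, so check with netsh advfirewall firewall show rule name=all (and icacls "C:\Program Files (x86)\IDmelon\FCP" for the ACL) whether the rules were actually created; the script marks such rules accordingly.

```python
"""Added triage helper for the process list above (not Joe Sandbox, nssm or IDmelon code):
flag ACL weakening, firewall allow rules and service auto-start, then correlate them."""
import re
from dataclasses import dataclass

# Constructed sample in the report's own "Key:Value" layout: three entries copied
# verbatim from the process list above so the parser can run offline.
SAMPLE_REPORT = r"""Target ID:29
Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Start SERVICE_AUTO_START
Has exited:true

Target ID:48
Path:C:\Windows\SysWOW64\icacls.exe
Commandline:icacls "C:\Program Files (x86)\IDmelon\FCP" /grant:r everyone:(OI)(CI)(F) /T
Has exited:true

Target ID:50
Path:C:\Windows\SysWOW64\netsh.exe
Commandline:netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Has exited:true
"""

@dataclass(frozen=True)
class Finding:
    target_id: str
    rule: str
    artifact: str  # path the finding is about: the ACL target, allow-listed program or service
    detail: str

# cacls /g|/p or icacls /grant[:r] giving Everyone full control, written "Everyone:f" (cacls)
# or "everyone:(OI)(CI)(F)" (icacls). A /deny on the same SID is deliberately not matched.
ACL_EVERYONE_FULL = re.compile(
    r"/(?:grant(?::r)?|g|p)\s+everyone:(?:f\b|(?:\([a-z]+\))*\(f\))", re.IGNORECASE)
# netsh advfirewall firewall add rule [name=]<name> key=value ...
FW_ADD_RULE = re.compile(
    r'advfirewall\s+firewall\s+add\s+rule\s+(?:name=)?(?P<name>"[^"]*"|\S+)(?P<rest>.*)', re.IGNORECASE)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_processes(report: str) -> list:
    """Split the blank-line-separated process blocks into {field: value} dicts."""
    procs = []
    for block in re.split(r"\n\s*\n", report.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Commandline" in fields:
            procs.append(fields)
    return procs

def argv_tail(cmd: str) -> str:
    """Arguments after the (possibly quoted) program token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:].strip() if end != -1 else ""
    parts = cmd.split(None, 1)
    return parts[1] if len(parts) > 1 else ""

def check_process(proc: dict) -> list:
    tid = proc.get("Target ID", "?")
    exe = proc.get("Path", "").rsplit("\\", 1)[-1].lower()
    args = argv_tail(proc["Commandline"])
    out = []
    if exe in ("cacls.exe", "icacls.exe") and ACL_EVERYONE_FULL.search(args):
        m = re.match(r'"([^"]+)"|(\S+)', args)  # the first argument is the ACL target
        target = (m.group(1) or m.group(2)) if m else ""
        out.append(Finding(tid, "acl_everyone_full_control", target,
                           f"{exe} grants Everyone full control on {target}"))
    elif exe == "netsh.exe" and (m := FW_ADD_RULE.search(args)):
        kv = {k.lower(): v.strip('"') for k, v in KV.findall(m.group("rest"))}
        if kv.get("action", "").lower() == "allow":
            # netsh documents name=<rule>; a positional name is worth checking on a real host
            note = "" if "name=" in args.lower() else " [no name= keyword: confirm the rule exists]"
            out.append(Finding(tid, "firewall_allow_rule", kv.get("program", ""),
                               f"rule {m.group('name')} dir={kv.get('dir')} program={kv.get('program')}{note}"))
    elif exe == "nssm.exe":
        parts = args.split(None, 3)  # set <service> <parameter> <value>
        if (len(parts) == 4 and parts[0].lower() == "set" and parts[2].lower() == "start"
                and parts[3].upper() == "SERVICE_AUTO_START"):
            out.append(Finding(tid, "service_autostart", parts[1],
                               f"nssm configures {parts[1]} to start at boot"))
    return out

def correlate(findings: list) -> list:
    """Allow-listed program that lives under a path Everyone was granted full control of."""
    writable = [f.artifact.lower().rstrip("\\") for f in findings if f.rule == "acl_everyone_full_control"]
    return [Finding(f.target_id, "firewall_allow_in_everyone_writable_dir", f.artifact,
                    f"{f.artifact} is under {d}, which Everyone can modify")
            for f in findings if f.rule == "firewall_allow_rule"
            for d in writable if f.artifact.lower().startswith(d + "\\")]

def triage(report: str) -> list:
    findings = [f for p in parse_processes(report) for f in check_process(p)]
    return findings + correlate(findings)
```

Running triage(SAMPLE_REPORT) yields four findings: the auto-start service (target 29), the Everyone full-control grant on the install directory (target 48), the inbound allow rule for the agent binary (target 50, flagged for its positional rule name), and the correlated finding that the allow-listed binary lives under the directory from the grant. Feeding it the full process list above additionally picks up the cacls grant on cashedData.xml (target 41) and the outbound and second pair of rules (targets 53 to 58); the check_process rules are case-insensitive because cacls and icacls accept either spelling of the SID and switches.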


    Execution Graph

    Execution Coverage:27.9%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:16.5%
    Total number of Nodes:1346
    Total number of Limit Nodes:45
    execution_graph: the node and edge listing (1346 nodes, 45 limit nodes) is not reproduced here; the interactive graph does not survive text extraction. Its nodes are function addresses in the 0x4014xx to 0x4069xx range of the sample, each annotated with the Win32 APIs that function calls (GetDlgItem, SendMessageW, ShowWindow, SetWindowTextW, lstrcpynW, wsprintfW, GetFileAttributesW, FindFirstFileW, CreateFileW, ReadFile, WriteFile, SetFilePointer, DeleteFileW, MoveFileExW, CreateDirectoryW, GetShortPathNameW, CreateFontIndirectW and similar), plus summary nodes of the form "N API calls"; edges point from caller to callee.
3659->3666 3668 404088 SetWindowLongW 3660->3668 3669 404099 3660->3669 3667 40445f 3661->3667 3662 401389 2 API calls 3670 4041d3 3662->3670 3664->3665 3672 40405b ShowWindow 3664->3672 3726 40453d 3665->3726 3666->3655 3666->3662 3667->3663 3677 404490 ShowWindow 3667->3677 3668->3663 3669->3665 3674 4040a5 GetDlgItem 3669->3674 3670->3655 3675 4041d7 SendMessageW 3670->3675 3672->3658 3673 404461 DestroyWindow KiUserCallbackDispatcher 3673->3667 3678 4040d3 3674->3678 3679 4040b6 SendMessageW IsWindowEnabled 3674->3679 3675->3663 3676 40140b 2 API calls 3676->3685 3677->3663 3681 4040e0 3678->3681 3683 404127 SendMessageW 3678->3683 3684 4040f3 3678->3684 3691 4040d8 3678->3691 3679->3663 3679->3678 3680 406594 21 API calls 3680->3685 3681->3683 3681->3691 3683->3665 3686 404110 3684->3686 3687 4040fb 3684->3687 3685->3663 3685->3673 3685->3676 3685->3680 3688 4044d6 22 API calls 3685->3688 3708 4043a1 DestroyWindow 3685->3708 3717 4044d6 3685->3717 3689 40140b 2 API calls 3686->3689 3690 40140b 2 API calls 3687->3690 3688->3685 3689->3691 3690->3691 3691->3665 3723 4044af 3691->3723 3693 404288 GetDlgItem 3694 4042a5 ShowWindow KiUserCallbackDispatcher 3693->3694 3695 40429d 3693->3695 3720 4044f8 KiUserCallbackDispatcher 3694->3720 3695->3694 3697 4042cf KiUserCallbackDispatcher 3702 4042e3 3697->3702 3698 4042e8 GetSystemMenu EnableMenuItem SendMessageW 3699 404318 SendMessageW 3698->3699 3698->3702 3699->3702 3701 403fb8 22 API calls 3701->3702 3702->3698 3702->3701 3721 40450b SendMessageW 3702->3721 3722 406557 lstrcpynW 3702->3722 3704 404347 lstrlenW 3705 406594 21 API calls 3704->3705 3706 40435d SetWindowTextW 3705->3706 3707 401389 2 API calls 3706->3707 3707->3685 3708->3667 3709 4043bb CreateDialogParamW 3708->3709 3709->3667 3710 4043ee 3709->3710 3711 4044d6 22 API calls 3710->3711 3712 4043f9 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3711->3712 3713 401389 2 API calls 3712->3713 3714 40443f 3713->3714 3714->3663 3715 404447 ShowWindow 
3714->3715 3716 404522 SendMessageW 3715->3716 3716->3667 3718 406594 21 API calls 3717->3718 3719 4044e1 SetDlgItemTextW 3718->3719 3719->3693 3720->3697 3721->3702 3722->3704 3724 4044b6 3723->3724 3725 4044bc SendMessageW 3723->3725 3724->3725 3725->3665 3727 404555 GetWindowLongW 3726->3727 3737 404600 3726->3737 3728 40456a 3727->3728 3727->3737 3729 404597 GetSysColor 3728->3729 3730 40459a 3728->3730 3728->3737 3729->3730 3731 4045a0 SetTextColor 3730->3731 3732 4045aa SetBkMode 3730->3732 3731->3732 3733 4045c2 GetSysColor 3732->3733 3734 4045c8 3732->3734 3733->3734 3735 4045d9 3734->3735 3736 4045cf SetBkColor 3734->3736 3735->3737 3738 4045f3 CreateBrushIndirect 3735->3738 3739 4045ec DeleteObject 3735->3739 3736->3735 3737->3663 3738->3737 3739->3738 4046 4014d7 4047 402d89 21 API calls 4046->4047 4048 4014dd Sleep 4047->4048 4050 402c2f 4048->4050 4051 40195b 4052 402dab 21 API calls 4051->4052 4053 401962 lstrlenW 4052->4053 4054 40263d 4053->4054 3799 4020dd 3800 4021a1 3799->3800 3801 4020ef 3799->3801 3803 401423 28 API calls 3800->3803 3802 402dab 21 API calls 3801->3802 3804 4020f6 3802->3804 3810 4022fb 3803->3810 3805 402dab 21 API calls 3804->3805 3806 4020ff 3805->3806 3807 402115 LoadLibraryExW 3806->3807 3808 402107 GetModuleHandleW 3806->3808 3807->3800 3809 402126 3807->3809 3808->3807 3808->3809 3819 4069ba 3809->3819 3813 402170 3815 4055dc 28 API calls 3813->3815 3814 402137 3816 401423 28 API calls 3814->3816 3817 402147 3814->3817 3815->3817 3816->3817 3817->3810 3818 402193 FreeLibrary 3817->3818 3818->3810 3824 406579 WideCharToMultiByte 3819->3824 3821 4069d7 3822 402131 3821->3822 3823 4069de GetProcAddress 3821->3823 3822->3813 3822->3814 3823->3822 3824->3821 4055 402b5e 4056 402bb0 4055->4056 4057 402b65 4055->4057 4058 40694b 5 API calls 4056->4058 4060 402d89 21 API calls 4057->4060 4063 402bae 4057->4063 4059 402bb7 4058->4059 4061 402dab 21 API calls 4059->4061 4062 402b73 4060->4062 4064 402bc0 4061->4064 4065 402d89 21 
API calls 4062->4065 4064->4063 4066 402bc4 IIDFromString 4064->4066 4069 402b7f 4065->4069 4066->4063 4067 402bd3 4066->4067 4067->4063 4073 406557 lstrcpynW 4067->4073 4072 40649e wsprintfW 4069->4072 4070 402bf0 CoTaskMemFree 4070->4063 4072->4063 4073->4070 3013 401761 3019 402dab 3013->3019 3017 40176f 3018 406076 2 API calls 3017->3018 3018->3017 3020 402db7 3019->3020 3021 406594 21 API calls 3020->3021 3023 402dd8 3021->3023 3022 401768 3025 406076 3022->3025 3023->3022 3024 406805 5 API calls 3023->3024 3024->3022 3026 406083 GetTickCount GetTempFileNameW 3025->3026 3027 4060bd 3026->3027 3028 4060b9 3026->3028 3027->3017 3028->3026 3028->3027 4074 401d62 4075 402d89 21 API calls 4074->4075 4076 401d73 SetWindowLongW 4075->4076 4077 402c2f 4076->4077 3029 401ee3 3037 402d89 3029->3037 3031 401ee9 3032 402d89 21 API calls 3031->3032 3033 401ef5 3032->3033 3034 401f01 ShowWindow 3033->3034 3035 401f0c EnableWindow 3033->3035 3036 402c2f 3034->3036 3035->3036 3038 406594 21 API calls 3037->3038 3039 402d9e 3038->3039 3039->3031 4078 4028e3 4079 4028eb 4078->4079 4080 4028ef FindNextFileW 4079->4080 4082 402901 4079->4082 4081 402948 4080->4081 4080->4082 4084 406557 lstrcpynW 4081->4084 4084->4082 4085 403be7 4086 403bf2 4085->4086 4087 403bf6 4086->4087 4088 403bf9 GlobalAlloc 4086->4088 4088->4087 4089 401568 4090 402ba9 4089->4090 4093 40649e wsprintfW 4090->4093 4092 402bae 4093->4092 4094 40196d 4095 402d89 21 API calls 4094->4095 4096 401974 4095->4096 4097 402d89 21 API calls 4096->4097 4098 401981 4097->4098 4099 402dab 21 API calls 4098->4099 4100 401998 lstrlenW 4099->4100 4102 4019a9 4100->4102 4101 4019ea 4102->4101 4106 406557 lstrcpynW 4102->4106 4104 4019da 4104->4101 4105 4019df lstrlenW 4104->4105 4105->4101 4106->4104 4107 40166f 4108 402dab 21 API calls 4107->4108 4109 401675 4108->4109 4110 4068b4 2 API calls 4109->4110 4111 40167b 4110->4111 4112 402af0 4113 402d89 21 API calls 4112->4113 4114 402af6 4113->4114 4115 406594 21 API calls 
4114->4115 4116 402933 4114->4116 4115->4116 4117 4026f1 4118 402d89 21 API calls 4117->4118 4119 402700 4118->4119 4120 40274a ReadFile 4119->4120 4121 4060ca ReadFile 4119->4121 4122 40278a MultiByteToWideChar 4119->4122 4123 40283f 4119->4123 4124 406128 5 API calls 4119->4124 4126 4027b0 SetFilePointer MultiByteToWideChar 4119->4126 4127 402850 4119->4127 4129 40283d 4119->4129 4120->4119 4120->4129 4121->4119 4122->4119 4130 40649e wsprintfW 4123->4130 4124->4119 4126->4119 4128 402871 SetFilePointer 4127->4128 4127->4129 4128->4129 4130->4129 3575 401774 3576 402dab 21 API calls 3575->3576 3577 40177b 3576->3577 3578 4017a3 3577->3578 3579 40179b 3577->3579 3615 406557 lstrcpynW 3578->3615 3614 406557 lstrcpynW 3579->3614 3582 4017a1 3586 406805 5 API calls 3582->3586 3583 4017ae 3584 405e26 3 API calls 3583->3584 3585 4017b4 lstrcatW 3584->3585 3585->3582 3596 4017c0 3586->3596 3587 4068b4 2 API calls 3587->3596 3588 406022 2 API calls 3588->3596 3590 4017d2 CompareFileTime 3590->3596 3591 401892 3592 4055dc 28 API calls 3591->3592 3594 40189c 3592->3594 3593 4055dc 28 API calls 3595 40187e 3593->3595 3597 4032b9 35 API calls 3594->3597 3596->3587 3596->3588 3596->3590 3596->3591 3600 406594 21 API calls 3596->3600 3605 406557 lstrcpynW 3596->3605 3610 405bb7 MessageBoxIndirectW 3596->3610 3611 401869 3596->3611 3613 406047 GetFileAttributesW CreateFileW 3596->3613 3598 4018af 3597->3598 3599 4018c3 SetFileTime 3598->3599 3601 4018d5 FindCloseChangeNotification 3598->3601 3599->3601 3600->3596 3601->3595 3602 4018e6 3601->3602 3603 4018eb 3602->3603 3604 4018fe 3602->3604 3606 406594 21 API calls 3603->3606 3607 406594 21 API calls 3604->3607 3605->3596 3608 4018f3 lstrcatW 3606->3608 3609 401906 3607->3609 3608->3609 3612 405bb7 MessageBoxIndirectW 3609->3612 3610->3596 3611->3593 3611->3595 3612->3595 3613->3596 3614->3582 3615->3583 4131 4014f5 SetForegroundWindow 4132 402c2f 4131->4132 4133 401a77 4134 402d89 21 API calls 4133->4134 4135 401a80 
4134->4135 4136 402d89 21 API calls 4135->4136 4137 401a25 4136->4137 4138 401578 4139 401591 4138->4139 4140 401588 ShowWindow 4138->4140 4141 402c2f 4139->4141 4142 40159f ShowWindow 4139->4142 4140->4139 4142->4141 4143 4023f9 4144 402dab 21 API calls 4143->4144 4145 402408 4144->4145 4146 402dab 21 API calls 4145->4146 4147 402411 4146->4147 4148 402dab 21 API calls 4147->4148 4149 40241b GetPrivateProfileStringW 4148->4149 4150 401ffb 4151 402dab 21 API calls 4150->4151 4152 402002 4151->4152 4153 4068b4 2 API calls 4152->4153 4154 402008 4153->4154 4156 402019 4154->4156 4157 40649e wsprintfW 4154->4157 4157->4156 4158 401b7c 4159 402dab 21 API calls 4158->4159 4160 401b83 4159->4160 4161 402d89 21 API calls 4160->4161 4162 401b8c wsprintfW 4161->4162 4163 402c2f 4162->4163 4164 401000 4165 401037 BeginPaint GetClientRect 4164->4165 4166 40100c DefWindowProcW 4164->4166 4168 4010f3 4165->4168 4171 401179 4166->4171 4169 401073 CreateBrushIndirect FillRect DeleteObject 4168->4169 4170 4010fc 4168->4170 4169->4168 4172 401102 CreateFontIndirectW 4170->4172 4173 401167 EndPaint 4170->4173 4172->4173 4174 401112 6 API calls 4172->4174 4173->4171 4174->4173 4175 404980 4176 404990 4175->4176 4177 4049b6 4175->4177 4178 4044d6 22 API calls 4176->4178 4179 40453d 8 API calls 4177->4179 4181 40499d SetDlgItemTextW 4178->4181 4180 4049c2 4179->4180 4181->4177 4182 401680 4183 402dab 21 API calls 4182->4183 4184 401687 4183->4184 4185 402dab 21 API calls 4184->4185 4186 401690 4185->4186 4187 402dab 21 API calls 4186->4187 4188 401699 MoveFileW 4187->4188 4189 4016ac 4188->4189 4195 4016a5 4188->4195 4191 4068b4 2 API calls 4189->4191 4192 4022fb 4189->4192 4190 401423 28 API calls 4190->4192 4193 4016bb 4191->4193 4193->4192 4194 406317 40 API calls 4193->4194 4194->4195 4195->4190 4196 401503 4197 401508 4196->4197 4199 401520 4196->4199 4198 402d89 21 API calls 4197->4198 4198->4199 4200 401a04 4201 402dab 21 API calls 4200->4201 4202 401a0b 4201->4202 4203 402dab 
21 API calls 4202->4203 4204 401a14 4203->4204 4205 401a1b lstrcmpiW 4204->4205 4206 401a2d lstrcmpW 4204->4206 4207 401a21 4205->4207 4206->4207 4208 402304 4209 402dab 21 API calls 4208->4209 4210 40230a 4209->4210 4211 402dab 21 API calls 4210->4211 4212 402313 4211->4212 4213 402dab 21 API calls 4212->4213 4214 40231c 4213->4214 4215 4068b4 2 API calls 4214->4215 4216 402325 4215->4216 4217 402336 lstrlenW lstrlenW 4216->4217 4218 402329 4216->4218 4220 4055dc 28 API calls 4217->4220 4219 4055dc 28 API calls 4218->4219 4222 402331 4218->4222 4219->4222 4221 402374 SHFileOperationW 4220->4221 4221->4218 4221->4222 4223 401d86 4224 401d99 GetDlgItem 4223->4224 4225 401d8c 4223->4225 4227 401d93 4224->4227 4226 402d89 21 API calls 4225->4226 4226->4227 4228 401dda GetClientRect LoadImageW SendMessageW 4227->4228 4229 402dab 21 API calls 4227->4229 4231 401e38 4228->4231 4233 401e44 4228->4233 4229->4228 4232 401e3d DeleteObject 4231->4232 4231->4233 4232->4233 4234 402388 4235 40238f 4234->4235 4238 4023a2 4234->4238 4236 406594 21 API calls 4235->4236 4237 40239c 4236->4237 4239 405bb7 MessageBoxIndirectW 4237->4239 4239->4238 3259 402c0a SendMessageW 3260 402c24 InvalidateRect 3259->3260 3261 402c2f 3259->3261 3260->3261 4240 40460c lstrcpynW lstrlenW 3273 40248f 3274 402dab 21 API calls 3273->3274 3275 4024a1 3274->3275 3276 402dab 21 API calls 3275->3276 3277 4024ab 3276->3277 3290 402e3b 3277->3290 3280 402dab 21 API calls 3284 4024d9 lstrlenW 3280->3284 3281 4024e3 3282 4024ef 3281->3282 3285 402d89 21 API calls 3281->3285 3283 40250e RegSetValueExW 3282->3283 3294 4032b9 3282->3294 3287 402524 RegCloseKey 3283->3287 3284->3281 3285->3282 3289 402933 3287->3289 3291 402e56 3290->3291 3314 4063f2 3291->3314 3296 4032d2 3294->3296 3295 403300 3318 4034d4 3295->3318 3296->3295 3321 4034ea SetFilePointer 3296->3321 3300 40346d 3302 4034af 3300->3302 3307 403471 3300->3307 3301 40331d GetTickCount 3303 403457 3301->3303 3310 40336c 3301->3310 3304 4034d4 ReadFile 
3302->3304 3303->3283 3304->3303 3305 4034d4 ReadFile 3305->3310 3306 4034d4 ReadFile 3306->3307 3307->3303 3307->3306 3308 4060f9 WriteFile 3307->3308 3308->3307 3309 4033c2 GetTickCount 3309->3310 3310->3303 3310->3305 3310->3309 3311 4033e7 MulDiv wsprintfW 3310->3311 3313 4060f9 WriteFile 3310->3313 3312 4055dc 28 API calls 3311->3312 3312->3310 3313->3310 3315 406401 3314->3315 3316 4024bb 3315->3316 3317 40640c RegCreateKeyExW 3315->3317 3316->3280 3316->3281 3316->3289 3317->3316 3319 4060ca ReadFile 3318->3319 3320 40330b 3319->3320 3320->3300 3320->3301 3320->3303 3321->3295 4241 402910 4242 402dab 21 API calls 4241->4242 4243 402917 FindFirstFileW 4242->4243 4244 40293f 4243->4244 4248 40292a 4243->4248 4249 40649e wsprintfW 4244->4249 4246 402948 4250 406557 lstrcpynW 4246->4250 4249->4246 4250->4248 4251 401911 4252 401948 4251->4252 4253 402dab 21 API calls 4252->4253 4254 40194d 4253->4254 4255 405c63 71 API calls 4254->4255 4256 401956 4255->4256 4257 401491 4258 4055dc 28 API calls 4257->4258 4259 401498 4258->4259 4260 401914 4261 402dab 21 API calls 4260->4261 4262 40191b 4261->4262 4263 405bb7 MessageBoxIndirectW 4262->4263 4264 401924 4263->4264 4265 404695 4267 4047c7 4265->4267 4268 4046ad 4265->4268 4266 404831 4269 4048fb 4266->4269 4270 40483b GetDlgItem 4266->4270 4267->4266 4267->4269 4274 404802 GetDlgItem SendMessageW 4267->4274 4271 4044d6 22 API calls 4268->4271 4276 40453d 8 API calls 4269->4276 4272 404855 4270->4272 4273 4048bc 4270->4273 4275 404714 4271->4275 4272->4273 4277 40487b SendMessageW LoadCursorW SetCursor 4272->4277 4273->4269 4278 4048ce 4273->4278 4298 4044f8 KiUserCallbackDispatcher 4274->4298 4280 4044d6 22 API calls 4275->4280 4287 4048f6 4276->4287 4299 404944 4277->4299 4282 4048e4 4278->4282 4283 4048d4 SendMessageW 4278->4283 4285 404721 CheckDlgButton 4280->4285 4282->4287 4288 4048ea SendMessageW 4282->4288 4283->4282 4284 40482c 4289 404920 SendMessageW 4284->4289 4296 4044f8 KiUserCallbackDispatcher 
4285->4296 4288->4287 4289->4266 4291 40473f GetDlgItem 4297 40450b SendMessageW 4291->4297 4293 404755 SendMessageW 4294 404772 GetSysColor 4293->4294 4295 40477b SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4293->4295 4294->4295 4295->4287 4296->4291 4297->4293 4298->4284 4302 405b7d ShellExecuteExW 4299->4302 4301 4048aa LoadCursorW SetCursor 4301->4273 4302->4301 4303 402896 4304 40289d 4303->4304 4306 402bae 4303->4306 4305 402d89 21 API calls 4304->4305 4307 4028a4 4305->4307 4308 4028b3 SetFilePointer 4307->4308 4308->4306 4309 4028c3 4308->4309 4311 40649e wsprintfW 4309->4311 4311->4306 4312 401f17 4313 402dab 21 API calls 4312->4313 4314 401f1d 4313->4314 4315 402dab 21 API calls 4314->4315 4316 401f26 4315->4316 4317 402dab 21 API calls 4316->4317 4318 401f2f 4317->4318 4319 402dab 21 API calls 4318->4319 4320 401f38 4319->4320 4321 401423 28 API calls 4320->4321 4322 401f3f 4321->4322 4329 405b7d ShellExecuteExW 4322->4329 4324 401f87 4325 4069f6 5 API calls 4324->4325 4327 402933 4324->4327 4326 401fa4 FindCloseChangeNotification 4325->4326 4326->4327 4329->4324 4330 402f98 4331 402fc3 4330->4331 4332 402faa SetTimer 4330->4332 4333 403018 4331->4333 4334 402fdd MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4331->4334 4332->4331 4334->4333 3750 40571b 3751 4058c5 3750->3751 3752 40573c GetDlgItem GetDlgItem GetDlgItem 3750->3752 3754 4058f6 3751->3754 3755 4058ce GetDlgItem CreateThread FindCloseChangeNotification 3751->3755 3795 40450b SendMessageW 3752->3795 3757 405921 3754->3757 3759 405946 3754->3759 3760 40590d ShowWindow ShowWindow 3754->3760 3755->3754 3798 4056af 5 API calls 3755->3798 3756 4057ac 3765 4057b3 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3756->3765 3758 405981 3757->3758 3762 405935 3757->3762 3763 40595b ShowWindow 3757->3763 3758->3759 3772 40598f SendMessageW 3758->3772 3764 40453d 8 API calls 3759->3764 3797 40450b SendMessageW 3760->3797 3766 4044af SendMessageW 3762->3766 3768 40597b 
3763->3768 3769 40596d 3763->3769 3767 405954 3764->3767 3770 405821 3765->3770 3771 405805 SendMessageW SendMessageW 3765->3771 3766->3759 3777 4044af SendMessageW 3768->3777 3776 4055dc 28 API calls 3769->3776 3773 405834 3770->3773 3774 405826 SendMessageW 3770->3774 3771->3770 3772->3767 3775 4059a8 CreatePopupMenu 3772->3775 3779 4044d6 22 API calls 3773->3779 3774->3773 3778 406594 21 API calls 3775->3778 3776->3768 3777->3758 3780 4059b8 AppendMenuW 3778->3780 3781 405844 3779->3781 3782 4059d5 GetWindowRect 3780->3782 3783 4059e8 TrackPopupMenu 3780->3783 3784 405881 GetDlgItem SendMessageW 3781->3784 3785 40584d ShowWindow 3781->3785 3782->3783 3783->3767 3786 405a03 3783->3786 3784->3767 3789 4058a8 SendMessageW SendMessageW 3784->3789 3787 405870 3785->3787 3788 405863 ShowWindow 3785->3788 3790 405a1f SendMessageW 3786->3790 3796 40450b SendMessageW 3787->3796 3788->3787 3789->3767 3790->3790 3791 405a3c OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3790->3791 3793 405a61 SendMessageW 3791->3793 3793->3793 3794 405a8a GlobalUnlock SetClipboardData CloseClipboard 3793->3794 3794->3767 3795->3756 3796->3784 3797->3757 4335 401d1c 4336 402d89 21 API calls 4335->4336 4337 401d22 IsWindow 4336->4337 4338 401a25 4337->4338 4339 404d1d 4340 404d49 4339->4340 4341 404d2d 4339->4341 4342 404d7c 4340->4342 4343 404d4f SHGetPathFromIDListW 4340->4343 4350 405b9b GetDlgItemTextW 4341->4350 4345 404d5f 4343->4345 4349 404d66 SendMessageW 4343->4349 4347 40140b 2 API calls 4345->4347 4346 404d3a SendMessageW 4346->4340 4347->4349 4349->4342 4350->4346 4351 40149e 4352 4014ac PostQuitMessage 4351->4352 4353 4023a2 4351->4353 4352->4353 2935 401ba0 2936 401bf1 2935->2936 2937 401bad 2935->2937 2938 401bf6 2936->2938 2939 401c1b GlobalAlloc 2936->2939 2943 401c36 2937->2943 2946 401bc4 2937->2946 2945 4023a2 2938->2945 2973 406557 lstrcpynW 2938->2973 2954 406594 2939->2954 2941 406594 21 API calls 2944 40239c 2941->2944 2943->2941 2943->2945 2974 405bb7 
2944->2974 2971 406557 lstrcpynW 2946->2971 2947 401c08 GlobalFree 2947->2945 2949 401bd3 2972 406557 lstrcpynW 2949->2972 2952 401be2 2978 406557 lstrcpynW 2952->2978 2969 40659f 2954->2969 2955 4067e6 2956 4067ff 2955->2956 3001 406557 lstrcpynW 2955->3001 2956->2943 2958 4067b7 lstrlenW 2958->2969 2959 4066b0 GetSystemDirectoryW 2959->2969 2960 406594 15 API calls 2960->2958 2964 4066c6 GetWindowsDirectoryW 2964->2969 2965 406594 15 API calls 2965->2969 2966 406758 lstrcatW 2966->2969 2969->2955 2969->2958 2969->2959 2969->2960 2969->2964 2969->2965 2969->2966 2970 406728 SHGetPathFromIDListW CoTaskMemFree 2969->2970 2979 406425 2969->2979 2984 40694b GetModuleHandleA 2969->2984 2990 406805 2969->2990 2999 40649e wsprintfW 2969->2999 3000 406557 lstrcpynW 2969->3000 2970->2969 2971->2949 2972->2952 2973->2947 2975 405bcc 2974->2975 2976 405c18 2975->2976 2977 405be0 MessageBoxIndirectW 2975->2977 2976->2945 2977->2976 2978->2945 3002 4063c4 2979->3002 2982 406489 2982->2969 2983 406459 RegQueryValueExW RegCloseKey 2983->2982 2985 406971 GetProcAddress 2984->2985 2986 406967 2984->2986 2987 406980 2985->2987 3006 4068db GetSystemDirectoryW 2986->3006 2987->2969 2989 40696d 2989->2985 2989->2987 2996 406812 2990->2996 2991 40688d CharPrevW 2992 406888 2991->2992 2992->2991 2994 4068ae 2992->2994 2993 40687b CharNextW 2993->2992 2993->2996 2994->2969 2996->2992 2996->2993 2997 406867 CharNextW 2996->2997 2998 406876 CharNextW 2996->2998 3009 405e53 2996->3009 2997->2996 2998->2993 2999->2969 3000->2969 3001->2956 3003 4063d3 3002->3003 3004 4063d7 3003->3004 3005 4063dc RegOpenKeyExW 3003->3005 3004->2982 3004->2983 3005->3004 3007 4068fd wsprintfW LoadLibraryExW 3006->3007 3007->2989 3010 405e59 3009->3010 3011 405e6f 3010->3011 3012 405e60 CharNextW 3010->3012 3011->2996 3012->3010 4354 402621 4355 402dab 21 API calls 4354->4355 4356 402628 4355->4356 4359 406047 GetFileAttributesW CreateFileW 4356->4359 4358 402634 4359->4358 4360 4025a3 4361 402deb 21 API calls 
4360->4361 4362 4025ad 4361->4362 4363 402d89 21 API calls 4362->4363 4364 4025b6 4363->4364 4365 402933 4364->4365 4366 4025d2 RegEnumKeyW 4364->4366 4367 4025de RegEnumValueW 4364->4367 4368 4025f3 RegCloseKey 4366->4368 4367->4368 4368->4365 4370 4015a8 4371 402dab 21 API calls 4370->4371 4372 4015af SetFileAttributesW 4371->4372 4373 4015c1 4372->4373 3233 401fa9 3234 402dab 21 API calls 3233->3234 3235 401faf 3234->3235 3236 4055dc 28 API calls 3235->3236 3237 401fb9 3236->3237 3246 405b3a CreateProcessW 3237->3246 3240 402933 3243 401fd4 3244 401fe2 FindCloseChangeNotification 3243->3244 3254 40649e wsprintfW 3243->3254 3244->3240 3247 401fbf 3246->3247 3248 405b6d CloseHandle 3246->3248 3247->3240 3247->3244 3249 4069f6 WaitForSingleObject 3247->3249 3248->3247 3250 406a10 3249->3250 3251 406a22 GetExitCodeProcess 3250->3251 3255 406987 3250->3255 3251->3243 3254->3244 3256 4069a4 PeekMessageW 3255->3256 3257 4069b4 WaitForSingleObject 3256->3257 3258 40699a DispatchMessageW 3256->3258 3257->3250 3258->3256 3322 40252f 3333 402deb 3322->3333 3325 402dab 21 API calls 3326 402542 3325->3326 3327 40254d RegQueryValueExW 3326->3327 3332 402933 3326->3332 3328 402573 RegCloseKey 3327->3328 3329 40256d 3327->3329 3328->3332 3329->3328 3338 40649e wsprintfW 3329->3338 3334 402dab 21 API calls 3333->3334 3335 402e02 3334->3335 3336 4063c4 RegOpenKeyExW 3335->3336 3337 402539 3336->3337 3337->3325 3338->3328 4374 40202f 4375 402dab 21 API calls 4374->4375 4376 402036 4375->4376 4377 40694b 5 API calls 4376->4377 4378 402045 4377->4378 4379 402061 GlobalAlloc 4378->4379 4382 4020d1 4378->4382 4380 402075 4379->4380 4379->4382 4381 40694b 5 API calls 4380->4381 4383 40207c 4381->4383 4384 40694b 5 API calls 4383->4384 4385 402086 4384->4385 4385->4382 4389 40649e wsprintfW 4385->4389 4387 4020bf 4390 40649e wsprintfW 4387->4390 4389->4387 4390->4382 4391 4021af 4392 402dab 21 API calls 4391->4392 4393 4021b6 4392->4393 4394 402dab 21 API calls 4393->4394 4395 4021c0 
4394->4395 4396 402dab 21 API calls 4395->4396 4397 4021ca 4396->4397 4398 402dab 21 API calls 4397->4398 4399 4021d4 4398->4399 4400 402dab 21 API calls 4399->4400 4401 4021de 4400->4401 4402 40221d CoCreateInstance 4401->4402 4403 402dab 21 API calls 4401->4403 4404 40223c 4402->4404 4403->4402 4405 401423 28 API calls 4404->4405 4406 4022fb 4404->4406 4405->4406 3339 403532 SetErrorMode GetVersionExW 3340 403586 GetVersionExW 3339->3340 3341 4035be 3339->3341 3340->3341 3342 403615 3341->3342 3343 40694b 5 API calls 3341->3343 3344 4068db 3 API calls 3342->3344 3343->3342 3345 40362b lstrlenA 3344->3345 3345->3342 3346 40363b 3345->3346 3347 40694b 5 API calls 3346->3347 3348 403642 3347->3348 3349 40694b 5 API calls 3348->3349 3350 403649 3349->3350 3351 40694b 5 API calls 3350->3351 3355 403655 #17 OleInitialize SHGetFileInfoW 3351->3355 3354 4036a4 GetCommandLineW 3428 406557 lstrcpynW 3354->3428 3427 406557 lstrcpynW 3355->3427 3357 4036b6 3358 405e53 CharNextW 3357->3358 3359 4036dc CharNextW 3358->3359 3367 4036ee 3359->3367 3360 4037f0 3361 403804 GetTempPathW 3360->3361 3429 403501 3361->3429 3363 40381c 3364 403820 GetWindowsDirectoryW lstrcatW 3363->3364 3365 403876 DeleteFileW 3363->3365 3368 403501 12 API calls 3364->3368 3439 403082 GetTickCount GetModuleFileNameW 3365->3439 3366 405e53 CharNextW 3366->3367 3367->3360 3367->3366 3373 4037f2 3367->3373 3370 40383c 3368->3370 3370->3365 3372 403840 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3370->3372 3371 40388a 3374 403a7d ExitProcess OleUninitialize 3371->3374 3378 403931 3371->3378 3382 405e53 CharNextW 3371->3382 3375 403501 12 API calls 3372->3375 3523 406557 lstrcpynW 3373->3523 3376 403ab3 3374->3376 3377 403a8f 3374->3377 3380 40386e 3375->3380 3383 403b37 ExitProcess 3376->3383 3384 403abb GetCurrentProcess OpenProcessToken 3376->3384 3381 405bb7 MessageBoxIndirectW 3377->3381 3467 403c29 3378->3467 3380->3365 3380->3374 3390 403a9d ExitProcess 3381->3390 3395 
4038a9 3382->3395 3386 403ad3 LookupPrivilegeValueW AdjustTokenPrivileges 3384->3386 3387 403b07 3384->3387 3386->3387 3391 40694b 5 API calls 3387->3391 3388 403941 3388->3374 3392 403b0e 3391->3392 3397 403b23 ExitWindowsEx 3392->3397 3400 403b30 3392->3400 3393 403907 3398 405f2e 18 API calls 3393->3398 3394 40394a 3396 405b22 5 API calls 3394->3396 3395->3393 3395->3394 3399 40394f lstrlenW 3396->3399 3397->3383 3397->3400 3401 403913 3398->3401 3526 406557 lstrcpynW 3399->3526 3528 40140b 3400->3528 3401->3374 3524 406557 lstrcpynW 3401->3524 3404 403969 3406 403981 3404->3406 3527 406557 lstrcpynW 3404->3527 3410 4039a7 wsprintfW 3406->3410 3424 4039d3 3406->3424 3407 403926 3525 406557 lstrcpynW 3407->3525 3411 406594 21 API calls 3410->3411 3411->3406 3412 405b05 2 API calls 3412->3424 3413 405aab 2 API calls 3413->3424 3414 4039e3 GetFileAttributesW 3416 4039ef DeleteFileW 3414->3416 3414->3424 3415 403a1d SetCurrentDirectoryW 3417 406317 40 API calls 3415->3417 3416->3424 3419 403a2c CopyFileW 3417->3419 3418 403a1b 3418->3374 3419->3418 3419->3424 3420 405c63 71 API calls 3420->3424 3421 406317 40 API calls 3421->3424 3422 406594 21 API calls 3422->3424 3423 405b3a 2 API calls 3423->3424 3424->3406 3424->3410 3424->3412 3424->3413 3424->3414 3424->3415 3424->3418 3424->3420 3424->3421 3424->3422 3424->3423 3425 403aa5 CloseHandle 3424->3425 3426 4068b4 2 API calls 3424->3426 3425->3418 3426->3424 3427->3354 3428->3357 3430 406805 5 API calls 3429->3430 3432 40350d 3430->3432 3431 403517 3431->3363 3432->3431 3433 405e26 3 API calls 3432->3433 3434 40351f 3433->3434 3435 405b05 2 API calls 3434->3435 3436 403525 3435->3436 3437 406076 2 API calls 3436->3437 3438 403530 3437->3438 3438->3363 3531 406047 GetFileAttributesW CreateFileW 3439->3531 3441 4030c2 3461 4030d2 3441->3461 3532 406557 lstrcpynW 3441->3532 3443 4030e8 3444 405e72 2 API calls 3443->3444 3445 4030ee 3444->3445 3533 406557 lstrcpynW 3445->3533 3447 4030f9 GetFileSize 3448 403110 
3447->3448 3449 4031f3 3447->3449 3448->3449 3452 4034d4 ReadFile 3448->3452 3454 40325f 3448->3454 3448->3461 3463 40301e 6 API calls 3448->3463 3534 40301e 3449->3534 3451 4031fc 3453 40322c GlobalAlloc 3451->3453 3451->3461 3546 4034ea SetFilePointer 3451->3546 3452->3448 3545 4034ea SetFilePointer 3453->3545 3458 40301e 6 API calls 3454->3458 3457 403247 3460 4032b9 35 API calls 3457->3460 3458->3461 3459 403215 3462 4034d4 ReadFile 3459->3462 3465 403253 3460->3465 3461->3371 3464 403220 3462->3464 3463->3448 3464->3453 3464->3461 3465->3461 3466 403290 SetFilePointer 3465->3466 3466->3461 3468 40694b 5 API calls 3467->3468 3469 403c3d 3468->3469 3470 403c43 3469->3470 3471 403c55 3469->3471 3562 40649e wsprintfW 3470->3562 3472 406425 3 API calls 3471->3472 3473 403c85 3472->3473 3474 403ca4 lstrcatW 3473->3474 3477 406425 3 API calls 3473->3477 3476 403c53 3474->3476 3547 403eff 3476->3547 3477->3474 3480 405f2e 18 API calls 3481 403cd6 3480->3481 3482 403d6a 3481->3482 3485 406425 3 API calls 3481->3485 3483 405f2e 18 API calls 3482->3483 3484 403d70 3483->3484 3486 403d80 LoadImageW 3484->3486 3488 406594 21 API calls 3484->3488 3487 403d08 3485->3487 3489 403e26 3486->3489 3490 403da7 RegisterClassW 3486->3490 3487->3482 3491 403d29 lstrlenW 3487->3491 3494 405e53 CharNextW 3487->3494 3488->3486 3493 40140b 2 API calls 3489->3493 3492 403ddd SystemParametersInfoW CreateWindowExW 3490->3492 3522 403e30 3490->3522 3495 403d37 lstrcmpiW 3491->3495 3496 403d5d 3491->3496 3492->3489 3497 403e2c 3493->3497 3498 403d26 3494->3498 3495->3496 3499 403d47 GetFileAttributesW 3495->3499 3500 405e26 3 API calls 3496->3500 3502 403eff 22 API calls 3497->3502 3497->3522 3498->3491 3501 403d53 3499->3501 3503 403d63 3500->3503 3501->3496 3504 405e72 2 API calls 3501->3504 3505 403e3d 3502->3505 3563 406557 lstrcpynW 3503->3563 3504->3496 3507 403e49 ShowWindow 3505->3507 3508 403ecc 3505->3508 3510 4068db 3 API calls 3507->3510 3555 4056af OleInitialize 3508->3555 3512 

    Control-flow Graph (rendered graph; node and edge data omitted)
    APIs
    • SetErrorMode.KERNELBASE ref: 00403555
    • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403580
    • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403593
    • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040362C
    • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403669
    • OleInitialize.OLE32(00000000), ref: 00403670
    • SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 0040368F
    • GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A4
    • CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe",00000020,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036DD
    • GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403815
    • GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403826
    • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 00403832
    • GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
    • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 0040384E
    • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385F
    • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403867
    • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387B
    • lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403954
      • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
    • wsprintfW.USER32 ref: 004039B1
    • GetFileAttributesW.KERNEL32(00437800,C:\Users\user~1\AppData\Local\Temp\), ref: 004039E4
    • DeleteFileW.KERNEL32(00437800), ref: 004039F0
    • SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 00403A1E
      • Part of subcall function 00406317: MoveFileExW.KERNEL32(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321
    • CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,00437800,00000001,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00403A34
      • Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
      • Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
      • Part of subcall function 004068B4: FindFirstFileW.KERNELBASE(771B3420,0042FAB8,C:\,00405F77,C:\,C:\,00000000,C:\,C:\,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C83,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 004068BF
      • Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB
    • ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A7D
    • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A82
    • ExitProcess.KERNEL32 ref: 00403A9F
    • CloseHandle.KERNEL32(00000000,00438000,00438000,?,00437800,00000000), ref: 00403AA6
    • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AC2
    • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC9
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADE
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B01
    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B26
    • ExitProcess.KERNEL32 ref: 00403B49
      • Part of subcall function 00405B05: CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
    • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"$1033$C:\Program Files (x86)\IDmelon$C:\Program Files (x86)\IDmelon\FCP$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$error$~nsu%X.tmp
    • API String ID: 2017177436-805316621
    • Opcode ID: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
    • Instruction ID: 6c1349364f4d22fadfcc29bbd5f82b0434b4f5ba6e08f6571c64e8404a3f48da
    • Opcode Fuzzy Hash: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
    • Instruction Fuzzy Hash: 64F10270604301ABD320AF659D45B2B7AE8EF8570AF10483EF581B22D1DB7DDA45CB6E

    Control-flow Graph (rendered graph; node and edge data omitted)
    APIs
    • GetDlgItem.USER32(?,00000403), ref: 00405779
    • GetDlgItem.USER32(?,000003EE), ref: 00405788
    • GetClientRect.USER32(?,?), ref: 004057C5
    • GetSystemMetrics.USER32(00000002), ref: 004057CC
    • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057ED
    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FE
    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405811
    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581F
    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405832
    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405854
    • ShowWindow.USER32(?,00000008), ref: 00405868
    • GetDlgItem.USER32(?,000003EC), ref: 00405889
    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405899
    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058B2
    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BE
    • GetDlgItem.USER32(?,000003F8), ref: 00405797
      • Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
    • GetDlgItem.USER32(?,000003EC), ref: 004058DB
    • CreateThread.KERNELBASE(00000000,00000000,Function_000056AF,00000000), ref: 004058E9
    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004058F0
    • ShowWindow.USER32(00000000), ref: 00405914
    • ShowWindow.USER32(?,00000008), ref: 00405919
    • ShowWindow.USER32(00000008), ref: 00405963
    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405997
    • CreatePopupMenu.USER32 ref: 004059A8
    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059BC
    • GetWindowRect.USER32(?,?), ref: 004059DC
    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F5
    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2D
    • OpenClipboard.USER32(00000000), ref: 00405A3D
    • EmptyClipboard.USER32 ref: 00405A43
    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4F
    • GlobalLock.KERNEL32(00000000), ref: 00405A59
    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6D
    • GlobalUnlock.KERNEL32(00000000), ref: 00405A8D
    • SetClipboardData.USER32(0000000D,00000000), ref: 00405A98
    • CloseClipboard.USER32 ref: 00405A9E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
    • String ID: {
    • API String ID: 4154960007-366298937
    • Opcode ID: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
    • Instruction ID: 234ab3d0ec1f6487b719ed7b99e1d6b4405f443d9e8d78e252fa94ab3ac4d3a1
    • Opcode Fuzzy Hash: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
    • Instruction Fuzzy Hash: 34B139B1900608FFDB11AF60DD89AAE7B79FB48355F00813AFA41BA1A0C7785A51DF58

    Control-flow Graph (rendered graph; node and edge data omitted)
    APIs
    • DeleteFileW.KERNELBASE(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"), ref: 00405C8C
    • lstrcatW.KERNEL32(0042EA70,\*.*), ref: 00405CD4
    • lstrcatW.KERNEL32(?,0040A014), ref: 00405CF7
    • lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"), ref: 00405CFD
    • FindFirstFileW.KERNELBASE(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"), ref: 00405D0D
    • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAD
    • FindClose.KERNEL32(00000000), ref: 00405DBC
    Strings
    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405C70
    • "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe", xrefs: 00405C6C
    • \*.*, xrefs: 00405CCE
    • pB, xrefs: 00405CBC
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
    • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"$C:\Users\user~1\AppData\Local\Temp\$\*.*$pB
    • API String ID: 2035342205-2685322715
    • Opcode ID: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
    • Instruction ID: 3df5019795aaf58f6817f8e3609a5bcb0d9fa216103f8ca083ea3247371bac5c
    • Opcode Fuzzy Hash: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
    • Instruction Fuzzy Hash: 2441B231400A14BADB21BB65DC8DAAF7678EF81714F24813BF801B11D1DB7C4A81DEAE
    APIs
    • FindFirstFileW.KERNELBASE(771B3420,0042FAB8,C:\,00405F77,C:\,C:\,00000000,C:\,C:\,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C83,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 004068BF
    • FindClose.KERNEL32(00000000), ref: 004068CB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Find$CloseFileFirst
    • String ID: C:\
    • API String ID: 2295610775-3404278061
    • Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
    • Instruction ID: 0f602bcf77736d61886636fd33b874369bd8b56ce32760b4adaf045605f9a717
    • Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
    • Instruction Fuzzy Hash: 24D012725161309BC2406738AD0C84B7B58AF15331751CA37F56BF21E0D7348C6387A9

    Control-flow Graph (rendered graph; node and edge data omitted)
    APIs
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404013
    • ShowWindow.USER32(?), ref: 00404033
    • GetWindowLongW.USER32(?,000000F0), ref: 00404045
    • ShowWindow.USER32(?,00000004), ref: 0040405E
    • DestroyWindow.USER32 ref: 00404072
    • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040408B
    • GetDlgItem.USER32(?,?), ref: 004040AA
    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BE
    • IsWindowEnabled.USER32(00000000), ref: 004040C5
    • GetDlgItem.USER32(?,00000001), ref: 00404170
    • GetDlgItem.USER32(?,00000002), ref: 0040417A
    • SetClassLongW.USER32(?,000000F2,?), ref: 00404194
    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E5
    • GetDlgItem.USER32(?,00000003), ref: 0040428B
    • ShowWindow.USER32(00000000,?), ref: 004042AC
    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042BE
    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042D9
    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EF
    • EnableMenuItem.USER32(00000000), ref: 004042F6
    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430E
    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404321
    • lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040434B
    • SetWindowTextW.USER32(?,0042CA68), ref: 0040435F
    • ShowWindow.USER32(?,0000000A), ref: 00404493
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$Item$MessageSendShow$Long$CallbackDispatcherMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
    • String ID:
    • API String ID: 3964124867-0
    • Opcode ID: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
    • Instruction ID: 911e0a6aef898d83942fe666095560f38e6effa11f08765efd6836b1f10f2e9c
    • Opcode Fuzzy Hash: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
    • Instruction Fuzzy Hash: 29C1B0B1500204BBDB206F61EE89A2B3A68FB85756F01053EF781B51F0CB3958929B2D

    Control-flow Graph (rendered graph; node and edge data omitted)
    APIs
      • Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
      • Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978
    • lstrcatW.KERNEL32(1033,0042CA68), ref: 00403CAA
    • lstrlenW.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files (x86)\IDmelon,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,771B3420), ref: 00403D2A
    • lstrcmpiW.KERNEL32(?,.exe,Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files (x86)\IDmelon,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D3D
    • GetFileAttributesW.KERNEL32(Remove folder: ), ref: 00403D48
    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\IDmelon), ref: 00403D91
      • Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB
    • RegisterClassW.USER32(004336A0), ref: 00403DCE
    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE6
    • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1B
    • ShowWindow.USER32(00000005,00000000), ref: 00403E51
    • GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E7D
    • GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403E8A
    • RegisterClassW.USER32(004336A0), ref: 00403E93
    • DialogBoxParamW.USER32(?,00000000,00403FD7,00000000), ref: 00403EB2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
    • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Program Files (x86)\IDmelon$C:\Users\user~1\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
    • API String ID: 1975747703-1669361303
    • Opcode ID: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
    • Instruction ID: b78af383561608ccb802af496d710159af2d94eef556b4765221653e5b422f1b
    • Opcode Fuzzy Hash: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
    • Instruction Fuzzy Hash: 9F61C270100640BED220AF66ED46F2B3A6CEB85B5AF50013FF945B62E2DB7C59418B6D

    Control-flow Graph

    • (graph rendering not reproduced in text; entry block 403082-4030d0)
    APIs
    • GetTickCount.KERNEL32 ref: 00403093
    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,00000400), ref: 004030AF
      • Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,80000000,00000003), ref: 0040604B
      • Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
    • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,80000000,00000003), ref: 004030FB
    • GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231
    Strings
    • Error launching installer, xrefs: 004030D2
    • soft, xrefs: 00403170
    • Inst, xrefs: 00403167
    • Null, xrefs: 00403179
    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403089
    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258
    • "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe", xrefs: 00403088
    • C:\Users\user\Desktop, xrefs: 004030DD, 004030E2, 004030E8
    • C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, xrefs: 00403099, 004030A8, 004030BC, 004030DC
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
    • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
    • API String ID: 2803837635-3123369064
    • Opcode ID: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
    • Instruction ID: 68b8bf8592918c5e7f10339d86c9767fe938295b8d0ed8def850c2c8f1d184f5
    • Opcode Fuzzy Hash: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
    • Instruction Fuzzy Hash: 8251A071A00204ABDB20AF65DD85B9E7EACEB49356F10417BF900B62D1C77C9F408BAD

    Control-flow Graph

    • (graph rendering not reproduced in text; entry block 406594-40659d)
    APIs
    • GetSystemDirectoryW.KERNEL32(Remove folder: ,00000400), ref: 004066B6
    • GetWindowsDirectoryW.KERNEL32(Remove folder: ,00000400,00000000,Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,?,?,00000000,00000000,00845189,771B23A0), ref: 004066CC
    • SHGetPathFromIDListW.SHELL32(00000000,Remove folder: ), ref: 0040672A
    • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406733
    • lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040675E
    • lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,?,?,00000000,00000000,00845189,771B23A0), ref: 004067B8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
    • String ID: Remove folder: $Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$error
    • API String ID: 4024019347-2608409514
    • Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
    • Instruction ID: fc62ecdfc612bfadb4c03fc2fb2820e4449372332e166df7cb208319b666a0da
    • Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
    • Instruction Fuzzy Hash: 7D612571A046009BD720AF24DD84B6A76E8EF95328F16053FF643B32D0DB7C9961875E

    Control-flow Graph

    • (graph rendering not reproduced in text; entry block 401774-401799)
    APIs
    • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B5
    • CompareFileTime.KERNEL32(-00000014,?,show,show,00000000,00000000,show,C:\Program Files (x86)\IDmelon\FCP,?,?,00000031), ref: 004017DA
      • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
      • Part of subcall function 004055DC: lstrlenW.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,00000000,00845189,771B23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
      • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,00000000,00845189,771B23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
      • Part of subcall function 004055DC: lstrcatW.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,0040341D), ref: 00405637
      • Part of subcall function 004055DC: SetWindowTextW.USER32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\), ref: 00405649
      • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
      • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
      • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
    • String ID: C:\Program Files (x86)\IDmelon\FCP$C:\Users\user~1\AppData\Local\Temp\nstC680.tmp$C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\InstallOptions.dll$show
    • API String ID: 1941528284-3368399969
    • Opcode ID: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
    • Instruction ID: f3bec3fd9c2ad120a03a9c06557e7274b723a0da437845685234e4033458a62e
    • Opcode Fuzzy Hash: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
    • Instruction Fuzzy Hash: 0B419471800108BACB11BFA5DD85DBE76B9EF45328B21423FF412B10E2DB3C8A519A2D

    Control-flow Graph

    • (graph rendering not reproduced in text; entry block 4032b9-4032d0)
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CountTick$wsprintf
    • String ID: *B$ A$ A$... %d%%
    • API String ID: 551687249-3485722521
    • Opcode ID: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
    • Instruction ID: 982be0e2f69b4341102b9ffd21d6361bbd2cc6e706b5ad6adcc0aeecd99e7a45
    • Opcode Fuzzy Hash: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
    • Instruction Fuzzy Hash: 1A516F71910219EBCB11CF65DA44B9E7FB8AF04756F10827BE814BB2D1C7789A40CB99

    Control-flow Graph

    • (graph rendering not reproduced in text; entry block 4055dc-4055f1)
    APIs
    • lstrlenW.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,00000000,00845189,771B23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
    • lstrlenW.KERNEL32(0040341D,Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,00000000,00845189,771B23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
    • lstrcatW.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,0040341D), ref: 00405637
    • SetWindowTextW.USER32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\), ref: 00405649
    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
    • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: MessageSend$lstrlen$TextWindowlstrcat
    • String ID: Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\
    • API String ID: 2531174081-1017858641
    • Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
    • Instruction ID: 906fe2e33ec339045028823105f1a28636d6cdc7c4a53a0106b9bb612f22f5f3
    • Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
    • Instruction Fuzzy Hash: 9121A171900158BACB119F65DD449CFBFB4EF45350F50843AF508B62A0C3794A50CFA8

    Control-flow Graph

    • (graph rendering not reproduced in text; entry block 402955-40296e)
    APIs
    • GlobalAlloc.KERNELBASE(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
    • GlobalFree.KERNEL32(?), ref: 00402A0B
    • GlobalFree.KERNELBASE(00000000), ref: 00402A1E
    • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
    • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Global$AllocFree$CloseDeleteFileHandle
    • String ID:
    • API String ID: 2667972263-0
    • Opcode ID: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
    • Instruction ID: 9240dae09012554c896714223f9a1d047de53ad28ef79bac3653223f28d0231c
    • Opcode Fuzzy Hash: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
    • Instruction Fuzzy Hash: 3931AD71D00124BBCF21AFA5CE89D9E7E79AF49324F10423AF521762E1CB794D419BA8

    Control-flow Graph

    • (graph rendering not reproduced in text; entry block 4068db-4068fb)
    APIs
    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
    • wsprintfW.USER32 ref: 0040692D
    • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406941
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: DirectoryLibraryLoadSystemwsprintf
    • String ID: %s%S.dll$UXTHEME
    • API String ID: 2200240437-1106614640
    • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
    • Instruction ID: a217f45d9ff01499786c61cea798a126a457230594f844882b590dd92c6ddc53
    • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
    • Instruction Fuzzy Hash: 69F0F671501219A6CF14BB68DD0DF9B376CAB40304F21447AA646F20E0EB789B69CBA8

    Control-flow Graph

    • (graph rendering not reproduced in text; entry block 401c48-401c68)
    APIs
    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: MessageSend$Timeout
    • String ID: !
    • API String ID: 1777923405-2657877971
    • Opcode ID: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
    • Instruction ID: 3d1946e732457e70d46414fe723373bc78a31951f468440fe5e33f287296c6aa
    • Opcode Fuzzy Hash: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
    • Instruction Fuzzy Hash: BC21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941DB98

    Control-flow Graph
    control_flow_graph 788 40248f-4024c0 call 402dab * 2 call 402e3b 795 4024c6-4024d0 788->795 796 402c2f-402c3e 788->796 797 4024d2-4024df call 402dab lstrlenW 795->797 798 4024e3-4024e6 795->798 797->798 801 4024e8-4024f9 call 402d89 798->801 802 4024fa-4024fd 798->802 801->802 804 40250e-402522 RegSetValueExW 802->804 805 4024ff-402509 call 4032b9 802->805 810 402524 804->810 811 402527-402608 RegCloseKey 804->811 805->804 810->811 811->796 813 402933-40293a 811->813 813->796
    APIs
    • lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nstC680.tmp,00000023,00000011,00000002), ref: 004024DA
    • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\nstC680.tmp,00000000,00000011,00000002), ref: 0040251A
    • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nstC680.tmp,00000000,00000011,00000002), ref: 00402602
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseValuelstrlen
    • String ID: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp
    • API String ID: 2655323295-3054734393
    • Opcode ID: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
    • Instruction ID: e3d4462d3b771ebaa4f16124ca1672ddbf53c4078f16fd27a1e0ad00bfdc49f7
    • Opcode Fuzzy Hash: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
    • Instruction Fuzzy Hash: 8B117F31900118BEEB10EFA5DE59EAEBAB4EF54358F11443FF504B71C1D7B88E419A58

    Control-flow Graph
    control_flow_graph 814 405f2e-405f49 call 406557 call 405ed1 819 405f4b-405f4d 814->819 820 405f4f-405f5c call 406805 814->820 821 405fa7-405fa9 819->821 824 405f6c-405f70 820->824 825 405f5e-405f64 820->825 826 405f86-405f8f lstrlenW 824->826 825->819 827 405f66-405f6a 825->827 828 405f91-405fa5 call 405e26 GetFileAttributesW 826->828 829 405f72-405f79 call 4068b4 826->829 827->819 827->824 828->821 834 405f80-405f81 call 405e72 829->834 835 405f7b-405f7e 829->835 834->826 835->819 835->834
    APIs
      • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
      • Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C83,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"), ref: 00405EDF
      • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
      • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC
    • lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C83,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"), ref: 00405F87
    • GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C83,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00405F97
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CharNext$AttributesFilelstrcpynlstrlen
    • String ID: C:\$C:\Users\user~1\AppData\Local\Temp\
    • API String ID: 3248276644-1077792641
    • Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
    • Instruction ID: 0bce86d1d95a7c790b53086ee47358a3377499fb664fcb231eb74dc800c81f90
    • Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
    • Instruction Fuzzy Hash: 7AF0F43A105E1269D622733A5C09AAF1555CE86360B5A457BFC91B22C6CF3C8A42CCBE
    APIs
    • GetTickCount.KERNEL32 ref: 00406094
    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C), ref: 004060AF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CountFileNameTempTick
    • String ID: C:\Users\user~1\AppData\Local\Temp\$nsa
    • API String ID: 1716503409-3083371207
    • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
    • Instruction ID: 86e06e500a6970b3bc5bd370241205c1b86a0a172d82c816bfbfc8c597d973d5
    • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
    • Instruction Fuzzy Hash: 65F09076B50204FBEB10CF69ED05F9EB7ACEB95750F11803AED05F7240E6B099548768
    APIs
      • Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C83,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"), ref: 00405EDF
      • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
      • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC
    • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F
      • Part of subcall function 00405AAB: CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405AED
    • SetCurrentDirectoryW.KERNELBASE(?,C:\Program Files (x86)\IDmelon\FCP,?,00000000,000000F0), ref: 00401652
    Strings
    • C:\Program Files (x86)\IDmelon\FCP, xrefs: 00401645
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CharNext$Directory$AttributesCreateCurrentFile
    • String ID: C:\Program Files (x86)\IDmelon\FCP
    • API String ID: 1892508949-3348486767
    • Opcode ID: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
    • Instruction ID: 6fd3d265dcb44280b24f8e6f21651466162e19908bb00ba525d5af3adea1cd3c
    • Opcode Fuzzy Hash: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
    • Instruction Fuzzy Hash: F211E231404104ABCF206FA5CD0159F36B0EF04368B25493FE945B22F1DA3D4A81DA5E
    APIs
      • Part of subcall function 00405B7D: ShellExecuteExW.SHELL32(?), ref: 00405B8C
      • Part of subcall function 004069F6: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
      • Part of subcall function 004069F6: GetExitCodeProcess.KERNELBASE(?,?), ref: 00406A29
    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?), ref: 00401FF0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ChangeCloseCodeExecuteExitFindNotificationObjectProcessShellSingleWait
    • String ID: @$C:\Program Files (x86)\IDmelon\FCP
    • API String ID: 4215836453-3369818710
    • Opcode ID: 89d337900e9320f3d95684fda7007bf5c26350ccfaa4596f3b29f985b3d04bce
    • Instruction ID: 66913655aa2032d7cc32b7d8541d21132be3f6ae7d0383c2f6415210fa0a2f56
    • Opcode Fuzzy Hash: 89d337900e9320f3d95684fda7007bf5c26350ccfaa4596f3b29f985b3d04bce
    • Instruction Fuzzy Hash: 11115B71E042189ADB50EFB9DA49B8DB6F0AF04308F20457FE105F72D2DBBC8945AB18
    APIs
    • RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,Remove folder: ,?,00000000,00406696,80000002), ref: 0040646B
    • RegCloseKey.KERNELBASE(?), ref: 00406476
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseQueryValue
    • String ID: Remove folder:
    • API String ID: 3356406503-1958208860
    • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
    • Instruction ID: 70129269225b3d2074805611e9e9ab3b6623f97616b55adb64abfcd2b3eb4ee3
    • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
    • Instruction Fuzzy Hash: 3F017172540209AADF21CF51CC05EDB3BA8EB54364F114439FD1596190D738D964DBA4
    APIs
    • FreeLibrary.KERNELBASE(?,771B3420,00000000,C:\Users\user~1\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
    • GlobalFree.KERNEL32(00000000), ref: 00403BB5
    Strings
    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403B94
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Free$GlobalLibrary
    • String ID: C:\Users\user~1\AppData\Local\Temp\
    • API String ID: 1100898210-2382934351
    • Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
    • Instruction ID: cb28855b84c3abb27e6c937247341fa4f051846acd49e0d4b6103447305c23c4
    • Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
    • Instruction Fuzzy Hash: 5DE0C23362083097C6311F55EE04B1A7778AF89B2AF01402AEC407B2618B74AC538FCC
    APIs
    • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402108
      • Part of subcall function 004055DC: lstrlenW.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,00000000,00845189,771B23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
      • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,00000000,00845189,771B23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
      • Part of subcall function 004055DC: lstrcatW.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,0040341D), ref: 00405637
      • Part of subcall function 004055DC: SetWindowTextW.USER32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\), ref: 00405649
      • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
      • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
      • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
    • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402119
    • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402196
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
    • String ID:
    • API String ID: 334405425-0
    • Opcode ID: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
    • Instruction ID: 3664ba2fa099400b069473e4dbd5787d756d46fb785c5e03f539e90392346bbf
    • Opcode Fuzzy Hash: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
    • Instruction Fuzzy Hash: C9219231904108BADF11AFA5CF49A9D7A71FF84358F20413FF201B91E1CBBD8982AA5D
    APIs
    • GlobalFree.KERNEL32(007EEE10), ref: 00401C10
    • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C22
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Global$AllocFree
    • String ID: show
    • API String ID: 3394109436-839833857
    • Opcode ID: b2bf5aa3fb98d5d7659b4efbfb09c2738223d3c1d5b8947c58a47baf3ffb3ed2
    • Instruction ID: 52bd34c5afe528d1e7f7705a0b64ffdd7bdb14472fd10e075fda9825736fe234
    • Opcode Fuzzy Hash: b2bf5aa3fb98d5d7659b4efbfb09c2738223d3c1d5b8947c58a47baf3ffb3ed2
    • Instruction Fuzzy Hash: B221F972900254E7D720BF98DD89E5E73B5AB04718711093FF552B76C0D7B8AC019B9D
    APIs
      • Part of subcall function 00406022: GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
      • Part of subcall function 00406022: SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040603B
    • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DFD), ref: 00405C36
    • DeleteFileW.KERNELBASE(?,?,?,00000000,00405DFD), ref: 00405C3E
    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C56
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: File$Attributes$DeleteDirectoryRemove
    • String ID:
    • API String ID: 1655745494-0
    • Opcode ID: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
    • Instruction ID: 2cd832b5149a82f614695d38d41b3aba95dfe4f26efc6ce9164d7e3db346642e
    • Opcode Fuzzy Hash: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
    • Instruction Fuzzy Hash: 9AE02B3110D7915AE32077705E0CB5F2AD8DF86324F05093AF492F10C0DB78488A8A7E
    APIs
    • WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
    • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00406A1C
    • GetExitCodeProcess.KERNELBASE(?,?), ref: 00406A29
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ObjectSingleWait$CodeExitProcess
    • String ID:
    • API String ID: 2567322000-0
    • Opcode ID: 17a38a5c847dd8245057c7588e6ed0bb749bee8eb0eab1a955a98d2ec77b2a61
    • Instruction ID: 7df20da1addfcb38db7f968568525e0055db05351d7e2d981a5b9d81d63ff89b
    • Opcode Fuzzy Hash: 17a38a5c847dd8245057c7588e6ed0bb749bee8eb0eab1a955a98d2ec77b2a61
    • Instruction Fuzzy Hash: 6BE09271600208BBDB00AB54DD01D9E7B6EDB85700F104032BA45BA190C6B19E62DEA4
    APIs
    • SendMessageW.USER32(00000408,?,00000000,0040410E), ref: 004044CD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: x
    • API String ID: 3850602802-2363233923
    • Opcode ID: 940325285312ba596bb559440598d7c93f49923121e0d523c76edeea93f158b3
    • Instruction ID: e4beb0b61e00574a7040becb46ffa3e71e1b9d270ded7914af4e103d951df844
    • Opcode Fuzzy Hash: 940325285312ba596bb559440598d7c93f49923121e0d523c76edeea93f158b3
    • Instruction Fuzzy Hash: 49C012B1180200BADB106B80DE01F067BA0E7A4B02F11A43DF380240B487706462DB0C
    APIs
    • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402560
    • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nstC680.tmp,00000000,00000011,00000002), ref: 00402602
    Similarity
    • API ID: CloseQueryValue
    • String ID:
    • API String ID: 3356406503-0
    APIs
    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
    • SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
    Similarity
    • API ID: MessageSend
    • String ID:
    • API String ID: 3850602802-0
    APIs
    • OleInitialize.OLE32(00000000), ref: 004056BF
      • Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534
    • OleUninitialize.OLE32(00000404,00000000), ref: 0040570B
    Similarity
    • API ID: InitializeMessageSendUninitialize
    • String ID:
    • API String ID: 2896919175-0
    APIs
    • CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405AED
    • GetLastError.KERNEL32 ref: 00405AFB
    Similarity
    • API ID: CreateDirectoryErrorLast
    • String ID:
    • API String ID: 1375471231-0
    APIs
    • ShowWindow.USER32(00000000,00000000), ref: 00401F01
    • EnableWindow.USER32(00000000,00000000), ref: 00401F0C
    Similarity
    • API ID: Window$EnableShow
    • String ID:
    • API String ID: 1136574915-0
    APIs
    • CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
    • CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
    Similarity
    • API ID: CloseCreateHandleProcess
    • String ID:
    • API String ID: 3712363035-0
    APIs
    • GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
    • GetProcAddress.KERNEL32(00000000,?), ref: 00406978
      • Part of subcall function 004068DB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
      • Part of subcall function 004068DB: wsprintfW.USER32 ref: 0040692D
      • Part of subcall function 004068DB: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406941
    Similarity
    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
    • String ID:
    • API String ID: 2547128583-0
    APIs
    • SendMessageW.USER32(?,0000000B,?), ref: 00402C19
    • InvalidateRect.USER32(?), ref: 00402C29
    Similarity
    • API ID: InvalidateMessageRectSend
    • String ID:
    • API String ID: 909852535-0
    APIs
    • GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,80000000,00000003), ref: 0040604B
    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
    Similarity
    • API ID: File$AttributesCreate
    • String ID:
    • API String ID: 415043291-0
    APIs
    • GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
    • SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040603B
    Similarity
    • API ID: AttributesFile
    • String ID:
    • API String ID: 3188754299-0
    APIs
    • CloseHandle.KERNEL32(FFFFFFFF,00403A82,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B5A
    Strings
    • C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\, xrefs: 00403B6E
    Similarity
    • API ID: CloseHandle
    • String ID: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\
    • API String ID: 2962429428-4016859606
    APIs
    • CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
    • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B19
    Similarity
    • API ID: CreateDirectoryErrorLast
    • String ID:
    • API String ID: 1375471231-0
    APIs
      • Part of subcall function 004055DC: lstrlenW.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,00000000,00845189,771B23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
      • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,00000000,00845189,771B23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
      • Part of subcall function 004055DC: lstrcatW.KERNEL32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,0040341D), ref: 00405637
      • Part of subcall function 004055DC: SetWindowTextW.USER32(Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\,Remove folder: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\), ref: 00405649
      • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
      • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
      • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
      • Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
      • Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?), ref: 00401FF0
      • Part of subcall function 004069F6: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
      • Part of subcall function 004069F6: GetExitCodeProcess.KERNELBASE(?,?), ref: 00406A29
      • Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB
    Similarity
    • API ID: MessageSend$CloseProcesslstrlen$ChangeCodeCreateExitFindHandleNotificationObjectSingleTextWaitWindowlstrcatwsprintf
    • String ID:
    • API String ID: 1543427666-0
    APIs
    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023EE
    Similarity
    • API ID: PrivateProfileStringWrite
    • String ID:
    • API String ID: 390214022-0
    APIs
    • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E5C,00000000,?,?), ref: 0040641B
    Similarity
    • API ID: Create
    • String ID:
    • API String ID: 2289755597-0
    • Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
    • Instruction ID: 64249f1610b479570df181ce2e9e182bf10c6facee3c5f7fb09e5bef7ea49c41
    • Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
    • Instruction Fuzzy Hash: E6E0E672010109BFEF095F90DD4AD7B7B1DE708310F11492EF906D5051E6B5E9305674
    APIs
    • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E7,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DE
    Similarity
    • API ID: FileRead
    • String ID:
    • API String ID: 2738559852-0
    • Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
    • Instruction ID: a77d82ba430c16999eb1f2306cb11816df14181100402a9e04059793f1b3015d
    • Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
    • Instruction Fuzzy Hash: 21E08632150219ABCF10DF948C00EEB3B9CFF04390F018436FD11E3040D630E92197A4
    APIs
    • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349D,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040610D
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
    • Instruction ID: 78408803ccc59d93ae5352641a5e7b8f709900c8df5e8e9e13d69f82a1dcf02f
    • Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
    • Instruction Fuzzy Hash: 8FE08C3220021ABBCF109E908C00EEB3FACEB003A0F014432FA26E6050D670E83097A4
    APIs
    • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,00406452,?,?,?,?,Remove folder: ,?,00000000), ref: 004063E8
    Similarity
    • API ID: Open
    • String ID:
    • API String ID: 71445658-0
    • Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
    • Instruction ID: e31b8ecfa4924c4a0859a1c58e61cb12282203f41ec30ad4fda9f6d7c72ae418
    • Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
    • Instruction Fuzzy Hash: 68D0123200020DBBDF115E91ED01FAB3B1DAB08310F014426FE16E5091D776D570A764
    APIs
    • SetDlgItemTextW.USER32(?,?,00000000), ref: 004044F0
    Similarity
    • API ID: ItemText
    • String ID:
    • API String ID: 3367045223-0
    • Opcode ID: 9f5f9317995870dd68fcf34551989b3f9c33a874f6e62bdf9e4bbf2fb329bfe5
    • Instruction ID: 7de84c17979d9acd04fe2f10fa0cd34772232dcf8a9dc4315206a1648baec08d
    • Opcode Fuzzy Hash: 9f5f9317995870dd68fcf34551989b3f9c33a874f6e62bdf9e4bbf2fb329bfe5
    • Instruction Fuzzy Hash: 96C08C31048300BFD242AB04CC42F0FB3E8EF9431AF00C42EB05CE00D2C638A8208A26
    APIs
    • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534
    Similarity
    • API ID: MessageSend
    • String ID:
    • API String ID: 3850602802-0
    • Opcode ID: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
    • Instruction ID: 7d988476d572be30e71f68111afb2513933db934ea5b2002f3fecefde51a3b0c
    • Opcode Fuzzy Hash: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
    • Instruction Fuzzy Hash: ACC04C717402007BDA209F50AD49F07775467A0702F1494797341E51E0C674E550D61C
    APIs
    • SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
    Similarity
    • API ID: MessageSend
    • String ID:
    • API String ID: 3850602802-0
    • Opcode ID: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
    • Instruction ID: 777369a795cbaa9bd4fd16da76cbada5404ff361b75e364c58eeef3f96c31ac9
    • Opcode Fuzzy Hash: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
    • Instruction Fuzzy Hash: 6BB09235181600AADA115B40DE09F867BA2E7A4701F029438B340640B0CBB210A0DB08
    APIs
    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034F8
    Similarity
    • API ID: FilePointer
    • String ID:
    • API String ID: 973152223-0
    • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
    • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
    • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
    • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
    APIs
    • KiUserCallbackDispatcher.NTDLL(?,004042CF), ref: 00404502
    Similarity
    • API ID: CallbackDispatcherUser
    • String ID:
    • API String ID: 2492992576-0
    • Opcode ID: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
    • Instruction ID: 186c68f4495094c0cebc3eb7279f68ffc90812dad8dfd9e689695b78415bb769
    • Opcode Fuzzy Hash: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
    • Instruction Fuzzy Hash: 43A00176544A04ABCE12EB50EF4990ABB62BBA4B01B618879A285514388B325921EB19
    APIs
    • GetDlgItem.USER32(?,000003FB), ref: 00404A16
    • SetWindowTextW.USER32(00000000,?), ref: 00404A40
    • SHBrowseForFolderW.SHELL32(?), ref: 00404AF1
    • CoTaskMemFree.OLE32(00000000), ref: 00404AFC
    • lstrcmpiW.KERNEL32(Remove folder: ,0042CA68,00000000,?,?), ref: 00404B2E
    • lstrcatW.KERNEL32(?,Remove folder: ), ref: 00404B3A
    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B4C
      • Part of subcall function 00405B9B: GetDlgItemTextW.USER32(?,?,00000400,00404B83), ref: 00405BAE
      • Part of subcall function 00406805: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,0040350D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
      • Part of subcall function 00406805: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
      • Part of subcall function 00406805: CharNextW.USER32(?,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,0040350D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
      • Part of subcall function 00406805: CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,0040350D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F
    • GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C0F
    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C2A
      • Part of subcall function 00404D83: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
      • Part of subcall function 00404D83: wsprintfW.USER32 ref: 00404E2D
      • Part of subcall function 00404D83: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40
    Similarity
    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
    • String ID: A$C:\Program Files (x86)\IDmelon$Remove folder: $error
    • API String ID: 2624150263-719220190
    • Opcode ID: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
    • Instruction ID: 8a45afd3ee22384d80319c7ed67abe130e578f1d2b392c1e8909742cb30e522b
    • Opcode Fuzzy Hash: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
    • Instruction Fuzzy Hash: FCA192B1900208ABDB11EFA5DD45BAFB7B8EF84314F11803BF611B62D1D77C9A418B69
    APIs
    • CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E
    Strings
    • C:\Program Files (x86)\IDmelon\FCP, xrefs: 0040226E
    Similarity
    • API ID: CreateInstance
    • String ID: C:\Program Files (x86)\IDmelon\FCP
    • API String ID: 542301482-3348486767
    • Opcode ID: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
    • Instruction ID: f0c409d0c9855dc16f3492d495f607d4fcaf843261c47ee8c1995525671fe781
    • Opcode Fuzzy Hash: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
    • Instruction Fuzzy Hash: 76411471A00208AFCB40DFE4C989EAD7BB5FF48308B20457AF515EB2D1DB799982CB54
    APIs
    • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F
    Similarity
    • API ID: FileFindFirst
    • String ID:
    • API String ID: 1974802433-0
    • Opcode ID: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
    • Instruction ID: 4f8030157269cd498ea314d5a86e386b0cfb994e1dea9c94a4400a3869289cfc
    • Opcode Fuzzy Hash: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
    • Instruction Fuzzy Hash: 17F08C71A04104AAD701EBE4EE499AEB378EF14324F60457BE102F31E0DBB85E159B2A
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
    • Instruction ID: a5eb8001d75a17d38d83411349fde439c8a9064fda1b18d7f978e280ae41e255
    • Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
    • Instruction Fuzzy Hash: ACE19C71A04709DFCB24CF58C880BAABBF1FF45305F15852EE496A72D1E378AA51CB05
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
    • Instruction ID: e409ec8ffb443055957628c835c79614664982182129ebc37b3e11cb9bcd83e5
    • Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
    • Instruction Fuzzy Hash: ECC14772E04219CBCF18CF68C4905EEBBB2BF98354F25866AD85677380D7346942CF95
    APIs
    • GetDlgItem.USER32(?,000003F9), ref: 00404F5B
    • GetDlgItem.USER32(?,00000408), ref: 00404F66
    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404FB0
    • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC7
    • SetWindowLongW.USER32(?,000000FC,00405550), ref: 00404FE0
    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF4
    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405006
    • SendMessageW.USER32(?,00001109,00000002), ref: 0040501C
    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405028
    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040503A
    • DeleteObject.GDI32(00000000), ref: 0040503D
    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405068
    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405074
    • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510F
    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513F
      • Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405153
    • GetWindowLongW.USER32(?,000000F0), ref: 00405181
    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518F
    • ShowWindow.USER32(?,00000005), ref: 0040519F
    • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040529A
    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FF
    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405314
    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405338
    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405358
    • ImageList_Destroy.COMCTL32(?), ref: 0040536D
    • GlobalFree.KERNEL32(?), ref: 0040537D
    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F6
    • SendMessageW.USER32(?,00001102,?,?), ref: 0040549F
    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AE
    • InvalidateRect.USER32(?,00000000,00000001), ref: 004054D9
    • ShowWindow.USER32(?,00000000), ref: 00405527
    • GetDlgItem.USER32(?,000003FE), ref: 00405532
    • ShowWindow.USER32(00000000), ref: 00405539
    Similarity
    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
    • String ID: $M$N
    • API String ID: 2564846305-813528018
    • Opcode ID: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
    • Instruction ID: 91097811874ce85ba3cc7540bcf7dd58db25a3d6f071223140e4d1ec27d7ea12
    • Opcode Fuzzy Hash: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
    • Instruction Fuzzy Hash: 6C029C70900608AFDF20DF94DD85AAF7BB5FB85314F10817AE611BA2E1D7798A41CF58
    APIs
    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404733
    • GetDlgItem.USER32(?,000003E8), ref: 00404747
    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404764
    • GetSysColor.USER32(?), ref: 00404775
    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404783
    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404791
    • lstrlenW.KERNEL32(?), ref: 00404796
    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A3
    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B8
    • GetDlgItem.USER32(?,0000040A), ref: 00404811
    • SendMessageW.USER32(00000000), ref: 00404818
    • GetDlgItem.USER32(?,000003E8), ref: 00404843
    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404886
    • LoadCursorW.USER32(00000000,00007F02), ref: 00404894
    • SetCursor.USER32(00000000), ref: 00404897
    • LoadCursorW.USER32(00000000,00007F00), ref: 004048B0
    • SetCursor.USER32(00000000), ref: 004048B3
    • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048E2
    • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
    • String ID: N$Remove folder:
    • API String ID: 3103080414-3051863454
    • Opcode ID: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
    • Instruction ID: 3ad42440e7936429012ccc374b67200ab01768f99e4ad58672f49272ac14a637
    • Opcode Fuzzy Hash: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
    • Instruction Fuzzy Hash: 2E6181B1900209BFDB10AF60DD85EAA7B69FB84315F00853AFA05B62D0C779A951DF98
    APIs
    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
    • BeginPaint.USER32(?,?), ref: 00401047
    • GetClientRect.USER32(?,?), ref: 0040105B
    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
    • DeleteObject.GDI32(?), ref: 004010ED
    • CreateFontIndirectW.GDI32(?), ref: 00401105
    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
    • SelectObject.GDI32(00000000,?), ref: 00401140
    • DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
    • SelectObject.GDI32(00000000,00000000), ref: 00401160
    • DeleteObject.GDI32(?), ref: 00401165
    • EndPaint.USER32(?,?), ref: 0040116E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
    • String ID: F
    • API String ID: 941294808-1304234792
    • Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
    • Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
    • Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
    • Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4
    APIs
    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
    • GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1
      • Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
      • Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE
    • GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
    • wsprintfA.USER32 ref: 0040621C
    • GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
    • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4
    • GlobalFree.KERNEL32(00000000), ref: 00406305
    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040630C
      • Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,80000000,00000003), ref: 0040604B
      • Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
    • String ID: %ls=%ls$[Rename]
    • API String ID: 2171350718-461813615
    • Opcode ID: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
    • Instruction ID: 2f157a22eecee44515c187ff3daf75b9e7e255f904fde787f0dd9ddf92a1116e
    • Opcode Fuzzy Hash: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
    • Instruction Fuzzy Hash: C9312271200315BBD2206B619D49F2B3A5CEF85718F16043EFD42FA2C2DB7D99258ABD
    APIs
    • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,0040350D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
    • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
    • CharNextW.USER32(?,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,0040350D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
    • CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,0040350D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F
    Strings
    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406806
    • "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe", xrefs: 00406849
    • *?|<>/":, xrefs: 00406857
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Char$Next$Prev
    • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
    • API String ID: 589700163-3750269992
    • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
    • Instruction ID: fa9c0ef9ae643832d728fa0671e6943ea0b093c18f887e6db6f7fe1f852dcfd9
    • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
    • Instruction Fuzzy Hash: F111932780221299DB303B148C40E7766E8AF54794F52C43FED8A722C0F77C4C9286AD
    APIs
    • GetWindowLongW.USER32(?,000000EB), ref: 0040455A
    • GetSysColor.USER32(00000000), ref: 00404598
    • SetTextColor.GDI32(?,00000000), ref: 004045A4
    • SetBkMode.GDI32(?,?), ref: 004045B0
    • GetSysColor.USER32(?), ref: 004045C3
    • SetBkColor.GDI32(?,?), ref: 004045D3
    • DeleteObject.GDI32(?), ref: 004045ED
    • CreateBrushIndirect.GDI32(?), ref: 004045F7
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
    • String ID:
    • API String ID: 2320649405-0
    • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
    • Instruction ID: 069c4eaec478219780f05c004fc5973679282d3c2eb16bc8cec9dcb23997e36d
    • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
    • Instruction Fuzzy Hash: 592151B1500704ABCB20DF68DE08A5B7BF8AF41714B05892EEA96A22E0D739E944CF54
    APIs
    • ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
    • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
    • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
    • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1
      • Part of subcall function 00406128: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613E
    • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: File$Pointer$ByteCharMultiWide$Read
    • String ID: 9
    • API String ID: 163830602-2366072709
    • Opcode ID: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
    • Instruction ID: e892b7cb172a86a35cdf2d5061c859a119b49b65f2ae0b0c69c9b35c58dd84de
    • Opcode Fuzzy Hash: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
    • Instruction Fuzzy Hash: F151FB75D0411AABDF24DFD4CA85AAEBBB9FF04344F10817BE901B62D0D7B49D828B58
    APIs
    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EAC
    • GetMessagePos.USER32 ref: 00404EB4
    • ScreenToClient.USER32(?,?), ref: 00404ECE
    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EE0
    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F06
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Message$Send$ClientScreen
    • String ID: f
    • API String ID: 41195575-1993550816
    • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
    • Instruction ID: eb967d7d92909976ed67768bbc6bf91133f1097352fa1b537f2083fc5134d3bd
    • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
    • Instruction Fuzzy Hash: AB019E71900219BADB00DB94DD81FFEBBBCAF95710F10412BFB11B61C0C7B4AA018BA4
    APIs
    • GetDC.USER32(?), ref: 00401E56
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
    • MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
    • ReleaseDC.USER32(?,00000000), ref: 00401E89
    • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CapsCreateDeviceFontIndirectRelease
    • String ID: MS Shell Dlg
    • API String ID: 3808545654-76309092
    • Opcode ID: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
    • Instruction ID: a825ad976d3f878f3d1ae6f085165680ecf176d60430839047bda31eedf7821d
    • Opcode Fuzzy Hash: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
    • Instruction Fuzzy Hash: 62017571905240EFE7005BB4EE49BDD3FA4AB15301F10867AF541B61E2C7B904458BED
    APIs
    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
    • MulDiv.KERNEL32(028AE197,00000064,028AF3C8), ref: 00402FE1
    • wsprintfW.USER32 ref: 00402FF1
    • SetWindowTextW.USER32(?,?), ref: 00403001
    • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013
    Strings
    • verifying installer: %d%%, xrefs: 00402FEB
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Text$ItemTimerWindowwsprintf
    • String ID: verifying installer: %d%%
    • API String ID: 1451636040-82062127
    • Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
    • Instruction ID: b4a4546c530c1255e03538258eeb387f0310dfe45b0532776fb26864182fd6cc
    • Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
    • Instruction Fuzzy Hash: 8D014F71640208BBEF209F60DE49FEE3B79AB04344F108039FA02B91D0DBB99A559B59
    APIs
    • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseEnum$DeleteValue
    • String ID:
    • API String ID: 1354259210-0
    • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
    • Instruction ID: 7c59605d0ca35e0e1f1170af87acd2d95b5481229a772e02f8b12e0d157fbf49
    • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
    • Instruction Fuzzy Hash: 2A216B7150010ABFDF119F90CE89EEF7B7DEB54398F100076B949B21E0D7B49E54AA68
    APIs
    • GetDlgItem.USER32(?,?), ref: 00401D9F
    • GetClientRect.USER32(?,?), ref: 00401DEA
    • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
    • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
    • DeleteObject.GDI32(00000000), ref: 00401E3E
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
    • String ID:
    • API String ID: 1849352358-0
    • Opcode ID: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
    • Instruction ID: ff9804e90d7d2423da96771145ec8c84d1acc30631874d8c14b803c0354ed8c3
    • Opcode Fuzzy Hash: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
    • Instruction Fuzzy Hash: 73210772900119AFCB05DF98EE45AEEBBB5EF08314F14003AF945F62A0D7789D81DB98
    APIs
    • lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
    • wsprintfW.USER32 ref: 00404E2D
    • SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ItemTextlstrlenwsprintf
    • String ID: %u.%u%s%s
    • API String ID: 3540041739-3551169577
    • Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
    • Instruction ID: 0fe25742dfe6cfa92c38baccc724587d3b65f537d6828788df476db8ac6fa50e
    • Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
    • Instruction Fuzzy Hash: B111EB336042283BDB109A6DAC45E9E329CDF85374F250237FA65F71D1E978DC2282E8
    APIs
    • CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C83,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"), ref: 00405EDF
    • CharNextW.USER32(00000000), ref: 00405EE4
    • CharNextW.USER32(00000000), ref: 00405EFC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CharNext
    • String ID: C:\
    • API String ID: 3213498283-3404278061
    • Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
    • Instruction ID: 143c5bdbadb979d876a68ad22b5e9fde56015454fa81a7c55dbcd1e73dec783f
    • Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
    • Instruction Fuzzy Hash: 03F09072D04A2395DB317B649C45B7756BCEB587A0B54843BE601F72C0DBBC48818ADA
    APIs
    • lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,0040351F,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E2C
    • CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,0040351F,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E36
    • lstrcatW.KERNEL32(?,0040A014), ref: 00405E48
    Strings
    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405E26
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CharPrevlstrcatlstrlen
    • String ID: C:\Users\user~1\AppData\Local\Temp\
    • API String ID: 2659869361-2382934351
    • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
    • Instruction ID: dcb1dcffde27bcde4b46a4bd7655c85b8e924b1ae314dab144fc932f30a80b76
    • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
    • Instruction Fuzzy Hash: 9DD0A731501534BAC212AB54AD04DDF62AC9F46344381443BF141B30A5C77C5D51D7FD
    APIs
    • lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\InstallOptions.dll), ref: 0040269A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: lstrlen
    • String ID: C:\Users\user~1\AppData\Local\Temp\nstC680.tmp$C:\Users\user~1\AppData\Local\Temp\nstC680.tmp\InstallOptions.dll
    • API String ID: 1659193697-3224196505
    • Opcode ID: 8f503f056602079ae9f30a52096cd2433ded43a0881ed6245ce1ccacdc846449
    • Instruction ID: 71653ae2733df7adc71dfdbaa34589fb2472b89c06e6b839d1f3baa03dac964a
    • Opcode Fuzzy Hash: 8f503f056602079ae9f30a52096cd2433ded43a0881ed6245ce1ccacdc846449
    • Instruction Fuzzy Hash: E011E772A40205BBCB00ABB19E56AAE7671AF50748F21443FF402B71C1EAFD4891565E
    APIs
    • DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
    • GetTickCount.KERNEL32 ref: 0040304F
    • CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
    • ShowWindow.USER32(00000000,00000005), ref: 0040307A
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$CountCreateDestroyDialogParamShowTick
    • String ID:
    • API String ID: 2102729457-0
    • Opcode ID: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
    • Instruction ID: 9291db8f65f8f9a8906298ccab22143765a9ea5c3e1cf5a275661437a5304794
    • Opcode Fuzzy Hash: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
    • Instruction Fuzzy Hash: 22F08970602A21AFC6306F50FE09A9B7F68FB45B52B51053AF445B11ACCB345C91CB9D
    APIs
    • IsWindowVisible.USER32(?), ref: 0040557F
    • CallWindowProcW.USER32(?,?,?,?), ref: 004055D0
      • Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$CallMessageProcSendVisible
    • String ID:
    • API String ID: 3748168415-3916222277
    • Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
    • Instruction ID: 994decb8795c597c60d879b60f38f30bda4d2919c1ffc13ce94f3a2918c86729
    • Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
    • Instruction Fuzzy Hash: 1C01717120060CBFEF219F11DD84A9B3B67EB84794F144037FA41761D5C7398D529A6D
    APIs
    • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,80000000,00000003), ref: 00405E78
    • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,80000000,00000003), ref: 00405E88
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CharPrevlstrlen
    • String ID: C:\Users\user\Desktop
    • API String ID: 2709904686-3976562730
    • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
    • Instruction ID: c6f1eefeac9f22653a6718740f6635ad40246fc98af2d22d27e4b5974eb8f820
    • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
    • Instruction Fuzzy Hash: E1D0A7B3400930EEC312AB04EC04DAF73ACEF123007868827F980A7165D7785D81C6EC
    APIs
    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
    • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD4
    • CharNextA.USER32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE5
    • lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE
    Memory Dump Source
    • Source File: 00000000.00000002.1489801637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1489771448.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489832144.0000000000408000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000040A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000042F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000431000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000435000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.000000000043F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1489865835.0000000000445000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.0000000000448000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1490063188.000000000044A000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: lstrlen$CharNextlstrcmpi
    • String ID:
    • API String ID: 190613189-0
    • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
    • Instruction ID: e9567a821587a5f0376c4e2be66d4cfc8c6f540c5076303c4651ac02cb4e93c6
    • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
    • Instruction Fuzzy Hash: E1F09631105519FFC7029FA5DE00D9FBBA8EF05350B2540B9F840F7250D678DE01AB69

    Control-flow Graph: [rendered graph not recoverable from extraction; function entry 9f3bc3, basic blocks 9f3bc3 through 9f3ff1; executed/not-executed block colouring lost]
    APIs
    • GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 009F3C3F
    • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 009F3C52
    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 009F3C9D
    • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 009F3CA7
    • GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 009F3CF5
    • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 009F3CFF
    • FindFirstFileW.KERNELBASE(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 009F3D52
    • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 009F3D63
    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 009F3E3D
    • DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,00000001,00000000,?), ref: 009F3E51
    • GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 009F3E78
    • MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 009F3E9B
    • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 009F3EB4
    • FindNextFileW.KERNELBASE(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 009F3EC4
    • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 009F3ED9
    • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 009F3F08
    • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 009F3F2A
    • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 009F3F4C
    • RemoveDirectoryW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 009F3F63
    • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 009F3F6D
    • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 009F3F93
    • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 009F3FAE
    • FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 009F3FE4
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
    • String ID: *.*$DEL$dirutil.cpp
    • API String ID: 1544372074-1252831301
    • Opcode ID: 70012ca02a34bf64205e2dedad0cfb712f4e6098c319098cd77d40528182010e
    • Instruction ID: ce4694ae4463e27de9c9cb79e1632d9c15ff1ae06ddf1a6c9375b3e6c830ecaf
    • Opcode Fuzzy Hash: 70012ca02a34bf64205e2dedad0cfb712f4e6098c319098cd77d40528182010e
    • Instruction Fuzzy Hash: CDB1BA71E1023DABEB309A758C45BB6B6B9AF44750F0142A5FF09F7190D7798E90CBA0
    APIs
      • Part of subcall function 009F33D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,009F10DD,?,00000000), ref: 009F33F8
    • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 009F10F6
      • Part of subcall function 009F1174: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,009F111A,cabinet.dll,00000009,?,?,00000000), ref: 009F1185
      • Part of subcall function 009F1174: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,009F111A,cabinet.dll,00000009,?,?,00000000), ref: 009F1190
      • Part of subcall function 009F1174: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 009F119E
      • Part of subcall function 009F1174: GetLastError.KERNEL32(?,?,?,?,009F111A,cabinet.dll,00000009,?,?,00000000), ref: 009F11B9
      • Part of subcall function 009F1174: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 009F11C1
      • Part of subcall function 009F1174: GetLastError.KERNEL32(?,?,?,?,009F111A,cabinet.dll,00000009,?,?,00000000), ref: 009F11D6
    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,00A3B4C0,?,cabinet.dll,00000009,?,?,00000000), ref: 009F1131
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AddressErrorFileLastModuleProc$ChangeCloseCreateFindHandleHeapInformationNameNotification
    • String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
    • API String ID: 2670336470-3151496603
    • Opcode ID: 1818cca69f297051e3e3ad9792bda11b50d82dfa1c3c89242bcee8f517d602b8
    • Instruction ID: 15c8b3c141476ce6e34e70ca2cb30614bf9deea7168e0ed8daac023203c578bc
    • Opcode Fuzzy Hash: 1818cca69f297051e3e3ad9792bda11b50d82dfa1c3c89242bcee8f517d602b8
    • Instruction Fuzzy Hash: EC216D71A1020CABDB10DFA5CC45BEEBBB9EF45310F504119FB20B6291DB709908CBB4
    Strings
    • Failed create working folder., xrefs: 00A09EEA
    • Failed to calculate working folder to ensure it exists., xrefs: 00A09ED4
    • Failed to copy working folder., xrefs: 00A09F12
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CurrentDirectoryErrorLastProcessWindows
    • String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
    • API String ID: 3841436932-2072961686
    • Opcode ID: 5897588af68fd79b5f7b2b442ef51341ac7a707b27f54a95dd45d63b9f39382c
    • Instruction ID: 1602328495ec9634ed0085cb538b6ff1015f61d5d8d7c758e2ae37b8aea3cda0
    • Opcode Fuzzy Hash: 5897588af68fd79b5f7b2b442ef51341ac7a707b27f54a95dd45d63b9f39382c
    • Instruction Fuzzy Hash: A301A732D0462DFBCB22AB59ED06CAF7A79EFC1B20B104255F904A7252DB318E10A7D0
    APIs
    • GetCurrentProcess.KERNEL32(00000000,?,00A247E8,00000000,00A57CF8,0000000C,00A2493F,00000000,00000002,00000000), ref: 00A24833
    • TerminateProcess.KERNEL32(00000000,?,00A247E8,00000000,00A57CF8,0000000C,00A2493F,00000000,00000002,00000000), ref: 00A2483A
    • ExitProcess.KERNEL32 ref: 00A2484C
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: 51c75252c5650811c4b2869b7d0be40ec8b027ac264cb8672847fa7a093539f4
    • Instruction ID: e56ca778543c527457b8f12dba1b82e2dcbc28c6e8549862babea5e44791a760
    • Opcode Fuzzy Hash: 51c75252c5650811c4b2869b7d0be40ec8b027ac264cb8672847fa7a093539f4
    • Instruction Fuzzy Hash: A2E0BF31420658ABCF11AFA9ED09A5A3F6AFB45341F050524FD158B131CB35DD42DA94
    APIs
    • GetProcessHeap.KERNEL32(?,000001C7,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38E5
    • RtlAllocateHeap.NTDLL(00000000,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38EC
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Heap$AllocateProcess
    • String ID:
    • API String ID: 1357844191-0
    • Opcode ID: c50ba0f8c66f50892126896db7dacd57f67f55398147b6a8ecd7b4861e33956e
    • Instruction ID: f751ad3cfacf83869dda95d967bd8ea79183c3fdc9376a731bae8a7f18bfbfbe
    • Opcode Fuzzy Hash: c50ba0f8c66f50892126896db7dacd57f67f55398147b6a8ecd7b4861e33956e
    • Instruction Fuzzy Hash: D1C012321A0208A78B009FF4DC0EC9937ADA7546027008501B605C2110C73CE0149770

    Control-flow Graph: [rendered graph not recoverable from extraction; function entry 9ff86e, basic blocks 9ff86e through 9ffddc; executed/not-executed block colouring lost]
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID:
    • String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
    • API String ID: 0-2956246334
    • Opcode ID: 791f982df9ce669ae5710a236966ccaa355dcbf36f592a8f9f2df330c31228e4
    • Instruction ID: ca0fe596f26d048394ca7992e467ff40fdf954b3ceabca93316a1ac9168c364b
    • Opcode Fuzzy Hash: 791f982df9ce669ae5710a236966ccaa355dcbf36f592a8f9f2df330c31228e4
    • Instruction Fuzzy Hash: DAE1A237E8466DBACF219AA0CD62EFD7A68BF40750F110A75FF14B6190D7A1AD809780

    Control-flow Graph

    [Control-flow graph of the function starting at 009FB389; graph rendering omitted. Named API calls in the graph: GetLastError, SetFilePointerEx, ReadFile]
    APIs
    • GetLastError.KERNEL32(?,?,?,00000000,7774C3F0,00000000), ref: 009FB3FF
    • SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 009FB44C
    • GetLastError.KERNEL32(?,?,?,00000000,7774C3F0,00000000), ref: 009FB452
    • ReadFile.KERNELBASE(00000000,009F435C,00000040,?,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 009FB49A
    • GetLastError.KERNEL32(?,?,?,00000000,7774C3F0,00000000), ref: 009FB4A0
    • SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 009FB4FD
    • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 009FB503
    • ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 009FB54C
    • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 009FB552
    • SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 009FB5C3
    • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 009FB5C9
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$File$Pointer$Read
    • String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
    • API String ID: 2600052162-695169583
    • Opcode ID: cf4cfd7e17f03922d8be3122c38ea8f22d2bb8aef35c5d6869a817d6ca898a6c
    • Instruction ID: c198ddb82e6a51b0d4debdf9601390d868769267d03a5496620520ec02cb04ea
    • Opcode Fuzzy Hash: cf4cfd7e17f03922d8be3122c38ea8f22d2bb8aef35c5d6869a817d6ca898a6c
    • Instruction Fuzzy Hash: B912AF71A40329BBEB20EE65CC85FBBB6E9AF44750F014165BE09EB180E7748D418BA1

    Control-flow Graph

    [Control-flow graph of the function starting at 009FCCB6; graph rendering omitted. Named API calls in the graph: CompareStringW]
    APIs
      • Part of subcall function 009F38D4: GetProcessHeap.KERNEL32(?,000001C7,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38E5
      • Part of subcall function 009F38D4: RtlAllocateHeap.NTDLL(00000000,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38EC
    • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,009F5355,00000000,00A3CA64,009F533D,00000000), ref: 009FCDEC
    Strings
    • Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 009FD0B2
    • Failed to hex decode @CertificateRootThumbprint., xrefs: 009FD0B9
    • embedded, xrefs: 009FCDFE
    • FileSize, xrefs: 009FCEFB
    • DownloadUrl, xrefs: 009FCED2
    • Failed to get @LayoutOnly., xrefs: 009FD090
    • Failed to get @SourcePath., xrefs: 009FD0EA
    • FilePath, xrefs: 009FCDA4
    • Failed to allocate memory for payload structs., xrefs: 009FCD42
    • Failed to get @Id., xrefs: 009FD11A
    • Failed to parse @FileSize., xrefs: 009FD09A
    • Packaging, xrefs: 009FCDBF
    • LayoutOnly, xrefs: 009FCE86
    • download, xrefs: 009FCDDE
    • Failed to get @Packaging., xrefs: 009FD10C
    • Catalog, xrefs: 009FCFE5
    • Failed to select payload nodes., xrefs: 009FCCE4
    • Failed to get next node., xrefs: 009FD121
    • Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 009FD0AB
    • Failed to get @Container., xrefs: 009FD086
    • Failed to get @DownloadUrl., xrefs: 009FD0E3
    • Failed to hex decode the Payload/@Hash., xrefs: 009FD0D5
    • Hash, xrefs: 009FCFB0
    • Failed to get @Hash., xrefs: 009FD0DC
    • payload.cpp, xrefs: 009FCD38
    • Failed to get @Catalog., xrefs: 009FD0CE
    • Failed to get @FileSize., xrefs: 009FD0A4
    • Container, xrefs: 009FCE44
    • CertificateRootThumbprint, xrefs: 009FCF73
    • Failed to find catalog., xrefs: 009FD0C7
    • external, xrefs: 009FCE1A
    • SourcePath, xrefs: 009FCEA9
    • CertificateRootPublicKeyIdentifier, xrefs: 009FCF36
    • Failed to to find container: %ls, xrefs: 009FD07F
    • Failed to get @CertificateRootThumbprint., xrefs: 009FD0C0
    • Payload, xrefs: 009FCCD1
    • Failed to get payload node count., xrefs: 009FCD09
    • Invalid value for @Packaging: %ls, xrefs: 009FD0F9
    • Failed to get @FilePath., xrefs: 009FD113
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Heap$AllocateCompareProcessString
    • String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$download$embedded$external$payload.cpp
    • API String ID: 1171520630-3127305756
    • Opcode ID: 909729b1bdd9acfbc6f83d55cdb3a086692449326b8072c6dfa8ddf3ae41f442
    • Instruction ID: f64b2f8ae11f2cd012a0d9816d6d6fc6730b3397904077b79260fdc1deea7dc2
    • Opcode Fuzzy Hash: 909729b1bdd9acfbc6f83d55cdb3a086692449326b8072c6dfa8ddf3ae41f442
    • Instruction Fuzzy Hash: 2FC1F472E5622DBFCB21DA50CE01EBEBB79BB04764F144A65FA00B7190CB75AE01D790

    Control-flow Graph

    [Control-flow graph of the function starting at 00A10A77; graph rendering omitted. Named API calls in the graph: SetEvent, GetLastError, WaitForSingleObject, ResetEvent, CreateFileW, SetFilePointerEx, SetEndOfFile]
    APIs
    • SetEvent.KERNEL32(?,?,?,?,00000000,00000000,?,00A10621,?,?), ref: 00A10A85
    • GetLastError.KERNEL32(?,?,?,00000000,00000000,?,00A10621,?,?), ref: 00A10A92
    • WaitForSingleObject.KERNEL32(?,?,?,?,?,00000000,00000000,?,00A10621,?,?), ref: 00A10ACE
    • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00A10621,?,?), ref: 00A10AD8
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$EventObjectSingleWait
    • String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
    • API String ID: 3600396749-2104912459
    • Opcode ID: f1b86bc8a2de77c4e103f767d1373848d0a5ba92b808873c78a23a7cf0c39bf6
    • Instruction ID: e52237821ee74fefbf6cd92b5f1f06e4dc6df8df18764868390807a3f1b50127
    • Opcode Fuzzy Hash: f1b86bc8a2de77c4e103f767d1373848d0a5ba92b808873c78a23a7cf0c39bf6
    • Instruction Fuzzy Hash: 8B910472B80721BBE720ABB99D49FA775E5FF04750F014225FE06EA5E0D7A58C8086E1

    Control-flow Graph

    [Control-flow graph of the function starting at 009F508D; graph rendering omitted. Named API calls in the graph: GetModuleHandleW, CoInitializeEx, GetVersionExW, GetLastError, CoUninitialize]
    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 009F510F
      • Part of subcall function 00A303F0: InitializeCriticalSection.KERNEL32(00A5B60C,?,009F511B,00000000,?,?,?,?,?,?), ref: 00A30407
      • Part of subcall function 009F1209: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,009F5137,00000000,?), ref: 009F1247
      • Part of subcall function 009F1209: GetLastError.KERNEL32(?,?,?,009F5137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 009F1251
    • CoInitializeEx.OLE32(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 009F517D
      • Part of subcall function 00A30CD1: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00A30CF2
    • GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 009F520F
    • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 009F5219
    • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 009F549B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
    • String ID: 3.10.4.4718$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$Setup$_Failed$engine.cpp$txt
    • API String ID: 3262001429-867073019
    • Opcode ID: 7874efe4ae79f9430d08062b3c5621e7b7eeddf9005855681eef33bd5b9e5296
    • Instruction ID: 84a8d778ab74c5d53fa2d114c31fd01a45d1b15b7ee8f765c98bf8f6fe0ce2b9
    • Opcode Fuzzy Hash: 7874efe4ae79f9430d08062b3c5621e7b7eeddf9005855681eef33bd5b9e5296
    • Instruction Fuzzy Hash: 8DB1C671E44A2DABDB32AF64CD46BFE76B9AF44311F020195FB08B6251D7709E808F90

    Control-flow Graph

    [Control-flow graph of the function starting at 009F4C33; graph rendering omitted. Named API calls in the graph: CloseHandle, CreateProcessW, GetLastError]
    APIs
      • Part of subcall function 009F33D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,009F10DD,?,00000000), ref: 009F33F8
    • CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 009F4E3A
    • CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 009F4E49
    • CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 009F4E58
    • CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 009F4E63
    Strings
    • Failed to append %ls, xrefs: 009F4D16
    • D, xrefs: 009F4DA3
    • burn.filehandle.self, xrefs: 009F4D3F
    • "%ls" %ls, xrefs: 009F4D74
    • burn.clean.room, xrefs: 009F4CD8
    • burn.filehandle.attached, xrefs: 009F4D11
    • Failed to launch clean room process: %ls, xrefs: 009F4DF1
    • Failed to wait for clean room process: %ls, xrefs: 009F4E1D
    • -%ls="%ls", xrefs: 009F4CE0
    • %ls %ls, xrefs: 009F4D4F
    • engine.cpp, xrefs: 009F4DE4
    • Failed to get path for current process., xrefs: 009F4C7D
    • Failed to allocate full command-line., xrefs: 009F4D88
    • Failed to allocate parameters for unelevated process., xrefs: 009F4CF4
    • Failed to cache to clean room., xrefs: 009F4CBC
    • Failed to append original command line., xrefs: 009F4D63
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseHandle$FileModuleName
    • String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$engine.cpp
    • API String ID: 3884789274-2391192076
    • Opcode ID: 8c03fe2c51a999d713c43d0ce0367fa52f3cb78bbe9a8b6e0b9e2706eb0fc807
    • Instruction ID: 95d7572455f54471cc2d54e7fc33aec12fa95eda2b71598040672bd36d9b531d
    • Opcode Fuzzy Hash: 8c03fe2c51a999d713c43d0ce0367fa52f3cb78bbe9a8b6e0b9e2706eb0fc807
    • Instruction Fuzzy Hash: 60717032D0122DBADF21AAA4CD41EEFBB79BF44720F104625FB14B6291DB745A018BA1

    Control-flow Graph

    [Control-flow graph of the function starting at 00A07337; graph rendering omitted. Named API calls in the graph: GetCurrentProcess]
    Strings
    • WixBundleSourceProcessFolder, xrefs: 00A07522
    • Failed to set source process path variable., xrefs: 00A074F7
    • WixBundleSourceProcessPath, xrefs: 00A074E6
    • Failed to get manifest stream from container., xrefs: 00A073D9
    • Failed to get unique temporary folder for bootstrapper application., xrefs: 00A075BC
    • Failed to overwrite the %ls built-in variable., xrefs: 00A074C9
    • WixBundleOriginalSource, xrefs: 00A07547
    • Failed to set original source variable., xrefs: 00A07558
    • Failed to initialize variables., xrefs: 00A0737E
    • Failed to extract bootstrapper application payloads., xrefs: 00A075DD
    • Failed to open manifest stream., xrefs: 00A073B8
    • Failed to open attached UX container., xrefs: 00A0739B
    • Failed to initialize internal cache functionality., xrefs: 00A0758D
    • Failed to set source process folder variable., xrefs: 00A07533
    • Failed to parse command line., xrefs: 00A07474
    • Failed to load catalog files., xrefs: 00A075FD
    • Failed to get source process folder from path., xrefs: 00A07513
    • WixBundleElevated, xrefs: 00A074B3, 00A074C4
    • Failed to load manifest., xrefs: 00A073F5
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalInitializeSection
    • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath
    • API String ID: 32694325-252221001
    • Opcode ID: c7f1b338e0ead320068d25385feffbc9861ef633a7e74fcd4145286e29fb0855
    • Instruction ID: fafdfe199867aa07bd06dcaf3539775412da63a9e50cd1b9d06cf605c0f60a6c
    • Opcode Fuzzy Hash: c7f1b338e0ead320068d25385feffbc9861ef633a7e74fcd4145286e29fb0855
    • Instruction Fuzzy Hash: B3916272E44A1DBACB129AA8DC55FEFB77CBF04700F044626F616A7181DB31BA448BD1

    Control-flow Graph

    APIs
    • CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,009F4CB6,?,?,00000000,009F4CB6,00000000), ref: 00A08507
    • GetLastError.KERNEL32 ref: 00A08514
    • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,00A3B4F0,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A086F6
    Strings
    • Failed to seek to beginning of engine file: %ls, xrefs: 00A0856D
    • Failed to seek to signature table in exe header., xrefs: 00A08660
    • Failed to zero out original data offset., xrefs: 00A086E8
    • Failed to create engine file at path: %ls, xrefs: 00A08545
    • Failed to seek to original data in exe burn section header., xrefs: 00A086CF
    • msi.dll, xrefs: 00A08608
    • Failed to seek to checksum in exe header., xrefs: 00A085F9
    • Failed to update signature offset., xrefs: 00A08615
    • cabinet.dll, xrefs: 00A0866F
    • cache.cpp, xrefs: 00A08538, 00A085EF, 00A08656, 00A086C5
    • Failed to copy engine from: %ls to: %ls, xrefs: 00A0859C
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ChangeCloseCreateErrorFileFindLastNotification
    • String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
    • API String ID: 4091947256-1976062716
    • Opcode ID: 3550f444f72e8b2b56db2dbc20f3004bd8d2577448d6188ead10c7da88b18087
    • Instruction ID: 8414274cd7a7bd796879bb4a40d3cbd0531d9e6a33375977f7e538301adbf1d2
    • Opcode Fuzzy Hash: 3550f444f72e8b2b56db2dbc20f3004bd8d2577448d6188ead10c7da88b18087
    • Instruction Fuzzy Hash: 8C51E872A407257FEB11ABA89D45F7F76A9EB44710F020225FE01F71C1EB659C0186FA

    Control-flow Graph

    APIs
    • InitializeCriticalSection.KERNEL32(00A07378,009F52B5,00000000,009F533D), ref: 009F7523
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalInitializeSection
    • String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleVersion
    • API String ID: 32694325-826827252
    • Opcode ID: e5d13b40e9cd073b01baca312de214b18d41fb0c5b4e7d9995e1503a87148733
    • Instruction ID: 701020ffdc456682124baec32031304ec6c398ed35b9efec33cad343b8782f16
    • Opcode Fuzzy Hash: e5d13b40e9cd073b01baca312de214b18d41fb0c5b4e7d9995e1503a87148733
    • Instruction Fuzzy Hash: 573217B0D253798BDB65CF598D887DDBAF8BB49B14F5081DAE24CB6211D7B00B848F84

    Control-flow Graph

    APIs
    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,009F5381), ref: 00A08104
      • Part of subcall function 00A3076C: OpenProcessToken.ADVAPI32(?,00000008,?,009F52B5,00000000,?,?,?,?,?,?,?,00A074AB,00000000), ref: 00A3078A
      • Part of subcall function 00A3076C: GetLastError.KERNEL32(?,?,?,?,?,?,?,00A074AB,00000000), ref: 00A30794
      • Part of subcall function 00A3076C: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00A074AB,00000000), ref: 00A3081D
    • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00A0812A
    • GetLastError.KERNEL32 ref: 00A08134
    • GetTempPathW.KERNEL32(00000104,?,00000000), ref: 00A081B1
    • GetLastError.KERNEL32 ref: 00A081BB
    Strings
    • Temp\, xrefs: 00A08189
    • Failed to get windows path for working folder., xrefs: 00A08162
    • Failed to create working folder guid., xrefs: 00A08207
    • Failed to get temp path for working folder., xrefs: 00A081E9
    • Failed to concat Temp directory on windows path for working folder., xrefs: 00A081A1
    • Failed to append bundle id on to temp path for working folder., xrefs: 00A08264
    • Failed to ensure windows path for working folder ended in backslash., xrefs: 00A0817F
    • %ls%ls\, xrefs: 00A0824C
    • Failed to convert working folder guid into string., xrefs: 00A0823A
    • Failed to copy working folder path., xrefs: 00A0827F
    • cache.cpp, xrefs: 00A08158, 00A081DF, 00A08230
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$Process$ChangeCloseCurrentDirectoryFindNotificationOpenPathTempTokenWindows
    • String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
    • API String ID: 58964441-819636856
    • Opcode ID: 2f1914f5f9e1b07328b441e0b224ca4d426112a4b60e900df380abf12c14120a
    • Instruction ID: cdefe3f5b91f00c3fb96034191e3a85f002974af65c7f6b227c83d527f1b31eb
    • Opcode Fuzzy Hash: 2f1914f5f9e1b07328b441e0b224ca4d426112a4b60e900df380abf12c14120a
    • Instruction Fuzzy Hash: 9C411972B41B28BBDB60E7B4DD49FA773A8BB44710F004251FA45E7180EA788D0586EA

    Control-flow Graph

    APIs
    • CoInitializeEx.OLE32(00000000,00000000), ref: 00A10E65
    • CoUninitialize.OLE32 ref: 00A110D9
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: InitializeUninitialize
    • String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
    • API String ID: 3442037557-1168358783
    • Opcode ID: 834bfa7d77f907be7f375b750b1ba1356aff60cfcfe2e84b5d67674e40fd8bf3
    • Instruction ID: 448d1be74ca7d308378df7b2a072dd27f1cc257c5bef4f9a78c70e36a70794be
    • Opcode Fuzzy Hash: 834bfa7d77f907be7f375b750b1ba1356aff60cfcfe2e84b5d67674e40fd8bf3
    • Instruction Fuzzy Hash: 29518E36E90735FBD73057648D46EEB7674EB44760F124225FD02BB280D6A98CC28AE1

    Control-flow Graph

    APIs
    • InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,009F515E,?,?,00000000,?,?), ref: 009F41FE
    • InitializeCriticalSection.KERNEL32(000000D0,?,?,009F515E,?,?,00000000,?,?), ref: 009F4207
    • lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,009F515E,?,?,00000000,?,?), ref: 009F424D
    • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,009F515E,?,?,00000000,?,?), ref: 009F4257
    • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,009F515E,?,?,00000000,?,?), ref: 009F426B
    • lstrlenW.KERNEL32(burn.filehandle.attached,?,?,009F515E,?,?,00000000,?,?), ref: 009F427B
    • lstrlenW.KERNEL32(burn.filehandle.self,?,?,009F515E,?,?,00000000,?,?), ref: 009F42CB
    • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,009F515E,?,?,00000000,?,?), ref: 009F42D5
    • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,009F515E,?,?,00000000,?,?), ref: 009F42E9
    • lstrlenW.KERNEL32(burn.filehandle.self,?,?,009F515E,?,?,00000000,?,?), ref: 009F42F9
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: lstrlen$CompareCriticalInitializeSectionString
    • String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
    • API String ID: 3039292287-3209860532
    • Opcode ID: 5135d50c676bbb5150283c2232314171b71eed0d3120c2d8b6df14410f233b11
    • Instruction ID: e664c171778c3eacdfb493c799067282c819509368e79b096476b20d605fba72
    • Opcode Fuzzy Hash: 5135d50c676bbb5150283c2232314171b71eed0d3120c2d8b6df14410f233b11
    • Instruction Fuzzy Hash: 6251A171A50219BFCB24DB69DC86FABB76DFB45760F000116F718DB290DBB0A950CBA4

    Control-flow Graph

    APIs
    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,009FC319,009F52FD,?,?,009F533D), ref: 009FC170
    • GetLastError.KERNEL32(?,009FC319,009F52FD,?,?,009F533D,009F533D,00000000,?,00000000), ref: 009FC181
    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,009FC319,009F52FD,?,?,009F533D,009F533D,00000000,?), ref: 009FC1D0
    • GetCurrentProcess.KERNEL32(000000FF,00000000,?,009FC319,009F52FD,?,?,009F533D,009F533D,00000000,?,00000000), ref: 009FC1D6
    • DuplicateHandle.KERNELBASE(00000000,?,009FC319,009F52FD,?,?,009F533D,009F533D,00000000,?,00000000), ref: 009FC1D9
    • GetLastError.KERNEL32(?,009FC319,009F52FD,?,?,009F533D,009F533D,00000000,?,00000000), ref: 009FC1E3
    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,009FC319,009F52FD,?,?,009F533D,009F533D,00000000,?,00000000), ref: 009FC235
    • GetLastError.KERNEL32(?,009FC319,009F52FD,?,?,009F533D,009F533D,00000000,?,00000000), ref: 009FC23F
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
    • String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
    • API String ID: 2619879409-373955632
    • Opcode ID: 61c0eda3f67dfc40b748160c34459fa09bfbd5afbefa9ec2db0cceb893345da6
    • Instruction ID: 0f02b2691ff3794d3f00474f4f6617f5bee04961af2b0fdd495ce6697a38ef20
    • Opcode Fuzzy Hash: 61c0eda3f67dfc40b748160c34459fa09bfbd5afbefa9ec2db0cceb893345da6
    • Instruction Fuzzy Hash: BD41D472240309AFEB109F699D85F677BEAEBC5710F118129FA18DB291DB31C801DBB0
    APIs
      • Part of subcall function 009F37EA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 009F3829
      • Part of subcall function 009F37EA: GetLastError.KERNEL32 ref: 009F3833
      • Part of subcall function 00A34932: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00A3495A
    • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00A329FD
    • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00A32A20
    • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00A32A43
    • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00A32A66
    • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00A32A89
    • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00A32AAC
    • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00A32ACF
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AddressProc$ErrorLast$DirectorySystem
    • String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
    • API String ID: 2510051996-1735120554
    • Opcode ID: 9ea69669fe683260cdd884d2a286b66e5352dcb91bd04b648af8cc58b1fec739
    • Instruction ID: 0140b1e4d392d6ecbd782faf105de9eebaf653cb1932ad61d21417a48c972fee
    • Opcode Fuzzy Hash: 9ea69669fe683260cdd884d2a286b66e5352dcb91bd04b648af8cc58b1fec739
    • Instruction Fuzzy Hash: C831E9B0A61308FFDB18DFA5ED62A293BF5B744703740492EF40593A60E7B59802DF20
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00A334DF,00000000,?,00000000), ref: 00A32F3D
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00A1BDED,?,009F52FD,?,00000000,?), ref: 00A32F49
    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00A32F89
    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A32F95
    • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 00A32FA0
    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A32FAA
    • CoCreateInstance.OLE32(00A5B6C8,00000000,00000001,00A3B808,?,?,?,?,?,?,?,?,?,?,?,00A1BDED), ref: 00A32FE5
    • ExitProcess.KERNEL32 ref: 00A33094
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
    • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
    • API String ID: 2124981135-499589564
    • Opcode ID: 852272cc04e741ae87dc1fdb8ad965e8293f7cdff9e2216e24196ded90b04a3b
    • Instruction ID: 93fefb89c3ff1b487a0ba01bb3d6b8135fe3bea66a95dfec7ab84bc6f9cf7efe
    • Opcode Fuzzy Hash: 852272cc04e741ae87dc1fdb8ad965e8293f7cdff9e2216e24196ded90b04a3b
    • Instruction Fuzzy Hash: 56418F32A01315ABDF24DFA8C844BAEB7B5FF45712F114169FA01EB251DB71DE448BA0
    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,009FC285,?,00000000,?,009FC319), ref: 00A114BB
    • GetLastError.KERNEL32(?,009FC285,?,00000000,?,009FC319,009F52FD,?,?,009F533D,009F533D,00000000,?,00000000), ref: 00A114C4
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CreateErrorEventLast
    • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
    • API String ID: 545576003-938279966
    • Opcode ID: 4e60a32103e328695b3410d2e393ee9af516c5298fa7e851c111f1d0acdadb92
    • Instruction ID: 315145d34d90e59c497b818b1a0422fbfa502d9f18fa761ae271bb6da720454f
    • Opcode Fuzzy Hash: 4e60a32103e328695b3410d2e393ee9af516c5298fa7e851c111f1d0acdadb92
    • Instruction Fuzzy Hash: 752106B6A807397AF32066B95C81FB769EDFF847A0F014222FE05E7180E654DC4186F6
    APIs
    • GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 00A2FBD5
    • GetProcAddress.KERNEL32(SystemFunction041), ref: 00A2FBE7
    • GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 00A2FC2A
    • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00A2FC3E
    • GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 00A2FC76
    • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00A2FC8A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AddressProc$ErrorLast
    • String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$cryputil.cpp
    • API String ID: 4214558900-3191127217
    • Opcode ID: 181193ba91356a626f10ec70e59c1fa6686c5c5f72a849316603d0f9d9534f66
    • Instruction ID: 71294ce3625bdd01b7c4bf6b6e5f43b89da6351e71ebca0f774966e994dcd94b
    • Opcode Fuzzy Hash: 181193ba91356a626f10ec70e59c1fa6686c5c5f72a849316603d0f9d9534f66
    • Instruction Fuzzy Hash: 55216571A5073AAED729ABAABD04B2669A1BB50753F010235FD02E7160F7748C06DAF0
    APIs
    • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 00A10657
    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00A1066F
    • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 00A10674
    • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00A10677
    • GetLastError.KERNEL32(?,?), ref: 00A10681
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 00A106F0
    • GetLastError.KERNEL32(?,?), ref: 00A106FD
    Strings
    • Failed to open cabinet file: %hs, xrefs: 00A1072E
    • cabextract.cpp, xrefs: 00A106A5, 00A10721
    • Failed to add virtual file pointer for cab container., xrefs: 00A106D6
    • <the>.cab, xrefs: 00A10650
    • Failed to duplicate handle to cab container., xrefs: 00A106AF
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
    • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
    • API String ID: 3030546534-3446344238
    • Opcode ID: 4693290c92ac34696811f0119024acd1677bc1eafee9ac8e5dfd34e2f4a2bb69
    • Instruction ID: 5f3350005d74a4266b7a0328b13316d6d1ef54972518d48d109d302c6cb5179d
    • Opcode Fuzzy Hash: 4693290c92ac34696811f0119024acd1677bc1eafee9ac8e5dfd34e2f4a2bb69
    • Instruction Fuzzy Hash: 9F310472A41728BBEB20ABA99D49FDB7AADFF44760F100215FE08F7150C7609D518AE4
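Each record's Similarity block carries an API ID and a String ID that summarise the APIs and Strings lists above it; matching those two fields across reports is how an analyst recognises the same WiX Burn engine function (here the cabextract.cpp routine that opens and duplicates the handle to the .cab container) in a different sample. The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own code. It parses a record's APIs and Strings blocks in the format used on this page and rebuilds both IDs. The derivation is inferred from the entries on this page only and is an assumption: API names are split on CamelCase, the tokens Get, Set, Sys, Co, Reg, Key, Rtl, Ex and For and every all-uppercase token (the A/W suffix, ID, CLSID, SH) are dropped, the surviving tokens are grouped by how often they occur (most frequent group first, each group sorted bytewise) and the groups are joined with '$'; the String ID is the set of unique strings sorted bytewise and joined with '$'. The sample record text is copied from the cabextract.cpp entry above (argument lists in the second sample are abridged). The numeric API String ID is a hash the report does not explain and is not reproduced.

```python
"""Rebuild a record's Similarity 'API ID' and 'String ID' from its APIs and
Strings blocks. Added example; the rules are inferred from this page only."""
import re
from collections import Counter

# Sample record text copied from the cabextract.cpp entry of this report.
SAMPLE_RECORD = """\
APIs
• CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 00A10657
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00A1066F
• GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 00A10674
• DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00A10677
• GetLastError.KERNEL32(?,?), ref: 00A10681
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 00A106F0
• GetLastError.KERNEL32(?,?), ref: 00A106FD
Strings
• Failed to open cabinet file: %hs, xrefs: 00A1072E
• cabextract.cpp, xrefs: 00A106A5, 00A10721
• Failed to add virtual file pointer for cab container., xrefs: 00A106D6
• <the>.cab, xrefs: 00A10650
• Failed to duplicate handle to cab container., xrefs: 00A106AF
Memory Dump Source
"""

# Second sample (argument lists abridged) from the record whose APIs block
# lists 'Part of subcall function' entries; the report counts those calls too.
SAMPLE_WITH_SUBCALLS = """\
APIs
  • Part of subcall function 00A1114F: SetFilePointerEx.KERNELBASE(?,?), ref: 00A11177
  • Part of subcall function 00A1114F: GetLastError.KERNEL32(?), ref: 00A11181
• ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 00A1078B
• GetLastError.KERNEL32 ref: 00A10795
Strings
• cabextract.cpp, xrefs: 00A107B9
• Failed to read during cabinet extraction., xrefs: 00A107C3
"""

# 'Name.MODULE' at the start of a bullet, optionally behind a subcall prefix.
_API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.[A-Za-z0-9_]+"
)
# CamelCase splitter: leading capital runs (CLSID in CLSIDFromProgID, SH in
# SHGetFolderPathW), capitalised or lowercase words (lstrlen), trailing
# capital runs (the A/W suffix, ID) and digit runs.
_CAMEL = re.compile(r"[A-Z]+(?=[A-Z][a-z])|[A-Z]?[a-z]+|[A-Z]+|\d+")
# ASSUMPTION: tokens the report drops, inferred from this page's entries only.
DROPPED_TOKENS = {"Get", "Set", "Sys", "Co", "Reg", "Key", "Rtl", "Ex", "For"}


def _section_bullets(record_text, header):
    """Yield the bullet lines directly under the given header ('APIs', 'Strings')."""
    active = False
    for raw in record_text.splitlines():
        line = raw.strip()
        if line == header:
            active = True
            continue
        if not active:
            continue
        if not line.startswith("•"):
            return
        yield line


def parse_api_calls(record_text):
    """API names listed under 'APIs', in order, subcall entries included."""
    names = []
    for line in _section_bullets(record_text, "APIs"):
        m = _API_LINE.match(line)
        if m:
            names.append(m.group("name"))
    return names


def parse_strings(record_text):
    """Strings listed under 'Strings', with the trailing ', xrefs: ...' removed."""
    return [line.lstrip("•").strip().rsplit(", xrefs: ", 1)[0]
            for line in _section_bullets(record_text, "Strings")]


def api_tokens(api_name):
    """Words of one API name that survive the report's normalisation."""
    return [t for t in _CAMEL.findall(api_name)
            if not t.isupper() and not t.isdigit() and t not in DROPPED_TOKENS]


def api_id(api_names):
    """Group tokens by occurrence count (most frequent first), sort each group
    bytewise, concatenate it, and join the groups with '$'."""
    counts = Counter(tok for name in api_names for tok in api_tokens(name))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def string_id(strings):
    """Unique strings, sorted bytewise and joined with '$'."""
    return "$".join(sorted(set(strings)))


def similarity_ids(record_text):
    """(API ID, String ID) for one record, to compare against its Similarity block."""
    return api_id(parse_api_calls(record_text)), string_id(parse_strings(record_text))


if __name__ == "__main__":
    print(similarity_ids(SAMPLE_RECORD))
    print(similarity_ids(SAMPLE_WITH_SUBCALLS))
```

Where a record's Strings block is empty but its String ID is not (as in the burn.filehandle.self entry further down, whose String ID names strings that appear nowhere in its Strings list), only the API side can be checked this way; the hash-style API String ID and the fuzzy hashes stay opaque and are matched as literal values.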
    APIs
    • GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,009F4D0B,?,?), ref: 00A06879
    • GetCurrentProcess.KERNEL32(?,00000000,?,?,009F4D0B,?,?), ref: 00A0687F
    • DuplicateHandle.KERNELBASE(00000000,?,?,009F4D0B,?,?), ref: 00A06882
    • GetLastError.KERNEL32(?,?,009F4D0B,?,?), ref: 00A0688C
    • CloseHandle.KERNEL32(000000FF,?,009F4D0B,?,?), ref: 00A06905
    Strings
    • Failed to duplicate file handle for attached container., xrefs: 00A068BA
    • %ls -%ls=%u, xrefs: 00A068D9
    • core.cpp, xrefs: 00A068B0
    • Failed to append the file handle to the command line., xrefs: 00A068ED
    • burn.filehandle.attached, xrefs: 00A068D2
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CurrentHandleProcess$CloseDuplicateErrorLast
    • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$core.cpp
    • API String ID: 4224961946-4196573879
    • Opcode ID: 8c3e2db19d3c0f4e66bdb2762357a15287fc1b513e520cde15baa7599bfa5e1f
    • Instruction ID: d9c8232e5696469a83b5dbff77ebfd57fa8981299bbab160ae2117735bc23de7
    • Opcode Fuzzy Hash: 8c3e2db19d3c0f4e66bdb2762357a15287fc1b513e520cde15baa7599bfa5e1f
    • Instruction Fuzzy Hash: C111D331E40719FBDB10ABB9AD05A9ABBA9EF04B30F104726FA10E71E0D7718D1197A0
    APIs
    • CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 00A0694B
    • CloseHandle.KERNEL32(00000000), ref: 00A069BB
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseCreateFileHandle
    • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
    • API String ID: 3498533004-3263533295
    • Opcode ID: 2ddf3eab388de00715a2ef5ed8222113aa9880353769355df83d989ec38ad318
    • Instruction ID: a05a9712703910eb0f16710a4dc37be780ee1c19cd5959c0df2b12125950ad7c
    • Opcode Fuzzy Hash: 2ddf3eab388de00715a2ef5ed8222113aa9880353769355df83d989ec38ad318
    • Instruction Fuzzy Hash: 9F11CB32A40714BBC7205AA8EC45F5B77A9EB85B74F010754FD14AB1E2D770581156A1
    APIs
    • OpenProcessToken.ADVAPI32(?,00000008,?,009F52B5,00000000,?,?,?,?,?,?,?,00A074AB,00000000), ref: 00A3078A
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00A074AB,00000000), ref: 00A30794
    • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,00A074AB,00000000), ref: 00A307C6
    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00A074AB,00000000), ref: 00A3081D
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Token$ChangeCloseErrorFindInformationLastNotificationOpenProcess
    • String ID: procutil.cpp
    • API String ID: 2387526074-1178289305
    • Opcode ID: e1f2ac0eb0913e42fe710670d27ea224594e3695e590a266478481009e597bb2
    • Instruction ID: 56e8abec33e82c8e7560e84a1298be00f6da0e658339df041a68553103b078cd
    • Opcode Fuzzy Hash: e1f2ac0eb0913e42fe710670d27ea224594e3695e590a266478481009e597bb2
    • Instruction Fuzzy Hash: 44218171E40228EBDB149B999C44AAEFBE8EF54711F118166FE15E7250D3708E00DBE0
    APIs
    • CoInitialize.OLE32(00000000), ref: 00A3344A
    • InterlockedIncrement.KERNEL32(00A5B6D8), ref: 00A33467
    • CLSIDFromProgID.OLE32(Msxml2.DOMDocument,00A5B6C8,?,?,?,?,?,?), ref: 00A33482
    • CLSIDFromProgID.OLE32(MSXML.DOMDocument,00A5B6C8,?,?,?,?,?,?), ref: 00A3348E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: FromProg$IncrementInitializeInterlocked
    • String ID: MSXML.DOMDocument$Msxml2.DOMDocument
    • API String ID: 2109125048-2356320334
    • Opcode ID: f4543730ee9db3f9cf0d851d1e8f79b2999394ee3b9ed493d377898b80fa3dc2
    • Instruction ID: aeebbb9a2f3d2c831c4721c6be8d5738c6c7244132cbe7dd1c6ad6299adda447
    • Opcode Fuzzy Hash: f4543730ee9db3f9cf0d851d1e8f79b2999394ee3b9ed493d377898b80fa3dc2
    • Instruction Fuzzy Hash: EFF0E52276833567CF22CBEAEC0DF172E65BB80F67F000414FD41D2594D370898286B0
    APIs
    • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00A3495A
    • GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00A34989
    • GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 00A349B3
    • GetLastError.KERNEL32(00000000,00A3B790,?,?,?,00000000,00000000,00000000), ref: 00A349F4
    • GlobalFree.KERNEL32(00000000), ref: 00A34A28
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$Global$AllocFree
    • String ID: fileutil.cpp
    • API String ID: 1145190524-2967768451
    • Opcode ID: 116453044afb0320a76a3a5bf4d3c0d8645a919fe73cef403aa85c2ab76f4564
    • Instruction ID: 04d3b015da649d8ebfc8ed5f8208c1d598fc76393b01cd9bf0eb0463be84e39d
    • Opcode Fuzzy Hash: 116453044afb0320a76a3a5bf4d3c0d8645a919fe73cef403aa85c2ab76f4564
    • Instruction Fuzzy Hash: 5E21A236A40729BBD711ABA99D45AEBFBA9EF89360F014256FE05E7210D7309D00D6F0
    APIs
    • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00A1088A
    • GetLastError.KERNEL32(?,?,?), ref: 00A10894
    Strings
    • Invalid seek type., xrefs: 00A10820
    • cabextract.cpp, xrefs: 00A108B8
    • Failed to move file pointer 0x%x bytes., xrefs: 00A108C5
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
    • API String ID: 2976181284-417918914
    • Opcode ID: 598b976b2b63754a8a5a7ae2e987615f855ebfd4744d9fc64ec260428b106d04
    • Instruction ID: 654d50d7b73a12350109d3241c6fb9f597995137271e53ab165200ecf0cdad92
    • Opcode Fuzzy Hash: 598b976b2b63754a8a5a7ae2e987615f855ebfd4744d9fc64ec260428b106d04
    • Instruction Fuzzy Hash: 78318071A4061AFFDB04DFA9DC84DAAB7B9FB04710F008229F915E7650D770A991CBD0
    APIs
    • VariantInit.OLEAUT32(?), ref: 00A331DD
    • SysAllocString.OLEAUT32(?), ref: 00A331F9
    • VariantClear.OLEAUT32(?), ref: 00A33280
    • SysFreeString.OLEAUT32(00000000), ref: 00A3328B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: StringVariant$AllocClearFreeInit
    • String ID: xmlutil.cpp
    • API String ID: 760788290-1270936966
    • Opcode ID: ec6bd988cc0b133faf37e314ed0dfdbabde74c78d5532e9df3bc4f3b869aa18f
    • Instruction ID: 8a0d6a47d5800fb17b36fbf1119ff6f1a39d8985f9b51320ac828e380116b66e
    • Opcode Fuzzy Hash: ec6bd988cc0b133faf37e314ed0dfdbabde74c78d5532e9df3bc4f3b869aa18f
    • Instruction Fuzzy Hash: CF218232905229ABCF10DBE9C848EEF7BB9AF94721F154158F905AB210DB359E018B90
    APIs
    • CreateDirectoryW.KERNELBASE(009F533D,009F53B5,00000000,00000000,?,00A09EE4,00000000,00000000,009F533D,00000000,009F52B5,00000000,?,?,009FD4AC,009F533D), ref: 009F4021
    • GetLastError.KERNEL32(?,00A09EE4,00000000,00000000,009F533D,00000000,009F52B5,00000000,?,?,009FD4AC,009F533D,00000000,00000000), ref: 009F402F
    • CreateDirectoryW.KERNEL32(009F533D,009F53B5,009F5381,?,00A09EE4,00000000,00000000,009F533D,00000000,009F52B5,00000000,?,?,009FD4AC,009F533D,00000000), ref: 009F4097
    • GetLastError.KERNEL32(?,00A09EE4,00000000,00000000,009F533D,00000000,009F52B5,00000000,?,?,009FD4AC,009F533D,00000000,00000000), ref: 009F40A1
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CreateDirectoryErrorLast
    • String ID: dirutil.cpp
    • API String ID: 1375471231-2193988115
    • Opcode ID: 11a152271f6c254f524462adc0ec6f8e06bafca783736110990b74e539147a4c
    • Instruction ID: 9c41fa20c1df91b4476761f63576876e7cf5f5c56d45ef2f12b2fc8fc6669335
    • Opcode Fuzzy Hash: 11a152271f6c254f524462adc0ec6f8e06bafca783736110990b74e539147a4c
    • Instruction Fuzzy Hash: A911263664033DEAEB311AA15C44B3BB6ACEF91BA0F184125FF06EB050DF648C0193E1
    APIs
    • WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,009F4E16,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 00A30927
    • GetLastError.KERNEL32(?,?,009F4E16,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00A30935
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLastObjectSingleWait
    • String ID: procutil.cpp
    • API String ID: 1211598281-1178289305
    • Opcode ID: b183f07a8f35df796b31b32d16445a00ef0c25d74f965f71b55402fed745a1da
    • Instruction ID: 661271228bf35396437f46378f0a902e4d2265c760e2532641c93127dc2fdc20
    • Opcode Fuzzy Hash: b183f07a8f35df796b31b32d16445a00ef0c25d74f965f71b55402fed745a1da
    • Instruction Fuzzy Hash: 8F11A132E00325EBFB20DFA59C04BAB7AE5EF08360F114216FE15EB251D3348D0196E5
    APIs
      • Part of subcall function 00A1114F: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00A1077D,?,?,?), ref: 00A11177
      • Part of subcall function 00A1114F: GetLastError.KERNEL32(?,00A1077D,?,?,?), ref: 00A11181
    • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 00A1078B
    • GetLastError.KERNEL32 ref: 00A10795
    Strings
    • cabextract.cpp, xrefs: 00A107B9
    • Failed to read during cabinet extraction., xrefs: 00A107C3
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLast$PointerRead
    • String ID: Failed to read during cabinet extraction.$cabextract.cpp
    • API String ID: 2170121939-2426083571
    • Opcode ID: 48dd6f654a126eecfd080f28e8d31ecd1f564660c456a109f5b36411b82398df
    • Instruction ID: 4a243854f85a702e1d7931ad4ddad4237584c1b15392f975c43de1dddf434d03
    • Opcode Fuzzy Hash: 48dd6f654a126eecfd080f28e8d31ecd1f564660c456a109f5b36411b82398df
    • Instruction Fuzzy Hash: D701C472A00624BBDB20DFA8DD04E9A7BA9FF48760F010219FE08E7650D7319A118BE0
    APIs
    • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00A1077D,?,?,?), ref: 00A11177
    • GetLastError.KERNEL32(?,00A1077D,?,?,?), ref: 00A11181
    Strings
    • cabextract.cpp, xrefs: 00A111A5
    • Failed to move to virtual file pointer., xrefs: 00A111AF
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID: Failed to move to virtual file pointer.$cabextract.cpp
    • API String ID: 2976181284-3005670968
    • Opcode ID: 472124d5d4f91adc5faae9aedcb2b9720c67c62ea2d427748f3a1e6c01e6bd93
    • Instruction ID: c9b7972632dc1e4e511bc11c168953751bc51a4ef476f418750c6763b19f54a2
    • Opcode Fuzzy Hash: 472124d5d4f91adc5faae9aedcb2b9720c67c62ea2d427748f3a1e6c01e6bd93
    • Instruction Fuzzy Hash: 8A01FD36640A35BBDB215AAA9C04EC7FFA9EF417A0B00822AFE0896110D7358C60C6E4
    APIs
    • ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00A33E5E
    • GetLastError.KERNEL32 ref: 00A33EC1
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLastRead
    • String ID: fileutil.cpp
    • API String ID: 1948546556-2967768451
    • Opcode ID: a8efe080a5cd136748e53916b8de84367543de2cdaa5d7613556a3de21263b60
    • Instruction ID: 6097cbd1514edfe3da7fe0d175963b349d4751d2038c568b80bdfa2b2a729861
    • Opcode Fuzzy Hash: a8efe080a5cd136748e53916b8de84367543de2cdaa5d7613556a3de21263b60
    • Instruction Fuzzy Hash: 40416B72E042699BDF21CF59CD407EAB7F4BF48351F1081AAB949E7240D7B49EC48BA0
    APIs
    • lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,009F1104,?,?,00000000), ref: 009F503A
    • CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,009F1104,?,?,00000000), ref: 009F506A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CompareStringlstrlen
    • String ID: burn.clean.room
    • API String ID: 1433953587-3055529264
    • Opcode ID: 0a3424a5be7b3af08c49b47286795705d512e4bb148e1dcaa1da583c92258d75
    • Instruction ID: 7beefdd80213a1cc21d6251c9a0a9076ff66a2d1c4867b18611fdf2cb2538103
    • Opcode Fuzzy Hash: 0a3424a5be7b3af08c49b47286795705d512e4bb148e1dcaa1da583c92258d75
    • Instruction Fuzzy Hash: FC01F972600729AE9320CB98AC84D73B76CFB287927154216F70DC3610C7709C51C7E1
    APIs
    • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00A33E85,?,?,?), ref: 00A34D12
    • GetLastError.KERNEL32(?,?,00A33E85,?,?,?), ref: 00A34D1C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLastWrite
    • String ID: fileutil.cpp
    • API String ID: 442123175-2967768451
    • Opcode ID: 49d74a2ab49923d9a2d7f98b74c1e48f47cafd048df27ebe449803899e5b503c
    • Instruction ID: 9378a5581e1fedd509d48aa107a1eaaefe2ed52e5cd63a5f3cb482a8ba6ff90f
    • Opcode Fuzzy Hash: 49d74a2ab49923d9a2d7f98b74c1e48f47cafd048df27ebe449803899e5b503c
    • Instruction Fuzzy Hash: 6CF03C72A11229BBD710DE9ADD45EABBBADFB48761F414216FE05D7140EA30AE1086F0
    APIs
    • SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00A08564,00000000,00000000,00000000,00000000,00000000), ref: 00A347EB
    • GetLastError.KERNEL32(?,?,?,00A08564,00000000,00000000,00000000,00000000,00000000), ref: 00A347F5
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID: fileutil.cpp
    • API String ID: 2976181284-2967768451
    • Opcode ID: 242648c7273307fa93c2403679c378602422605b33eef9e2a57f0c34f7695cb1
    • Instruction ID: 625c6a8a2d21665b3ae386c4797d5340af2d3fc05aa5726e92158b2683818d8d
    • Opcode Fuzzy Hash: 242648c7273307fa93c2403679c378602422605b33eef9e2a57f0c34f7695cb1
    • Instruction Fuzzy Hash: 96F08C71A00229AFEB109F95DC08EAB7BA9EF08350F018119BD09D7220E631DC10DBE0
    APIs
    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 009F3829
    • GetLastError.KERNEL32 ref: 009F3833
    • LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 009F389B
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: DirectoryErrorLastLibraryLoadSystem
    • String ID:
    • API String ID: 1230559179-0
    • Opcode ID: 13ce6ff54b482dbab6a4a7aaa2694759002c2c7fa2332c083d03ae1cd6395aaa
    • Instruction ID: f9f504a3e0b651c2a8246cbca1a15b6cab10e76298aef571cba5629f4402db2c
    • Opcode Fuzzy Hash: 13ce6ff54b482dbab6a4a7aaa2694759002c2c7fa2332c083d03ae1cd6395aaa
    • Instruction Fuzzy Hash: D621DAB2E0132D67DB20DBA49C45FAA776CAB40760F114165BF18E7241E638DE448BE0
    APIs
    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,009F3B34,00000000,?,009F1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,009F13B7), ref: 009F39A3
    • RtlFreeHeap.NTDLL(00000000,?,009F3B34,00000000,?,009F1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,009F13B7,000001C7,00000100), ref: 009F39AA
    • GetLastError.KERNEL32(?,009F3B34,00000000,?,009F1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,009F13B7,000001C7,00000100,?), ref: 009F39B4
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Heap$ErrorFreeLastProcess
    • String ID:
    • API String ID: 406640338-0
    • Opcode ID: fa80d4b497bedf6905207fb0e26a7710c87bb1a8e011376e0bff18af8c60a826
    • Instruction ID: 10b128d620775dd327953b6929e74c3f27902f27e6bea208d289b49073f83b0b
    • Opcode Fuzzy Hash: fa80d4b497bedf6905207fb0e26a7710c87bb1a8e011376e0bff18af8c60a826
    • Instruction Fuzzy Hash: 40D05B32610634678710ABFB6C0C697BE9DEF455E17014122FF05D2110D7358811D7F4
    APIs
    • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00A35699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00A30E52
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Open
    • String ID: regutil.cpp
    • API String ID: 71445658-955085611
    • Opcode ID: 6e6af15df4b1bc700fc8a66386138dc56430d52897ad93f83ec472a1dd5341ef
    • Instruction ID: cfab0ae0ab8f30a9d1e0ff8ab7376798ff43bbcab8d186c112b84618b49145d8
    • Opcode Fuzzy Hash: 6e6af15df4b1bc700fc8a66386138dc56430d52897ad93f83ec472a1dd5341ef
    • Instruction Fuzzy Hash: D2F0A7727012356BDF245A564C10FAB7D95EF446A1F118524FD49DA550E235CC1093D0
    APIs
    • VariantInit.OLEAUT32(?), ref: 00A334CE
      • Part of subcall function 00A32F23: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00A334DF,00000000,?,00000000), ref: 00A32F3D
      • Part of subcall function 00A32F23: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00A1BDED,?,009F52FD,?,00000000,?), ref: 00A32F49
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorHandleInitLastModuleVariant
    • String ID:
    • API String ID: 52713655-0
    • Opcode ID: d681c3670a328bca08db1a4612d820a51ff2ebc0e18c1fa513c5de1f203f52be
    • Instruction ID: f1f192d94a78a953b6645ffe7b186bfe33040c861ec303950fbaf35a799fe806
    • Opcode Fuzzy Hash: d681c3670a328bca08db1a4612d820a51ff2ebc0e18c1fa513c5de1f203f52be
    • Instruction Fuzzy Hash: 79311A76E006299FCB11DFA8C884AEEB7F8EF08710F01456AFD15EB311D6709E048BA0
    APIs
    • RegCloseKey.ADVAPI32(80070490,00000000,80070490,00A5AAA0,00000000,80070490,00000000,?,00A0890E,WiX\Burn,PackageCache,00000000,00A5AAA0,00000000,00000000,80070490), ref: 00A35782
      • Part of subcall function 00A30F6E: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00A30FE4
      • Part of subcall function 00A30F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00A3101F
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: QueryValue$Close
    • String ID:
    • API String ID: 1979452859-0
    • Opcode ID: b0ba5847ec9e29ee5ba546090c2fe0f0a156617502821750da1f473dc75c8b71
    • Instruction ID: 2a9b1298f4edfa6e4cc2aec58c20a813bdca603fd5eadf5abbb49b64642b1ebe
    • Opcode Fuzzy Hash: b0ba5847ec9e29ee5ba546090c2fe0f0a156617502821750da1f473dc75c8b71
    • Instruction Fuzzy Hash: 67117076C00629EBCB21AFBCDD85AAEB66AEB44361F154639FD1167110C3314D50DAD0
    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00A089CA,0000001C,80070490,00000000,00000000,80070490), ref: 009F34E5
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: FolderPath
    • String ID:
    • API String ID: 1514166925-0
    • Opcode ID: 116c7e4d770e263cf0d1612942f0c645f26a9f05983bf1725fac479ae9bcc070
    • Instruction ID: 5a17fc4fa955441b040218efd843344724384f1e6ffe7bc66804eac8bd425b30
    • Opcode Fuzzy Hash: 116c7e4d770e263cf0d1612942f0c645f26a9f05983bf1725fac479ae9bcc070
    • Instruction Fuzzy Hash: 39E0127231122D7BA6026EB25C05EFB7B9CDF057507008055BF44D7050E665E91097B0
    APIs
    • FreeLibrary.KERNELBASE(00000000,00000000,009F547B,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A32DDD
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: FreeLibrary
    • String ID:
    • API String ID: 3664257935-0
    • Opcode ID: 2bd130e7fe3f34f493e0efd1528e69499ffa03b4854d9104af9242107806f7b4
    • Instruction ID: 57bfa96adfc92e287bbca563fd787dffee157a0cb925d53defa62b04a58c2b46
    • Opcode Fuzzy Hash: 2bd130e7fe3f34f493e0efd1528e69499ffa03b4854d9104af9242107806f7b4
    • Instruction Fuzzy Hash: ECE0FEB593A328EB8B10CFD9FD545527BB8BB08B43315065BF500C2A61C3B084429FB0
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00A2F35B
      • Part of subcall function 00A39814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A39891
      • Part of subcall function 00A39814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A398A2
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: e9e56121e634ad5709f252725378c48d0de5fb4f974608f0d58324dc2dddabaa
    • Instruction ID: 303dd7653aa792dcc5e6eaf2464017caa272d75e13a9a87bacf7b9e774a2c32d
    • Opcode Fuzzy Hash: e9e56121e634ad5709f252725378c48d0de5fb4f974608f0d58324dc2dddabaa
    • Instruction Fuzzy Hash: B5B012E1358411BD328493186E07C37016CF1C5F22734C53AB901C5080F8D40C0D0072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00A2F35B
      • Part of subcall function 00A39814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A39891
      • Part of subcall function 00A39814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A398A2
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: fd7328ffc16d352ffa0d816c458b9171533eb230c43b6f8c1b31010e4f3678e0
    • Instruction ID: fe4be9403e9b36703025d28208216769a9543b33a4ad1e6c8fbf8c4a7672e9bb
    • Opcode Fuzzy Hash: fd7328ffc16d352ffa0d816c458b9171533eb230c43b6f8c1b31010e4f3678e0
    • Instruction Fuzzy Hash: 9DB012A1358511BC328493186D06C37016CF1C5F22734C63AF801C5080E8E00C4C0072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00A2F35B
      • Part of subcall function 00A39814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A39891
      • Part of subcall function 00A39814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A398A2
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 6d50b767be5853527d6a594b9cf49683d08b7abd1f3e8129d3786fd6de4b4331
    • Instruction ID: 70be8a8e0874eb55b52192f6a6772ff9a4ccf708b253780c0589f16d861eab22
    • Opcode Fuzzy Hash: 6d50b767be5853527d6a594b9cf49683d08b7abd1f3e8129d3786fd6de4b4331
    • Instruction Fuzzy Hash: 65B012A2358511BC32445314BD06C37022CF1C1F26734C53ABD01D4080E8D40D0C00B2
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00A394E7
      • Part of subcall function 00A39814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A39891
      • Part of subcall function 00A39814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A398A2
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: b2a0a960178db37b0c3e6ce1d21b8c1d6df5c2445df8cd962d7eaba1805bb38f
    • Instruction ID: f49006d589221b208fe41b5341ae0363855e2055aecfc39604639b232adaf565
    • Opcode Fuzzy Hash: b2a0a960178db37b0c3e6ce1d21b8c1d6df5c2445df8cd962d7eaba1805bb38f
    • Instruction Fuzzy Hash: 31B01295369A02BC328462141D03C37011CF5D4F12B30C62ABD04C20C2E8D00C0D0072
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00A394E7
      • Part of subcall function 00A39814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A39891
      • Part of subcall function 00A39814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A398A2
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: fae544c40de06c98ff11260596c858f27e314e529bbf2eecef93b65fe005fcb3
    • Instruction ID: 973f583c0550ba10fee5f3a3ffd125f0259f1db7329601cc27b58e0cf25fc276
    • Opcode Fuzzy Hash: fae544c40de06c98ff11260596c858f27e314e529bbf2eecef93b65fe005fcb3
    • Instruction Fuzzy Hash: F1B01295368701BC324422141D42C37011CF5C0F12B30C62AF904E20C2A8D00C0D0033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 00A394E7
      • Part of subcall function 00A39814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A39891
      • Part of subcall function 00A39814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A398A2
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: c75a8c0f8ef4f361d309dfc90a555319f7733e9a9d88a0582c7c0fe222b37ca1
    • Instruction ID: c09bd5954674a3bbe8a61a8d7632c4a65f0db2759d2eec2de76d88bfc8921e37
    • Opcode Fuzzy Hash: c75a8c0f8ef4f361d309dfc90a555319f7733e9a9d88a0582c7c0fe222b37ca1
    • Instruction Fuzzy Hash: CDB012D5368701BC328462542F03C37011CF5C0F12B30862AFA09D30C2E8D40C0E0032
    APIs
    • lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,009F21B8,?,00000000,?,00000000,?,009F38BD,00000000,?,00000104), ref: 009F14E4
      • Part of subcall function 009F3B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,009F21DC,000001C7,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F3B59
      • Part of subcall function 009F3B51: HeapSize.KERNEL32(00000000,?,009F21DC,000001C7,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F3B60
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Heap$ProcessSizelstrlen
    • String ID:
    • API String ID: 3492610842-0
    • Opcode ID: 8e7bcd09a4547d37e972802a80ea719267086f88c6bb4719cc4cc153802ffef7
    • Instruction ID: 3d4e5a55e27f11e02beb7b92ea3327a7a225a3b1dad4fe6b763ff8248fdaecc8
    • Opcode Fuzzy Hash: 8e7bcd09a4547d37e972802a80ea719267086f88c6bb4719cc4cc153802ffef7
    • Instruction Fuzzy Hash: E701923720021DEBCF219E54DC84FBA779AAB81764F218225FB259B160D6319D509BE0
    APIs
    • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00A3166B
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A31675
    • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00A316C2
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A316C8
    • CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00A31702
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A31708
    • CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 00A31748
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A3174E
    • CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 00A3178E
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A31794
    • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 00A317D4
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A317DA
    • SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 00A318BD
    • LocalFree.KERNEL32(?), ref: 00A319DC
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$CreateKnownWell$DescriptorEntriesFreeInitializeLocalSecurity
    • String ID: srputil.cpp
    • API String ID: 3627156773-4105181634
    • Opcode ID: 6e743f6a057e96d330c20a9ea56b776b65bc7da8c140dccf2d94118712035546
    • Instruction ID: a6d7addd57a2b8dd13dc559226ea99e042e9998d70b0ce8fee0fc1597f5d8928
    • Opcode Fuzzy Hash: 6e743f6a057e96d330c20a9ea56b776b65bc7da8c140dccf2d94118712035546
    • Instruction Fuzzy Hash: 32B14572D40728AAEB20DBA59D44BEBB6FCEF08740F014266FD09F7150E7749D858AB4
    Strings
    • Failed to copy filename for pseudo bundle., xrefs: 00A1C1DF
    • Failed to copy key for pseudo bundle., xrefs: 00A1C30A
    • Failed to copy cache id for pseudo bundle., xrefs: 00A1C327
    • Failed to copy install arguments for related bundle package, xrefs: 00A1C34C
    • Failed to copy version for pseudo bundle., xrefs: 00A1C4D0
    • -%ls, xrefs: 00A1C114
    • pseudobundle.cpp, xrefs: 00A1C141, 00A1C17A, 00A1C269, 00A1C475
    • Failed to append relation type to install arguments for related bundle package, xrefs: 00A1C371
    • Failed to copy display name for pseudo bundle., xrefs: 00A1C4F2
    • Failed to copy download source for pseudo bundle., xrefs: 00A1C231
    • Failed to allocate memory for dependency providers., xrefs: 00A1C481
    • Failed to copy repair arguments for related bundle package, xrefs: 00A1C398
    • Failed to append relation type to repair arguments for related bundle package, xrefs: 00A1C3B9
    • Failed to append relation type to uninstall arguments for related bundle package, xrefs: 00A1C40C
    • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 00A1C186
    • Failed to copy key for pseudo bundle payload., xrefs: 00A1C1BB
    • Failed to allocate memory for pseudo bundle payload hash., xrefs: 00A1C275
    • Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 00A1C14D
    • Failed to copy local source path for pseudo bundle., xrefs: 00A1C203
    • Failed to copy uninstall arguments for related bundle package, xrefs: 00A1C3EB
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Heap$AllocateProcess
    • String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
    • API String ID: 1357844191-2832335422
    • Opcode ID: eb7aab177624fe84df6568dcb90e7ad20dbcf3e295db8857277d0781d8322470
    • Instruction ID: 7eab5216f1b27e32a7d7f966a4b1ef42aecd9555573c92a42da77ddb2dc15443
    • Opcode Fuzzy Hash: eb7aab177624fe84df6568dcb90e7ad20dbcf3e295db8857277d0781d8322470
    • Instruction Fuzzy Hash: 2AC1E271A8465ABFEB15DF68CC55FBAB6A8BF48760F004225FD15EB241D730EC809B90
    APIs
      • Part of subcall function 009FD39D: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00A06E4B,000000B8,00000000,?,00000000,75A4B390), ref: 009FD3AC
      • Part of subcall function 009FD39D: InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 009FD3BB
      • Part of subcall function 009FD39D: LeaveCriticalSection.KERNEL32(000000D0,?,00A06E4B,000000B8,00000000,?,00000000,75A4B390), ref: 009FD3D0
    • ReleaseMutex.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000000), ref: 00A06D9A
    • CloseHandle.KERNEL32(00000000), ref: 00A06DA3
    • CloseHandle.KERNEL32(009F4740,?,00000000,?,00000000,00000001,00000000), ref: 00A06DC0
    Strings
    • Failed to register bundle., xrefs: 00A06C00
    • Failed to elevate., xrefs: 00A06BA5
    • Failed while caching, aborting execution., xrefs: 00A06CA8
    • Another per-machine setup is already executing., xrefs: 00A06BD9
    • crypt32.dll, xrefs: 00A06CD2
    • Engine cannot start apply because it is busy with another action., xrefs: 00A06A2F
    • core.cpp, xrefs: 00A06A9C, 00A06C76
    • Failed to cache engine to working directory., xrefs: 00A06B7F
    • UX aborted apply begin., xrefs: 00A06AA6
    • Failed to set initial apply variables., xrefs: 00A06B18
    • Another per-user setup is already executing., xrefs: 00A06AF1
    • Failed to create cache thread., xrefs: 00A06C80
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseCriticalHandleSection$CompareEnterExchangeInterlockedLeaveMutexRelease
    • String ID: Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$core.cpp$crypt32.dll
    • API String ID: 322611130-4292671789
    • Opcode ID: 96b6d295cc0059690470b89714985cd7b6adf1979dda1a9aaacd9e150d0c085f
    • Instruction ID: 741207412ed68fe9a5e5b0ba36a00ce68ada187f15c53cf348a9353a2b10b8cc
    • Opcode Fuzzy Hash: 96b6d295cc0059690470b89714985cd7b6adf1979dda1a9aaacd9e150d0c085f
    • Instruction Fuzzy Hash: F4C19871E0161EBFDB159BA4D845BEFB7B9FF04318F00422AF615A6181DB709964CBE0
    APIs
    • GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 009F4512
    • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 009F4519
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 009F4523
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 009F4573
    • GetLastError.KERNEL32 ref: 009F457D
    • CloseHandle.KERNEL32(?), ref: 009F4677
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLastProcess$CloseCurrentHandleLookupOpenPrivilegeTokenValue
    • String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$engine.cpp
    • API String ID: 4232854991-1583736410
    • Opcode ID: 6f1144488c6759c64c75ed354838acceac6656cce8851129bfd9e7085b664671
    • Instruction ID: 42b8cf185c7e4029ff3b81aafb5edd71ebc97d98b2fec7c4a120d61dabff3abe
    • Opcode Fuzzy Hash: 6f1144488c6759c64c75ed354838acceac6656cce8851129bfd9e7085b664671
    • Instruction Fuzzy Hash: 5941D572A50729BBEB20ABB99C89BBBB69DFB01751F010129FF05F6190D7644D0187F1
    APIs
    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 00A04D16
    • GetLastError.KERNEL32(?,00000000,?,?,009F442A,?), ref: 00A04D1F
    • CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,009F442A,?), ref: 00A04DC0
    • GetLastError.KERNEL32(?,009F442A,?), ref: 00A04DCD
    • CloseHandle.KERNEL32(00000000,pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,009F442A,?), ref: 00A04E93
    • LocalFree.KERNEL32(00000000,?,009F442A,?), ref: 00A04EC1
    Strings
    • \\.\pipe\%ls, xrefs: 00A04D77
    • Failed to create pipe: %ls, xrefs: 00A04DFE, 00A04E84
    • Failed to allocate full name of cache pipe: %ls, xrefs: 00A04E2A
    • Failed to create the security descriptor for the connection event and pipe., xrefs: 00A04D4D
    • \\.\pipe\%ls.Cache, xrefs: 00A04E14
    • pipe.cpp, xrefs: 00A04D43, 00A04DF1, 00A04E77
    • Failed to allocate full name of pipe: %ls, xrefs: 00A04D8D
    • D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 00A04D11
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: DescriptorErrorLastSecurity$CloseConvertCreateFreeHandleLocalNamedPipeString
    • String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
    • API String ID: 3065245045-3253666091
    • Opcode ID: f7ae95b94a8833da83c6931ce6d90afd939a18b2860495b69966bc8bd0417302
    • Instruction ID: 6f4d3a34700b15b924edb42b54b2ac5b3cabcf471cdeea11888f29f43f0af1eb
    • Opcode Fuzzy Hash: f7ae95b94a8833da83c6931ce6d90afd939a18b2860495b69966bc8bd0417302
    • Instruction Fuzzy Hash: 0651A2B6E40719BFEB119BA4EC46BEEBAB9FF48710F104125FE00B61D0D3755E509AA0
    APIs
    • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,00A09CFF,00000003,000007D0,00000003,?,000007D0,00000000,000007D0), ref: 00A2F9C6
    • GetLastError.KERNEL32 ref: 00A2F9D0
    • CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 00A2FA0D
    • GetLastError.KERNEL32 ref: 00A2FA17
    • CryptDestroyHash.ADVAPI32(00000000), ref: 00A2FAC9
    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00A2FAE0
    • GetLastError.KERNEL32 ref: 00A2FAFB
    • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00A2FB33
    • GetLastError.KERNEL32 ref: 00A2FB3D
    • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 00A2FB76
    • GetLastError.KERNEL32 ref: 00A2FB84
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CryptErrorLast$Hash$Context$AcquireCreateDestroyFileParamPointerRelease
    • String ID: cryputil.cpp
    • API String ID: 1716956426-2185294990
    • Opcode ID: ce6ae0dd61e3c78450f0d0c0775eddf5edc0b4f08c0efd3bec7a0b031934cd28
    • Instruction ID: 06bf5fd00fe1c0bada60713b856c20c1b74321691e86b2da728835835af35262
    • Opcode Fuzzy Hash: ce6ae0dd61e3c78450f0d0c0775eddf5edc0b4f08c0efd3bec7a0b031934cd28
    • Instruction Fuzzy Hash: C351A232A10234AFEB31DBA99D44BE776F9FB08781F014175BE49E6190D3748D818AE0
    Strings
    • Failed to transfer working path to unverified path for payload: %ls., xrefs: 00A09D9F
    • copying, xrefs: 00A09E27
    • moving, xrefs: 00A09E2C, 00A09E34
    • Failed to get cached path for package with cache id: %ls, xrefs: 00A09CC3
    • Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 00A09DC6
    • Failed to create unverified path., xrefs: 00A09D69
    • Failed to concat complete cached path., xrefs: 00A09CEF
    • Failed to move verified file to complete payload path: %ls, xrefs: 00A09E68
    • Failed to reset permissions on unverified cached payload: %ls, xrefs: 00A09DEC
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID:
    • String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
    • API String ID: 0-1289240508
    • Opcode ID: 466ec9af8c990cb2b1b53866467d79a717be1ca1c9b64e07c12c090b7284379f
    • Instruction ID: 62a81927ab6cfbca2eb351ae6d3145cd1b36e1ae127052c4e74cbacf694f1737
    • Opcode Fuzzy Hash: 466ec9af8c990cb2b1b53866467d79a717be1ca1c9b64e07c12c090b7284379f
    • Instruction Fuzzy Hash: 78518135D4061DBBDF126B94ED42FAEBB76AF04740F104165FA00751A2E7729E60AB81
    APIs
    • GetVersionExW.KERNEL32(0000011C), ref: 009F61D2
    • GetLastError.KERNEL32 ref: 009F61DC
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLastVersion
    • String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
    • API String ID: 305913169-1971907631
    • Opcode ID: 7596ee402a69783f656f30d978462ab4ebca1671381a5c783acfb480eb412bf7
    • Instruction ID: ddd90ad2b38ea5c78f9a9a48b6d363234cc01f727315629af998f2c57946d1d5
    • Opcode Fuzzy Hash: 7596ee402a69783f656f30d978462ab4ebca1671381a5c783acfb480eb412bf7
    • Instruction Fuzzy Hash: 96418672E0432CABDB20DBA9CC45EFA7BB8EB89710F10059AF615E7141D6749E81CB50
    APIs
    • EnterCriticalSection.KERNEL32(00A5B60C,00000000,?,?,?,?,00A11014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 00A2FDF0
    • GetCurrentProcessId.KERNEL32(00000000,?,00A11014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 00A2FE00
    • GetCurrentThreadId.KERNEL32 ref: 00A2FE09
    • GetLocalTime.KERNEL32(8007139F,?,00A11014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 00A2FE1F
    • LeaveCriticalSection.KERNEL32(00A5B60C,?,00000000,00000000,0000FDE9), ref: 00A2FF12
    Strings
    • %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 00A2FEB9
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
    • String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
    • API String ID: 296830338-59366893
    • Opcode ID: 34c52d05fd5fa30edb44ac2f78828a2930d819f2b1b2bb6cb1bf17c69a48bda2
    • Instruction ID: 89c7df62ce453b336e4ebaddf0be722a3a2a7f1b357a46e148a14782ad583227
    • Opcode Fuzzy Hash: 34c52d05fd5fa30edb44ac2f78828a2930d819f2b1b2bb6cb1bf17c69a48bda2
    • Instruction Fuzzy Hash: 39417D72E10229AFDB21DBE8ED45ABEB7F9BB48712F504135FA01E6160D7348D41CBA1
    APIs
    • FindFirstFileW.KERNEL32(?,?,?,?,*.*,?,?,?,00000000,.unverified,?), ref: 00A099ED
    • lstrlenW.KERNEL32(?), ref: 00A09A14
    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00A09A74
    • FindClose.KERNEL32(00000000), ref: 00A09A7F
      • Part of subcall function 009F3BC3: GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 009F3C3F
      • Part of subcall function 009F3BC3: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 009F3C52
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
    • String ID: *.*$.unverified
    • API String ID: 457978746-2528915496
    • Opcode ID: 2bbff97d6d8b1574046283bac7717a1b97421e06ed776b60653edb4342d103c2
    • Instruction ID: afc45bc284ba1656923bab6c45b6cc3fba767bf94ee627b6fa4f0fd4ed50cc5b
    • Opcode Fuzzy Hash: 2bbff97d6d8b1574046283bac7717a1b97421e06ed776b60653edb4342d103c2
    • Instruction Fuzzy Hash: 8E416231A0066CAEDB20EB64ED49BEB77B9AF44341F4001A5F548E10E1EB748EC5CF14
    APIs
    • GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 00A38788
    • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 00A3879A
    Strings
    • %04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 00A38771
    • crypt32.dll, xrefs: 00A38758
    • %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 00A387E3
    • feclient.dll, xrefs: 00A38762
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Time$InformationLocalSpecificSystemZone
    • String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
    • API String ID: 1772835396-1985132828
    • Opcode ID: c02998b0a52834e8dd88e1f7d70c00494580d6880e71bbea2fc72156296be088
    • Instruction ID: 5258ebf350dc1cd875c19b8bb0447691fba4557505fd2beac6624687fe2a84f3
    • Opcode Fuzzy Hash: c02998b0a52834e8dd88e1f7d70c00494580d6880e71bbea2fc72156296be088
    • Instruction Fuzzy Hash: B121FAA6900118FAD724DB969C05FBBB3FDFB48B12F10455AFA45D6080E738AE85D770
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLastNameUser
    • String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
    • API String ID: 2054405381-1522884404
    • Opcode ID: 9f3ebf59525738ccab203f058b06959a1f49653ef2afce3e04a85debd463325e
    • Instruction ID: 8ff41382d20ebe0686062f87854b070954575fd89e2aeee260065d29ad035621
    • Opcode Fuzzy Hash: 9f3ebf59525738ccab203f058b06959a1f49653ef2afce3e04a85debd463325e
    • Instruction Fuzzy Hash: A701D632B0132C6BD710EBA59C09AABB7ACEB00720F004256F905E7141EA749E458BE1
    APIs
    • FormatMessageW.KERNEL32(00000900,?,00000000,00000000,00000000,00000000,?,00000000,?,?,00A303EC,?,00000000,?,?,00000001), ref: 00A2FD3F
    • GetLastError.KERNEL32(?,00A303EC,?,00000000,?,?,00000001,?,009F5523,?,?,00000000,?,?,009F528D,00000002), ref: 00A2FD4B
    • LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,00A303EC,?,00000000,?,?,00000001,?,009F5523,?,?), ref: 00A2FDB3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessage
    • String ID: logutil.cpp
    • API String ID: 1365068426-3545173039
    • Opcode ID: 6621cd21dfd3f121ae06366de0abf77a642bccc61b850cffe0c1ed79ea3c4bf3
    • Instruction ID: 1dc054f70f89215cbeaf91413cfa132d33465dc51e3438af78ca3bbb2d6b8566
    • Opcode Fuzzy Hash: 6621cd21dfd3f121ae06366de0abf77a642bccc61b850cffe0c1ed79ea3c4bf3
    • Instruction Fuzzy Hash: B2116A32600229AEDB25AF99EE05EEF7B79EF55710F01403AFE0596160E7318A60D7A1
    APIs
    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00A168EF,00000000,00000003), ref: 00A1695C
    • GetLastError.KERNEL32(?,00A168EF,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,00A16CE1,?), ref: 00A16966
    Strings
    • msuengine.cpp, xrefs: 00A1698A
    • Failed to set service start type., xrefs: 00A16994
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ChangeConfigErrorLastService
    • String ID: Failed to set service start type.$msuengine.cpp
    • API String ID: 1456623077-1628545019
    • Opcode ID: 7664c0bef77d5e45c7947d83a85df5fcb1975904220d502fb050152652593378
    • Instruction ID: 32de133a0955c35574dffb1d8951af142c4bf8ed43c1bfc8a42426cb549417bd
    • Opcode Fuzzy Hash: 7664c0bef77d5e45c7947d83a85df5fcb1975904220d502fb050152652593378
    • Instruction Fuzzy Hash: E7F0653674433477AB1066A96C05F977EC9EF027F1F114325FE28E61D0DA258D0182F5
    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00A23CA8
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00A23CB2
    • UnhandledExceptionFilter.KERNEL32(80003CDD,?,?,?,?,?,?), ref: 00A23CBF
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: b79c64a48ff61912811496e17a2aebb4ed9cbeca07875aea6a6e6fd3bdb256c7
    • Instruction ID: dacf1ed6e587703e096cda0b14d1bb94a7d77b253e3c3f2fa9116b0f7f6095bb
    • Opcode Fuzzy Hash: b79c64a48ff61912811496e17a2aebb4ed9cbeca07875aea6a6e6fd3bdb256c7
    • Instruction Fuzzy Hash: 3C31B57591122CABCB21DF68DD897DDBBB8BF08310F5042EAE81CA7251E7349B858F54
    APIs
      • Part of subcall function 00A33AC9: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00A3396A,?), ref: 00A33B3A
    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A3398E
    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A3399F
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AllocateCheckCloseInitializeMembershipToken
    • String ID:
    • API String ID: 2114926846-0
    • Opcode ID: a5f10a282c18b154783be3fb1a9751c44c7f87d14c9c35b6ddcf06e3ff894a3f
    • Instruction ID: d5f95ba9e7b4dc77d362561cb3eccce79b78c176c50f87cb502982a9677c7e20
    • Opcode Fuzzy Hash: a5f10a282c18b154783be3fb1a9751c44c7f87d14c9c35b6ddcf06e3ff894a3f
    • Instruction Fuzzy Hash: D3112772A1421AEBDF10DFA5CD95BAFBBB8FF08300F50082EB545A6181E7709A44CB65
    APIs
    • GetSystemTime.KERNEL32(?,00000000,?,?,?), ref: 00A385A7
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: SystemTime
    • String ID:
    • API String ID: 2656138-0
    • Opcode ID: d1f74c1d8454d193a9b93f0e911f94612d6408af202a42e2722a335a8d42a549
    • Instruction ID: 1387678cd3f7e2eea3309c8726dfa23d7fc9908b97d93e960459db2776bd4052
    • Opcode Fuzzy Hash: d1f74c1d8454d193a9b93f0e911f94612d6408af202a42e2722a335a8d42a549
    • Instruction Fuzzy Hash: 1AE0127190110DEB8F00EFA4D9018EEB7BCEF15211B504159F905A7140DA30AA1A8BA6
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_0002E77F,00A1DEF8), ref: 00A1E778
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: f51aa395e18334ad6d3ddeb6bc0b01453328f461ec3db85203a87297b345eb44
    • Instruction ID: dbc3ea91e7f262309ba9d91e1afa79f1407b9f684d20e4bb810e79f22a63c5d1
    • Opcode Fuzzy Hash: f51aa395e18334ad6d3ddeb6bc0b01453328f461ec3db85203a87297b345eb44
    • Instruction Fuzzy Hash:
    APIs
    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000,?,?,?), ref: 00A00409
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Close
    • String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.10.4.4718$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString
    • API String ID: 3535843008-3978993339
    • Opcode ID: 4e25eacbc4ef72bb78789de1f0491e8ee62d249510078f5fc9ac51484a17b75a
    • Instruction ID: db351a32e814a1ad9061eb084bfe9c89a0dcd3158c516b66c4cb136f0baecc62
    • Opcode Fuzzy Hash: 4e25eacbc4ef72bb78789de1f0491e8ee62d249510078f5fc9ac51484a17b75a
    • Instruction Fuzzy Hash: 40F1C335A40A2EFBCB235A64DD02FAEBA65BF44710F110661FE00BA6D1D771ED60A7C1
    APIs
    • EnterCriticalSection.KERNEL32(009F533D,?,00000000,80070490,?,?,?,?,?,?,?,?,00A1BF87,?,009F533D,?), ref: 009F837E
    • LeaveCriticalSection.KERNEL32(009F533D,?,?,?,?,?,?,?,?,00A1BF87,?,009F533D,?,009F533D,009F533D,Chain), ref: 009F86DB
    Strings
    • Failed to set variant encryption, xrefs: 009F8674
    • Failed to set variant value., xrefs: 009F8666
    • numeric, xrefs: 009F8493
    • Initializing version variable '%ls' to value '%ls', xrefs: 009F852A
    • Initializing string variable '%ls' to value '%ls', xrefs: 009F84F1
    • version, xrefs: 009F8503
    • Failed to set value of variable: %ls, xrefs: 009F867E
    • Failed to get @Id., xrefs: 009F86C6
    • Failed to insert variable '%ls'., xrefs: 009F859D
    • Failed to get @Value., xrefs: 009F866D
    • Variable, xrefs: 009F8388
    • Failed to get next node., xrefs: 009F86CD
    • variable.cpp, xrefs: 009F8690
    • Type, xrefs: 009F847A
    • Value, xrefs: 009F843C
    • Failed to find variable value '%ls'., xrefs: 009F86A9
    • Failed to select variable nodes., xrefs: 009F839B
    • Invalid value for @Type: %ls, xrefs: 009F864F
    • Failed to get @Persisted., xrefs: 009F86B8
    • Hidden, xrefs: 009F8406
    • Attempt to set built-in variable value: %ls, xrefs: 009F869F
    • string, xrefs: 009F84CE
    • Failed to get variable node count., xrefs: 009F83B8
    • Failed to change variant type., xrefs: 009F86B1
    • Initializing hidden variable '%ls', xrefs: 009F8548
    • Failed to get @Hidden., xrefs: 009F86BF
    • Failed to get @Type., xrefs: 009F865F
    • Initializing numeric variable '%ls' to value '%ls', xrefs: 009F84B9
    • Persisted, xrefs: 009F8421
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
    • API String ID: 3168844106-1614826165
    • Opcode ID: cc059b77f1b6da2df5334ca24e8c33d45d4b523b6893d21a2844a50a8ea58c2a
    • Instruction ID: ae3e03d7b3a796f75d9f34ae87a503a1074c04c6ab9d57dd567fb4d1d01c6c76
    • Opcode Fuzzy Hash: cc059b77f1b6da2df5334ca24e8c33d45d4b523b6893d21a2844a50a8ea58c2a
    • Instruction Fuzzy Hash: CDB1BC72D0022DBBCF51DB94CC46EBFBB79BF44720F104A55FA14BA290CB749A509B90
    APIs
    • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00A0BBCA,00000007,?,?,?), ref: 00A16AD9
      • Part of subcall function 00A309BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,009F5D8F,00000000), ref: 00A309CF
      • Part of subcall function 00A309BB: GetProcAddress.KERNEL32(00000000), ref: 00A309D6
      • Part of subcall function 00A309BB: GetLastError.KERNEL32(?,?,?,009F5D8F,00000000), ref: 00A309ED
    • CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 00A16EC9
    • CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 00A16EDD
    Strings
    • Bootstrapper application aborted during MSU progress., xrefs: 00A16E0D
    • Failed to determine WOW64 status., xrefs: 00A16AEB
    • SysNative\, xrefs: 00A16B23
    • 2, xrefs: 00A16D6C
    • Failed to append SysNative directory., xrefs: 00A16B36
    • Failed to build MSU path., xrefs: 00A16BEE
    • Failed to get process exit code., xrefs: 00A16DE5
    • Failed to find Windows directory., xrefs: 00A16B18
    • wusa.exe, xrefs: 00A16B59
    • msuengine.cpp, xrefs: 00A16D46, 00A16DDB, 00A16E03
    • Failed to get cached path for package: %ls, xrefs: 00A16BB5
    • Failed to append log path to MSU command-line., xrefs: 00A16C8D
    • Failed to ensure WU service was enabled to install MSU package., xrefs: 00A16CE7
    • D, xrefs: 00A16CF4
    • Failed to format MSU install command., xrefs: 00A16C15
    • "%ls" "%ls" /quiet /norestart, xrefs: 00A16C01
    • Failed to format MSU uninstall command., xrefs: 00A16C42
    • Failed to find System32 directory., xrefs: 00A16B4E
    • WixBundleExecutePackageCacheFolder, xrefs: 00A16BC4, 00A16EF5
    • Failed to CreateProcess on path: %ls, xrefs: 00A16D53
    • Failed to allocate WUSA.exe path., xrefs: 00A16B6C
    • Failed to append log switch to MSU command-line., xrefs: 00A16C6F
    • Failed to wait for executable to complete: %ls, xrefs: 00A16E58
    • Failed to get action arguments for MSU package., xrefs: 00A16B8F
    • /log:, xrefs: 00A16C5B
    • "%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 00A16C2E
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
    • String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$WixBundleExecutePackageCacheFolder$msuengine.cpp$wusa.exe
    • API String ID: 1400713077-4261965642
    • Opcode ID: 7c0a5e7b80fa5c802468a3287eb335128e601ee27775adc7a1f9bedc9035b450
    • Instruction ID: c6a4b052861c89f0ff3389efd74bf0467726df0111a01425f44c81245f6cc6fe
    • Opcode Fuzzy Hash: 7c0a5e7b80fa5c802468a3287eb335128e601ee27775adc7a1f9bedc9035b450
    • Instruction Fuzzy Hash: 7BD1AE75A4031ABFDB119FE8CD81FEEBAB9BF08704F104525F601E61A1D7B49A809B61
    APIs
      • Part of subcall function 009F38D4: GetProcessHeap.KERNEL32(?,000001C7,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38E5
      • Part of subcall function 009F38D4: RtlAllocateHeap.NTDLL(00000000,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38EC
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 00A37407
    • SysFreeString.OLEAUT32(00000000), ref: 00A375D0
    • SysFreeString.OLEAUT32(00000000), ref: 00A3766D
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: String$FreeHeap$AllocateCompareProcess
    • String ID: ($@$atomutil.cpp$author$category$entry$generator$icon$link$logo$subtitle$title$updated
    • API String ID: 1555028553-2592408802
    • Opcode ID: 3e7c86b692add5e1314ad5062fd54366902b77f3db307d3659728864ab8728ec
    • Instruction ID: dda7a7d6dbd3a600926c6e587d83cb73815568d8f2008e5b40097942c8df7cd5
    • Opcode Fuzzy Hash: 3e7c86b692add5e1314ad5062fd54366902b77f3db307d3659728864ab8728ec
    • Instruction Fuzzy Hash: C6B1B1B1948616FBDB219B58CC52FAEBB74BB04720F604355F921AB2D1DB70EE10DB90
    APIs
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,00A53C78,000000FF,?,?,?), ref: 00A3707E
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 00A370A3
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 00A370C3
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 00A370DF
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 00A37107
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 00A37123
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 00A3715C
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 00A37195
      • Part of subcall function 00A36BF6: SysFreeString.OLEAUT32(00000000), ref: 00A36D2F
      • Part of subcall function 00A36BF6: SysFreeString.OLEAUT32(00000000), ref: 00A36D71
    • SysFreeString.OLEAUT32(00000000), ref: 00A37219
    • SysFreeString.OLEAUT32(00000000), ref: 00A372C9
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: String$Compare$Free
    • String ID: ($atomutil.cpp$author$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
    • API String ID: 318886736-4294603148
    • Opcode ID: 08331663df0c927f3078380ee35913a6a789e6634e38656abd8ec0d4578e1ce9
    • Instruction ID: c6f36541b515f8872fd1949e787435fd97a6b71817f8fc212fa03a16a2abccdb
    • Opcode Fuzzy Hash: 08331663df0c927f3078380ee35913a6a789e6634e38656abd8ec0d4578e1ce9
    • Instruction Fuzzy Hash: 3AA16DB194821AFBDB319BA4CC41FAEB774BB05720F204755F921AB2D1D770EA50DBA0
    APIs
    • lstrlenW.KERNEL32(?,?,00000000,?,00A3B4F0,?,00000000,?,009F442A,?,00A3B4F0), ref: 00A05304
    • GetCurrentProcessId.KERNEL32(?,009F442A,?,00A3B4F0), ref: 00A0530F
    • SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,009F442A,?,00A3B4F0), ref: 00A05346
    • ConnectNamedPipe.KERNEL32(?,00000000,?,009F442A,?,00A3B4F0), ref: 00A0535B
    • GetLastError.KERNEL32(?,009F442A,?,00A3B4F0), ref: 00A05365
    • Sleep.KERNEL32(00000064,?,009F442A,?,00A3B4F0), ref: 00A05396
    • SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,009F442A,?,00A3B4F0), ref: 00A053B9
    • WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,009F442A,?,00A3B4F0), ref: 00A053D4
    • WriteFile.KERNEL32(?,009F442A,00A3B4F0,00000000,00000000,?,009F442A,?,00A3B4F0), ref: 00A053EF
    • WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,009F442A,?,00A3B4F0), ref: 00A0540A
    • ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,?,009F442A,?,00A3B4F0), ref: 00A05425
    • GetLastError.KERNEL32(?,009F442A,?,00A3B4F0), ref: 00A0547D
    • GetLastError.KERNEL32(?,009F442A,?,00A3B4F0), ref: 00A054B1
    • GetLastError.KERNEL32(?,009F442A,?,00A3B4F0), ref: 00A054E5
    • GetLastError.KERNEL32(?,009F442A,?,00A3B4F0), ref: 00A0557B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
    • String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$crypt32.dll$pipe.cpp
    • API String ID: 2944378912-2047837012
    APIs
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 009FA356
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 009FA37C
    • RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 009FA666
    Strings
    • Failed to change value type., xrefs: 009FA60D
    • Failed to format key string., xrefs: 009FA361
    • Failed to get expand environment string., xrefs: 009FA5DB
    • Failed to open registry key., xrefs: 009FA3E9
    • Failed to allocate string buffer., xrefs: 009FA565
    • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 009FA418
    • Failed to clear variable., xrefs: 009FA3D4
    • search.cpp, xrefs: 009FA44A, 009FA47D, 009FA4CE, 009FA5D1
    • Failed to set variable., xrefs: 009FA629
    • Failed to format value string., xrefs: 009FA387
    • Failed to query registry key value size., xrefs: 009FA454
    • Failed to query registry key value., xrefs: 009FA4D8
    • Failed to allocate memory registry value., xrefs: 009FA487
    • Registry key not found. Key = '%ls', xrefs: 009FA3B0
    • Unsupported registry key value type. Type = '%u', xrefs: 009FA506
    • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 009FA63E
    • Failed to read registry value., xrefs: 009FA5F4
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Open@16$Close
    • String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
    • API String ID: 2348241696-3124384294
    APIs
    • UuidCreate.RPCRT4(?), ref: 00A1D2A7
    • StringFromGUID2.OLE32(?,?,00000027), ref: 00A1D2D0
    • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 00A1D3BC
    • GetLastError.KERNEL32(?,?,?,?), ref: 00A1D3C6
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 00A1D45B
    • GetExitCodeProcess.KERNEL32(?,?), ref: 00A1D485
    • GetLastError.KERNEL32(?,?,?,?), ref: 00A1D493
    • GetLastError.KERNEL32(?,?,?,?), ref: 00A1D4CB
      • Part of subcall function 00A1D12C: WaitForSingleObject.KERNEL32(?,000000FF,771B30B0,00000000,?,?,?,?,00A1D439,?), ref: 00A1D145
      • Part of subcall function 00A1D12C: ReleaseMutex.KERNEL32(?,?,?,?,00A1D439,?), ref: 00A1D161
      • Part of subcall function 00A1D12C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A1D1A4
      • Part of subcall function 00A1D12C: ReleaseMutex.KERNEL32(?), ref: 00A1D1BB
      • Part of subcall function 00A1D12C: SetEvent.KERNEL32(?), ref: 00A1D1C4
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00A1D580
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00A1D598
    Strings
    • D, xrefs: 00A1D3A1
    • Failed to get netfx return code., xrefs: 00A1D4C1
    • NetFxChainer.cpp, xrefs: 00A1D2E5, 00A1D3EA, 00A1D4B7, 00A1D4EF
    • Failed to create netfx chainer guid., xrefs: 00A1D2B4
    • Failed to convert netfx chainer guid into string., xrefs: 00A1D2EF
    • NetFxSection.%ls, xrefs: 00A1D2FD
    • Failed to allocate netfx chainer arguments., xrefs: 00A1D387
    • %ls /pipe %ls, xrefs: 00A1D373
    • Failed to allocate event name., xrefs: 00A1D333
    • Failed to allocate section name., xrefs: 00A1D311
    • Failed to wait for netfx chainer process to complete, xrefs: 00A1D4F9
    • Failed to CreateProcess on path: %ls, xrefs: 00A1D3F5
    • Failed to create netfx chainer., xrefs: 00A1D352
    • NetFxEvent.%ls, xrefs: 00A1D31F
    • Failed to process netfx chainer message., xrefs: 00A1D43F
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLastWait$CloseCreateHandleMutexObjectProcessReleaseSingle$CodeEventExitFromMultipleObjectsStringUuid
    • String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
    • API String ID: 2531618940-1825855094
    APIs
    • EnterCriticalSection.KERNEL32(000002C0,00000100,00000100,00000000,00000000,?,009F99BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 009F56A2
    • lstrlenW.KERNEL32(00000000,?,009F99BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 009F56AC
    • _wcschr.LIBVCRUNTIME ref: 009F58B4
    • LeaveCriticalSection.KERNEL32(000002C0,00000000,00000000,00000000,00000000,00000000,00000001,?,009F99BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0), ref: 009F5B56
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave_wcschrlstrlen
    • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
    • API String ID: 1026845265-2050445661
    APIs
      • Part of subcall function 009F38D4: GetProcessHeap.KERNEL32(?,000001C7,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38E5
      • Part of subcall function 009F38D4: RtlAllocateHeap.NTDLL(00000000,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38EC
    • CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,00A1D34C,?,?,?), ref: 00A1CC6A
    • GetLastError.KERNEL32(?,?,00A1D34C,?,?,?), ref: 00A1CC77
    • ReleaseMutex.KERNEL32(?), ref: 00A1CEDF
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
    • String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
    • API String ID: 3944734951-2991465304
    APIs
      • Part of subcall function 00A331C7: VariantInit.OLEAUT32(?), ref: 00A331DD
      • Part of subcall function 00A331C7: SysAllocString.OLEAUT32(?), ref: 00A331F9
      • Part of subcall function 00A331C7: VariantClear.OLEAUT32(?), ref: 00A33280
      • Part of subcall function 00A331C7: SysFreeString.OLEAUT32(00000000), ref: 00A3328B
    • CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,00A3CA64,?,?,Action,?,?,?,00000000,009F533D), ref: 009FEA07
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 009FEA51
    Strings
    • Failed to get RelatedBundle nodes, xrefs: 009FE966
    • Action, xrefs: 009FE9C4
    • Invalid value for @Action: %ls, xrefs: 009FEB46
    • Failed to get RelatedBundle element count., xrefs: 009FE98B
    • Failed to get @Action., xrefs: 009FEB5D
    • cabinet.dll, xrefs: 009FEAAE
    • Failed to resize Detect code array in registration, xrefs: 009FEB22
    • Addon, xrefs: 009FEA8E
    • Failed to get next RelatedBundle element., xrefs: 009FEB64
    • Failed to get @Id., xrefs: 009FEB56
    • version.dll, xrefs: 009FEA64
    • Detect, xrefs: 009FE9F8
    • Failed to resize Patch code array in registration, xrefs: 009FEB37
    • Patch, xrefs: 009FEAD1
    • Failed to resize Upgrade code array in registration, xrefs: 009FEB29
    • RelatedBundle, xrefs: 009FE944
    • Upgrade, xrefs: 009FEA44
    • Failed to resize Addon code array in registration, xrefs: 009FEB30
    • comres.dll, xrefs: 009FEA1A
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: String$CompareVariant$AllocClearFreeInit
    • String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
    • API String ID: 702752599-259800149
    APIs
    • GetStringTypeW.KERNEL32(00000001,5600A3DB,00000001,?,009F9801,?,00000000,00000000), ref: 009F8E8D
    Strings
    • Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 009F903A
    • AND, xrefs: 009F9187
    • Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 009F928D
    • Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 009F8F6F
    • @, xrefs: 009F8E93
    • condition.cpp, xrefs: 009F8F5C, 009F9027, 009F909C, 009F90F9, 009F923A, 009F927A, 009F92B5
    • Failed to set symbol value., xrefs: 009F8F35
    • Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 009F90AF
    • -, xrefs: 009F8FF1
    • NOT, xrefs: 009F91A7
    • Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 009F910C
    • Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 009F92C8
    • Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 009F924D
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: StringType
    • String ID: -$@$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
    • API String ID: 4177115715-3640792234
    APIs
    • GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,00A049FE,00A3B4D8,?,feclient.dll,00000000,?,?), ref: 00A044FE
    • ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,00A049FE,00A3B4D8,?,feclient.dll,00000000,?,?), ref: 00A0451F
    • GetLastError.KERNEL32(?,00A049FE,00A3B4D8,?,feclient.dll,00000000,?,?), ref: 00A04525
    • WriteFile.KERNEL32(feclient.dll,?,00000004,00A049FE,00000000,?,00A049FE,00A3B4D8,?,feclient.dll,00000000,?,?), ref: 00A0468E
    • GetLastError.KERNEL32(?,00A049FE,00A3B4D8,?,feclient.dll,00000000,?,?), ref: 00A04698
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLast$CurrentProcessReadWrite
    • String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$feclient.dll$msasn1.dll$pipe.cpp
    • API String ID: 3008747291-452622383
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: StringVariant$AllocClearFreeInit
    • String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
    • API String ID: 760788290-1911311241
    APIs
      • Part of subcall function 009F38D4: GetProcessHeap.KERNEL32(?,000001C7,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38E5
      • Part of subcall function 009F38D4: RtlAllocateHeap.NTDLL(00000000,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38EC
    • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 00A11A77
    • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 00A11A95
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CompareHeapString$AllocateProcess
    • String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$error$exeengine.cpp$forceReboot$scheduleReboot$success
    • API String ID: 2664528157-1714101571
    APIs
      • Part of subcall function 00A339CD: GetVersionExW.KERNEL32(?,?,00000000,?), ref: 00A33A1A
    • RegCloseKey.ADVAPI32(00000000,?,00020006,00020006,00000000,?,?,00000002,00000000,?,00000000,00000001,00000002), ref: 009FF2CB
      • Part of subcall function 00A31344: RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,009FF11A,00000005,Resume,?,?,?,00000002,00000000), ref: 00A31359
    Strings
    • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 009FF0FA
    • "%ls" /%ls, xrefs: 009FF172
    • Failed to write Resume value., xrefs: 009FF120
    • Failed to write run key value., xrefs: 009FF1C8
    • Failed to delete resume command line value., xrefs: 009FF2A7
    • Installed, xrefs: 009FF132
    • BundleResumeCommandLine, xrefs: 009FF1D5, 009FF267
    • Failed to delete run key value., xrefs: 009FF25A
    • Failed to write resume command line value., xrefs: 009FF1EA
    • registration.cpp, xrefs: 009FF250, 009FF29D
    • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 009FF0AE
    • burn.runonce, xrefs: 009FF167
    • Failed to create run key., xrefs: 009FF1AA
    • Resume, xrefs: 009FF10F
    • Failed to format resume command line for RunOnce., xrefs: 009FF186
    • Failed to write Installed value., xrefs: 009FF143
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseValueVersion
    • String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$burn.runonce$registration.cpp
    • API String ID: 2348918689-3140388177
    APIs
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,00000000,000002C0), ref: 00A38019
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 00A38034
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 00A380D7
    • CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,00000018,00A3B508,00000000), ref: 00A38116
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 00A38169
    • CompareStringW.KERNEL32(0000007F,00000000,00A3B508,000000FF,true,000000FF), ref: 00A38187
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 00A381BF
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 00A38303
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CompareString
    • String ID: application$apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
    • API String ID: 1825529933-3037633208
    APIs
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 00A37703
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 00A37727
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 00A37746
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 00A3777D
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 00A37798
    • SysFreeString.OLEAUT32(00000000), ref: 00A377C3
    • SysFreeString.OLEAUT32(00000000), ref: 00A37842
    • SysFreeString.OLEAUT32(00000000), ref: 00A3788E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: String$Compare$Free
    • String ID: comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
    • API String ID: 318886736-3944986760
    APIs
      • Part of subcall function 00A0E05E: LoadBitmapW.USER32(?,00000001), ref: 00A0E094
      • Part of subcall function 00A0E05E: GetLastError.KERNEL32 ref: 00A0E0A0
    • LoadCursorW.USER32(00000000,00007F00), ref: 00A0E1D8
    • RegisterClassW.USER32(?), ref: 00A0E1EC
    • GetLastError.KERNEL32 ref: 00A0E1F7
    • UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 00A0E2FC
    • DeleteObject.GDI32(00000000), ref: 00A0E30B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
    • String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
    • API String ID: 164797020-2188509422
    • Opcode ID: f6e13ffd0c3455ba2fd27e5589fddd594cfc84981a60b996d9bbd084dea9cb88
    • Instruction ID: ff39c4cd8311d0aa38cb9ecd73cd1d67ef0d584c007d639bfe8862ed533d8bf1
    • Opcode Fuzzy Hash: f6e13ffd0c3455ba2fd27e5589fddd594cfc84981a60b996d9bbd084dea9cb88
    • Instruction Fuzzy Hash: 29416E76A00629BFEB11DBE4ED45AEBB7BDFF08310F100525FA05E6190D7709D119BA1
    APIs
    • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,00000000,?,00A1BA53,00000001), ref: 00A19C18
    • GetLastError.KERNEL32(?,00A1BA53,00000001), ref: 00A19D88
    • GetExitCodeThread.KERNEL32(00000001,00000000,?,00A1BA53,00000001), ref: 00A19DC8
    • GetLastError.KERNEL32(?,00A1BA53,00000001), ref: 00A19DD2
    Strings
    • Failed to get cache thread exit code., xrefs: 00A19E03
    • Failed to execute compatible package action., xrefs: 00A19D45
    • Invalid execute action., xrefs: 00A19E23
    • Failed to execute MSI package., xrefs: 00A19C78
    • Failed to load compatible package on per-machine package., xrefs: 00A19D2E
    • Failed to wait for cache check-point., xrefs: 00A19DB9
    • Failed to execute MSU package., xrefs: 00A19CCD
    • Failed to execute EXE package., xrefs: 00A19C4F
    • Failed to execute MSP package., xrefs: 00A19C9D
    • Failed to execute package provider registration action., xrefs: 00A19CE9
    • Failed to execute dependency action., xrefs: 00A19D08
    • apply.cpp, xrefs: 00A19DAC, 00A19DF6
    • Cache thread exited unexpectedly., xrefs: 00A19E14
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
    • String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
    • API String ID: 3703294532-2662572847
    • Opcode ID: 0cb1ff0e4366a7ca75d2715430f52b9fe962c89bb4cf31caf01ec05b05f2574b
    • Instruction ID: 6ee0e4df05ff17b3871b208d6bd5a9abbb2538fb70f34bc8bdc27af54eebd621
    • Opcode Fuzzy Hash: 0cb1ff0e4366a7ca75d2715430f52b9fe962c89bb4cf31caf01ec05b05f2574b
    • Instruction Fuzzy Hash: 88715B71A01219FFEB14DF64DA51AEFB7F8EB48B10F10466AF905E7290D2709E41DBA0
    APIs
    • GetCurrentProcessId.KERNEL32(771A8FB0,00000002,00000000), ref: 00A1CA40
      • Part of subcall function 00A04B96: UuidCreate.RPCRT4(?), ref: 00A04BC9
    • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,00A121A5,?,?,00000000,?,?,?), ref: 00A1CB1E
    • GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 00A1CB28
    • GetProcessId.KERNEL32(00A121A5,?,?,00000000,?,?,?,?), ref: 00A1CB60
      • Part of subcall function 00A052E3: lstrlenW.KERNEL32(?,?,00000000,?,00A3B4F0,?,00000000,?,009F442A,?,00A3B4F0), ref: 00A05304
      • Part of subcall function 00A052E3: GetCurrentProcessId.KERNEL32(?,009F442A,?,00A3B4F0), ref: 00A0530F
      • Part of subcall function 00A052E3: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,009F442A,?,00A3B4F0), ref: 00A05346
      • Part of subcall function 00A052E3: ConnectNamedPipe.KERNEL32(?,00000000,?,009F442A,?,00A3B4F0), ref: 00A0535B
      • Part of subcall function 00A052E3: GetLastError.KERNEL32(?,009F442A,?,00A3B4F0), ref: 00A05365
      • Part of subcall function 00A052E3: Sleep.KERNEL32(00000064,?,009F442A,?,00A3B4F0), ref: 00A05396
      • Part of subcall function 00A052E3: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,009F442A,?,00A3B4F0), ref: 00A053B9
      • Part of subcall function 00A052E3: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,009F442A,?,00A3B4F0), ref: 00A053D4
      • Part of subcall function 00A052E3: WriteFile.KERNEL32(?,009F442A,00A3B4F0,00000000,00000000,?,009F442A,?,00A3B4F0), ref: 00A053EF
      • Part of subcall function 00A052E3: WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,009F442A,?,00A3B4F0), ref: 00A0540A
      • Part of subcall function 00A30917: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,009F4E16,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 00A30927
      • Part of subcall function 00A30917: GetLastError.KERNEL32(?,?,009F4E16,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00A30935
    • CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,00A1C992,?,?,?,?,?,00000000,?,?,?,?), ref: 00A1CBE4
    • CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,00A1C992,?,?,?,?,?,00000000,?,?,?,?), ref: 00A1CBF3
    • CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,00A1C992,?,?,?,?,?,00000000,?,?,?), ref: 00A1CC0A
    Strings
    • Failed to create embedded process at path: %ls, xrefs: 00A1CB56
    • burn.embedded, xrefs: 00A1CADB
    • Failed to wait for embedded process to connect to pipe., xrefs: 00A1CB82
    • Failed to allocate embedded command., xrefs: 00A1CAF7
    • Failed to create embedded pipe., xrefs: 00A1CACA
    • Failed to wait for embedded executable: %ls, xrefs: 00A1CBC7
    • Failed to process messages from embedded message., xrefs: 00A1CBA7
    • %ls -%ls %ls %ls %u, xrefs: 00A1CAE3
    • embedded.cpp, xrefs: 00A1CB49
    • Failed to create embedded pipe name and client token., xrefs: 00A1CAA3
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
    • String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$embedded.cpp
    • API String ID: 875070380-3803182736
    • Opcode ID: 85f6e401902903e9ede82e7a185a453d316a8658d535919a84e6601a83c056c0
    • Instruction ID: 193c8f3e3879cfca50f10bb6326d0ae1df451c5dec0537d6a4df1fcf84124c8d
    • Opcode Fuzzy Hash: 85f6e401902903e9ede82e7a185a453d316a8658d535919a84e6601a83c056c0
    • Instruction Fuzzy Hash: BC514D72D4421DBBDF11EBA4DD42FEEBBB9BF08721F104121FA04B6190D7719A458B91
    APIs
    • CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,00000000,?,00A38320,00000001,?), ref: 00A37E56
    • CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,00A38320,00000001,?), ref: 00A37E71
    • CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,00A38320,00000001,?), ref: 00A37E8C
    • CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,00A38320,00000001,?), ref: 00A37EF8
    • CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,00A38320,00000001,?), ref: 00A37F1C
    • CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,00A38320,00000001,?), ref: 00A37F40
    • CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,00A38320,00000001,?), ref: 00A37F60
    • lstrlenW.KERNEL32(006C0064,?,00A38320,00000001,?), ref: 00A37F7B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CompareString$lstrlen
    • String ID: algorithm$apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
    • API String ID: 1657112622-2492263259
    • Opcode ID: fef1a7ab47e96d8472fa59ff0e4bf471058d0cbb97772879db39a77791cb7c53
    • Instruction ID: a538268cf43cce226e9b32754c38fb8187b25dc295574c1579d567e6e2a6caad
    • Opcode Fuzzy Hash: fef1a7ab47e96d8472fa59ff0e4bf471058d0cbb97772879db39a77791cb7c53
    • Instruction Fuzzy Hash: B25180B169C212BBDB208F54DC41F297661BB15730F304754FA34AE6E5C7A1EC90C790
    APIs
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 009F9FA3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Open@16
    • String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
    • API String ID: 3613110473-2134270738
    • Opcode ID: d8109285d81f907e46dda6de4ff4ac4820bc534b254400e0b61d8c011c5ca864
    • Instruction ID: 53471fa130826440f13f8b62b3344a794a978e69599f53f1c77a7c7433f1d3b2
    • Opcode Fuzzy Hash: d8109285d81f907e46dda6de4ff4ac4820bc534b254400e0b61d8c011c5ca864
    • Instruction Fuzzy Hash: F1613672E4021CBBCB11DEA8DE46EFE7B78EB45300F244565F608BB291C672DE409792
    APIs
    • lstrlenW.KERNEL32(?,?,00A19751,75C08550,?,?,00000000,?,?,?,00000001,00000000,?), ref: 00A1DC28
    Strings
    • Failed to initialize BITS job callback., xrefs: 00A1DD49
    • Failed to create BITS job callback., xrefs: 00A1DD3B
    • Failed to add file to BITS job., xrefs: 00A1DCF5
    • Failed to copy download URL., xrefs: 00A1DC6F
    • bitsengine.cpp, xrefs: 00A1DC3E, 00A1DD31
    • Failed to set callback interface for BITS job., xrefs: 00A1DD60
    • Failed to complete BITS job., xrefs: 00A1DDD2
    • Failed while waiting for BITS download., xrefs: 00A1DDD9
    • Invalid BITS engine URL: %ls, xrefs: 00A1DC4A
    • Failed to set credentials for BITS job., xrefs: 00A1DCD6
    • Failed to download BITS job., xrefs: 00A1DDBF
    • Failed to create BITS job., xrefs: 00A1DCB7
    • Falied to start BITS job., xrefs: 00A1DDE0
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: lstrlen
    • String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$bitsengine.cpp
    • API String ID: 1659193697-2382896028
    • Opcode ID: f97a608d1cf6b93e5a7eab4eb9d262d9b3f0ccd58c0349898253c6b05322f806
    • Instruction ID: b517048a0812e8da461328fd2020404f3a739a3660edc7c02107fe4e086b4a72
    • Opcode Fuzzy Hash: f97a608d1cf6b93e5a7eab4eb9d262d9b3f0ccd58c0349898253c6b05322f806
    • Instruction Fuzzy Hash: 5861D031A41225FBCB119F98D985EEEBBB4AF08B61F114555FC04AB251E770ED80DB90
    APIs
    • SysFreeString.OLEAUT32(?), ref: 009FED40
      • Part of subcall function 009F38D4: GetProcessHeap.KERNEL32(?,000001C7,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38E5
      • Part of subcall function 009F38D4: RtlAllocateHeap.NTDLL(00000000,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38EC
    • SysFreeString.OLEAUT32(?), ref: 009FECF8
    Strings
    • Failed to get software tag count., xrefs: 009FEC07
    • Failed to allocate memory for software tag structs., xrefs: 009FEC3F
    • Failed to get @Regid., xrefs: 009FED93
    • Failed to select software tag nodes., xrefs: 009FEBE2
    • Failed to get SoftwareTag text., xrefs: 009FED7F
    • registration.cpp, xrefs: 009FEC35
    • Path, xrefs: 009FECA6
    • Failed to convert SoftwareTag text to UTF-8, xrefs: 009FED75
    • SoftwareTag, xrefs: 009FEBC1
    • Failed to get @Path., xrefs: 009FED89
    • Failed to get next node., xrefs: 009FEDA7
    • Regid, xrefs: 009FEC8E
    • Filename, xrefs: 009FEC73
    • Failed to get @Filename., xrefs: 009FED9D
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: FreeHeapString$AllocateProcess
    • String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$registration.cpp
    • API String ID: 336948655-1068704183
    • Opcode ID: 3445e9255968801c7cd9cdd09c9f1fd6ab2904e694e9d631fee97656c62e49eb
    • Instruction ID: 96e4ef22dc93882ac8ef07d18b77da2c95d05e9aabbf4b673148a17a13f94fa6
    • Opcode Fuzzy Hash: 3445e9255968801c7cd9cdd09c9f1fd6ab2904e694e9d631fee97656c62e49eb
    • Instruction Fuzzy Hash: CB51D275A0132DBBCB11DF95CC91EBEBBA8BF44751F104969FA01AB2A1C770DE408790
    APIs
    • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 00A0498D
    • GetLastError.KERNEL32 ref: 00A0499B
    • Sleep.KERNEL32(00000064), ref: 00A049BF
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CreateErrorFileLastSleep
    • String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$feclient.dll$pipe.cpp
    • API String ID: 408151869-3212458075
    • Opcode ID: 68ae6d4d00663d64caabcac83cc80c66e42395a2d32b1c02c5b7ba854e58b847
    • Instruction ID: da133c73dd2dd991d31b2226f0ba17a1b7e704f5329645eb11d54520bf119f4c
    • Opcode Fuzzy Hash: 68ae6d4d00663d64caabcac83cc80c66e42395a2d32b1c02c5b7ba854e58b847
    • Instruction Fuzzy Hash: E24128B6E80725BBDB2197E4EC46B6BB6A8FF08760F104221FF00F61D0D7659D1096D4
    APIs
    • RegCloseKey.ADVAPI32(00000000,00000000,00A00348,InstallerVersion,InstallerVersion,00000000,00A00348,InstallerName,InstallerName,00000000,00A00348,Date,InstalledDate,00000000,00A00348,LogonUser), ref: 009FF5BE
      • Part of subcall function 00A31392: RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,009FF1C2,00000000,?,00020006), ref: 00A313C5
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseValue
    • String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
    • API String ID: 3132538880-2703781546
    • Opcode ID: 35c84757ef6584150a021f4242168257b4571252f4a204a40362ad291adc593e
    • Instruction ID: 427b262fd72a925f27645b69a65ead5f56a2a14983feea3ce249a2f46502cc3f
    • Opcode Fuzzy Hash: 35c84757ef6584150a021f4242168257b4571252f4a204a40362ad291adc593e
    • Instruction Fuzzy Hash: FF418436E8462DBBCB225A54CD16F7E7A69BF80B24F114671FA00BB261D7709E10E790
    APIs
    • TlsSetValue.KERNEL32(?,?), ref: 00A0E5AE
    • RegisterClassW.USER32(?), ref: 00A0E5DA
    • GetLastError.KERNEL32 ref: 00A0E5E5
    • CreateWindowExW.USER32(00000080,00A49CC4,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 00A0E64C
    • GetLastError.KERNEL32 ref: 00A0E656
    • UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 00A0E6F4
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
    • String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
    • API String ID: 213125376-288575659
    • Opcode ID: 76805effffd9d7db055b0b886c2744ec6393c10e78d225d6312718f92c959408
    • Instruction ID: 8304d65daa7745af2e155c26f00d95d389a135407f6c9d509ef7b5027d5c2efe
    • Opcode Fuzzy Hash: 76805effffd9d7db055b0b886c2744ec6393c10e78d225d6312718f92c959408
    • Instruction Fuzzy Hash: 43417076A00218AFDB10DBA4EC85ADBBFF9FF08350F104526FA09EA190D7319911DBA1
    Strings
    • Failed to copy related arguments for passthrough bundle package, xrefs: 00A1C825
    • pseudobundle.cpp, xrefs: 00A1C54B, 00A1C744, 00A1C77E
    • Failed to copy download source for passthrough pseudo bundle., xrefs: 00A1C732
    • Failed to copy key for passthrough pseudo bundle., xrefs: 00A1C72B
    • Failed to copy local source path for passthrough pseudo bundle., xrefs: 00A1C75A
    • Failed to recreate command-line arguments., xrefs: 00A1C7E6
    • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 00A1C78A
    • Failed to copy filename for passthrough pseudo bundle., xrefs: 00A1C761
    • Failed to copy cache id for passthrough pseudo bundle., xrefs: 00A1C7A8
    • Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 00A1C557
    • Failed to copy key for passthrough pseudo bundle payload., xrefs: 00A1C768
    • Failed to allocate memory for pseudo bundle payload hash., xrefs: 00A1C750
    • Failed to copy uninstall arguments for passthrough bundle package, xrefs: 00A1C84F
    • Failed to copy install arguments for passthrough bundle package, xrefs: 00A1C805
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Heap$AllocateProcess
    • String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
    • API String ID: 1357844191-115096447
    • Opcode ID: 9eca05176cfcba02b5c7c2316ec5b312233a4007b34e7edc68916aa0c8bfa8f4
    • Instruction ID: 07527888c80af96be9e46d5041d15a9d82bce99531527b01ed3981de4f06bbb0
    • Opcode Fuzzy Hash: 9eca05176cfcba02b5c7c2316ec5b312233a4007b34e7edc68916aa0c8bfa8f4
    • Instruction Fuzzy Hash: A2B13875A40615EFDB11DF28C881F95BBA1BF48720F118169FE14AB3A2C771E8A1DF90
    APIs
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 009FBB82
    • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 009FBC8F
    • GetLastError.KERNEL32(?,?,?,?), ref: 009FBC99
    • WaitForInputIdle.USER32(?,?), ref: 009FBCED
    • CloseHandle.KERNEL32(?,?,?), ref: 009FBD38
    • CloseHandle.KERNEL32(?,?,?), ref: 009FBD45
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseHandle$CreateErrorIdleInputLastOpen@16ProcessWait
    • String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$approvedexe.cpp
    • API String ID: 155678114-2737401750
    • Opcode ID: cedbecde0dc152b5437a61fdacaf8dc602bee8db76367f7d1ed85f69e5a89ce1
    • Instruction ID: b9f0852312e2210b5790666a9cc709c66ee5d0e70cd463e5cf586eafe43b4433
    • Opcode Fuzzy Hash: cedbecde0dc152b5437a61fdacaf8dc602bee8db76367f7d1ed85f69e5a89ce1
    • Instruction Fuzzy Hash: F2513572D0061EBBDF11AEA5CD42EBEBBB9FF04301F10456AFA14A6120D7319E509BA1
    APIs
    • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,00A16CE1,?), ref: 00A167C8
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00A16CE1,?,?,?), ref: 00A167D5
    • OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,00A16CE1,?,?,?), ref: 00A1681D
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00A16CE1,?,?,?), ref: 00A16829
    • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,00A16CE1,?,?,?), ref: 00A16863
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00A16CE1,?,?,?), ref: 00A1686D
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00A16924
    • CloseServiceHandle.ADVAPI32(?), ref: 00A1692E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
    • String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$msuengine.cpp$wuauserv
    • API String ID: 971853308-301359130
    • Opcode ID: 36a3c90fedf7b13f52cacd9f60359a43ec2421577d9ec15088df4d6c7450ad35
    • Instruction ID: 7f63a387f7ee8cf5473b90084010fd8637516221fde0dac642d7bb6e36dc56b8
    • Opcode Fuzzy Hash: 36a3c90fedf7b13f52cacd9f60359a43ec2421577d9ec15088df4d6c7450ad35
    • Instruction Fuzzy Hash: DA419275B10324ABEB20EBB98D85AEEB6E9EB48750F114429FD05F7250DB749C4186A0
    APIs
    • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,009FB9F7,00000008,?,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 009FB10E
    • GetLastError.KERNEL32(?,009FB9F7,00000008,?,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 009FB11A
    • _memcmp.LIBVCRUNTIME ref: 009FB1C2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorHandleLastModule_memcmp
    • String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$section.cpp
    • API String ID: 3888311042-926796631
    • Opcode ID: 250c80a5fa2c4b89786afae60f941662b0a3d8a10bfb836442e5373effcb9a87
    • Instruction ID: d185ed9fc71ffb3f154a44bca94f1d2c244138698e338ed95b41ba664edabddb
    • Opcode Fuzzy Hash: 250c80a5fa2c4b89786afae60f941662b0a3d8a10bfb836442e5373effcb9a87
    • Instruction Fuzzy Hash: 63414C32384314B7D720AE55DC82F7B625ABF81B70F254829FB029F5C1D768C90283E6
    Strings
    • Failed to copy ancestors and self to related bundle ancestors., xrefs: 00A02EF6
    • Failed to create dictionary from ancestors array., xrefs: 00A02E46
    • %ls;%ls, xrefs: 00A02EDE
    • Failed to lookup the bundle ID in the ancestors dictionary., xrefs: 00A030F0
    • crypt32.dll, xrefs: 00A02E0E
    • Failed to create string array from ancestors., xrefs: 00A02E1A
    • UX aborted plan related bundle., xrefs: 00A03127
    • Failed to add the package provider key "%ls" to the planned list., xrefs: 00A03107
    • Failed to copy self to related bundle ancestors., xrefs: 00A0312E
    • plan.cpp, xrefs: 00A0311D
    • Unexpected relation type encountered during plan: %d, xrefs: 00A030FE
    • feclient.dll, xrefs: 00A030BB
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID:
    • String ID: %ls;%ls$Failed to add the package provider key "%ls" to the planned list.$Failed to copy ancestors and self to related bundle ancestors.$Failed to copy self to related bundle ancestors.$Failed to create dictionary from ancestors array.$Failed to create string array from ancestors.$Failed to lookup the bundle ID in the ancestors dictionary.$UX aborted plan related bundle.$Unexpected relation type encountered during plan: %d$crypt32.dll$feclient.dll$plan.cpp
    • API String ID: 0-794096528
    • Opcode ID: 3862a7c9be24d1336492c4385110e37fdad4dde75c4fe8159388b2eb2a7c6c51
    • Instruction ID: 64cfe6e3f534b22eb8825c8663dd113e1fb48df4b80b8bfa23c28ecf7e7d9b43
    • Opcode Fuzzy Hash: 3862a7c9be24d1336492c4385110e37fdad4dde75c4fe8159388b2eb2a7c6c51
    • Instruction Fuzzy Hash: 9AB1D23290171AEFDF15DF64EC41BAABBB9FF49310F104665F904AB290D7319A91CB90
    APIs
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 009FA1A8
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 009FA204
    • RegQueryValueExW.ADVAPI32(000002C0,00000000,00000000,000002C0,00000000,00000000,000002C0,?,00000000,00000000,?,00000000,00000101,000002C0,000002C0,?), ref: 009FA226
    • RegCloseKey.ADVAPI32(00000000,00000000,00000000,000002C0,00000100,00000000,000002C0), ref: 009FA300
    Strings
    • search.cpp, xrefs: 009FA25B
    • Failed to set variable., xrefs: 009FA2B8
    • RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 009FA2D8
    • Failed to format value string., xrefs: 009FA20F
    • Failed to open registry key. Key = '%ls', xrefs: 009FA2C2
    • Failed to format key string., xrefs: 009FA1B3
    • Failed to query registry key value., xrefs: 009FA265
    • Registry key not found. Key = '%ls', xrefs: 009FA291
    • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 009FA275
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Open@16$CloseQueryValue
    • String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
    • API String ID: 2702208347-46557908
    • Opcode ID: b7dca77de6fb7d2ddd1a0428d03d5618e9405f923e4b472de2355272c4b117dc
    • Instruction ID: ee5bea0bbfdf08dd1442bb6663ceaf4d6051b0a98bbf76aa439217bc48304be2
    • Opcode Fuzzy Hash: b7dca77de6fb7d2ddd1a0428d03d5618e9405f923e4b472de2355272c4b117dc
    • Instruction Fuzzy Hash: 1E41E3B2F4021CBBDF25AAA4CD06FFEBA69EB04710F104165FE08A5291D7728E109792
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 009F6835
    • GetLastError.KERNEL32 ref: 009F683F
    • GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 009F6882
    • GetLastError.KERNEL32 ref: 009F688C
    • FreeLibrary.KERNEL32(00000000,00000000,?), ref: 009F699D
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
    • String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$ntdll$variable.cpp
    • API String ID: 3057421322-109962352
    • Opcode ID: 3dad7d8f5f04ce0c29d4b8419e37da5f839e16c31ffa4a864f86814a89095c7b
    • Instruction ID: 4050f9c476e4004b770b306cc838c57d527331e9c0dbe8a215a17dd54f440a3c
    • Opcode Fuzzy Hash: 3dad7d8f5f04ce0c29d4b8419e37da5f839e16c31ffa4a864f86814a89095c7b
    • Instruction Fuzzy Hash: C6419271E0033CABDB319B659D45BFABAE8FB08750F000199FA49F6190D7758E94CBA0
    APIs
    • TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,009F535E,?,?,?,?), ref: 009F481A
    • GetLastError.KERNEL32(?,?,?,009F535E,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 009F482B
    • ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009F4968
    • CloseHandle.KERNEL32(?,?,?,?,009F535E,?,?,?,?,?,?,?,?,?,?,?), ref: 009F4971
    Strings
    • Failed to set elevated pipe into thread local storage for logging., xrefs: 009F48A2
    • Failed to pump messages from parent process., xrefs: 009F493C
    • Failed to allocate thread local storage for logging., xrefs: 009F4859
    • engine.cpp, xrefs: 009F484F, 009F4898
    • Failed to create the message window., xrefs: 009F48C6
    • Failed to connect to unelevated process., xrefs: 009F4810
    • comres.dll, xrefs: 009F48D7
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AllocCloseErrorHandleLastMutexRelease
    • String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$comres.dll$engine.cpp
    • API String ID: 687263955-1790235126
    • Opcode ID: 113eebe2d7e2896a5f9720f35462ecf6fc867754e144c77916b3b2355d554b23
    • Instruction ID: a5bdaf4a83bf3a68b81f9f4c44a281e7f73eb2b64b9b2d9d60a5a7291d6bab32
    • Opcode Fuzzy Hash: 113eebe2d7e2896a5f9720f35462ecf6fc867754e144c77916b3b2355d554b23
    • Instruction Fuzzy Hash: ED418172A00619BADB11ABA4DC86EEBF6ADBF04750F104626FB15E2150DB74A95087E0
    APIs
    • GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 00A03A51
    • GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 00A03A5B
    • GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 00A03AC4
    • ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 00A03ACB
    Strings
    • Failed to get temp folder., xrefs: 00A03A89
    • crypt32.dll, xrefs: 00A03A10
    • Failed to format session id as a string., xrefs: 00A03AF9
    • Failed to get length of temp folder., xrefs: 00A03AB5
    • Failed to get length of session id string., xrefs: 00A03B1D
    • logging.cpp, xrefs: 00A03A7F
    • Failed to copy temp folder., xrefs: 00A03B7A
    • %u\, xrefs: 00A03AE5
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Process$CurrentErrorLastPathSessionTemp
    • String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$crypt32.dll$logging.cpp
    • API String ID: 1726527325-3274134579
    • Opcode ID: 43060b9d0d00341f1c94e676bfa83f0a89a3ac7840c4f2678add795274b0896f
    • Instruction ID: 9564f6bb55dae3133ac7d8831bbdad056aab4d139471d9a272c67b267748154a
    • Opcode Fuzzy Hash: 43060b9d0d00341f1c94e676bfa83f0a89a3ac7840c4f2678add795274b0896f
    • Instruction Fuzzy Hash: 37418377D8123DABDF209B649C49FEAB7BCEB55710F100295F909A6181D7709F818BD0
    APIs
    • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,000000B9,00000002,?,00000000,00000000), ref: 009F7E99
    • LeaveCriticalSection.KERNEL32(?,?,?), ref: 009F80C1
    Strings
    • Failed to write variable value as number., xrefs: 009F806B
    • Failed to write variable count., xrefs: 009F7EB4
    • Failed to write variable name., xrefs: 009F80A8
    • Unsupported variable type., xrefs: 009F807E
    • Failed to get version., xrefs: 009F8072
    • Failed to write included flag., xrefs: 009F80AF
    • Failed to write variable value type., xrefs: 009F80A1
    • Failed to write literal flag., xrefs: 009F809A
    • Failed to get numeric., xrefs: 009F8093
    • Failed to write variable value as string., xrefs: 009F8085
    • Failed to get string., xrefs: 009F808C
    • feclient.dll, xrefs: 009F7F74, 009F7FCA, 009F800B
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
    • API String ID: 3168844106-2118673349
    • Opcode ID: f3c1c7b7444dfecbbb1fb08de35f41e968a946caa05ab8283bdc6ad1f48220d8
    • Instruction ID: f98548f4ca411ded0a8e7c295d16272e8d9eed9e397114d5559d00d5c198c2d6
    • Opcode Fuzzy Hash: f3c1c7b7444dfecbbb1fb08de35f41e968a946caa05ab8283bdc6ad1f48220d8
    • Instruction Fuzzy Hash: C161AE3280462EEFCB629EA4CD40AFFBB69BF04754F584661FB01A7250CF349D589B91
    APIs
    • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,00A0A63D,?,00000000,?,?,00A1B049), ref: 00A095C7
    • GetLastError.KERNEL32(?,00A0A63D,?,00000000,?,?,00A1B049,?,00000000,?,00000000,?,?,00A1B049,?), ref: 00A095D7
    • CloseHandle.KERNEL32(?,00A1B049,00000001,00000003,000007D0,?,?,00A1B049,?), ref: 00A096E4
    Strings
    • Failed to verify payload signature: %ls, xrefs: 00A09632
    • Failed to move %ls to %ls, xrefs: 00A096BC
    • %ls payload from working path '%ls' to path '%ls', xrefs: 00A0968F
    • Failed to verify payload hash: %ls, xrefs: 00A0966F
    • Failed to copy %ls to %ls, xrefs: 00A096D2
    • Copying, xrefs: 00A09679
    • Failed to open payload in working path: %ls, xrefs: 00A09606
    • Moving, xrefs: 00A09686, 00A0968E
    • cache.cpp, xrefs: 00A095FB
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseCreateErrorFileHandleLast
    • String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
    • API String ID: 2528220319-1604654059
    • Opcode ID: e4958756c12b7ec6c3c6b0cb5f5336a2e8360795be7d40bdc183c9a7c70c2187
    • Instruction ID: bd27dac3e39f6ec0543fb57e832b7353c99671058b1ebffb63c88867fd7aa6c1
    • Opcode Fuzzy Hash: e4958756c12b7ec6c3c6b0cb5f5336a2e8360795be7d40bdc183c9a7c70c2187
    • Instruction Fuzzy Hash: 27310871E407687BE7211A29AC56F6F696CEF81B50F010219FD04BB2D2D7A29D0086E5
    APIs
      • Part of subcall function 00A03955: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00A03E61,feclient.dll,?,00000000,?,?,?,009F4A0C), ref: 00A039F1
    • Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,009F4A0C,?,?,00A3B478,?,00000001,00000000,00000000), ref: 00A03EF8
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseSleep
    • String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
    • API String ID: 2834455192-2673269691
    • Opcode ID: f0fa732c78dcae6020650c675e021f878c0a25bc61828df4eb0288e1628098c5
    • Instruction ID: ab35d7d48dd32adb00e8485f0742e669aa05c023c55496f8840ba25ae9fe99ee
    • Opcode Fuzzy Hash: f0fa732c78dcae6020650c675e021f878c0a25bc61828df4eb0288e1628098c5
    • Instruction Fuzzy Hash: 0261CF72A0061EBBDF269F28DC46B7A76BCFF04340B144665F901EB181E7B1EE5087A1
    APIs
    • EnterCriticalSection.KERNEL32(00000001,?,00000000,009F533D,00000000,00000001), ref: 009F6C6E
      • Part of subcall function 009F55B6: CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,00000007,009F648B,009F648B,?,009F554A,?,?,00000000), ref: 009F55F2
      • Part of subcall function 009F55B6: GetLastError.KERNEL32(?,009F554A,?,?,00000000,?,00000000,009F648B,?,009F7DDC,?,?,?,?,?), ref: 009F5621
    • LeaveCriticalSection.KERNEL32(00000001,?,00000001), ref: 009F6E02
    Strings
    • Setting hidden variable '%ls', xrefs: 009F6D2C
    • Failed to insert variable '%ls'., xrefs: 009F6CB3
    • Failed to find variable value '%ls'., xrefs: 009F6C89
    • Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 009F6D79
    • Unsetting variable '%ls', xrefs: 009F6DBE
    • Setting string variable '%ls' to value '%ls', xrefs: 009F6D96
    • variable.cpp, xrefs: 009F6CF1
    • Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 009F6E14
    • Attempt to set built-in variable value: %ls, xrefs: 009F6CFC
    • Failed to set value of variable: %ls, xrefs: 009F6DEA
    • Setting numeric variable '%ls' to value %lld, xrefs: 009F6DA3
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalSection$CompareEnterErrorLastLeaveString
    • String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
    • API String ID: 2716280545-445000439
    • Opcode ID: 066f7f7f65da47c1000cc9bff6a53c652452098e4585921ce6150fc38d55a81b
    • Instruction ID: 684f80281daf6229bf44687725426970b5e575116593be952a081906ae395b82
    • Opcode Fuzzy Hash: 066f7f7f65da47c1000cc9bff6a53c652452098e4585921ce6150fc38d55a81b
    • Instruction Fuzzy Hash: EE51BF71B0031DBBCB349E24CD4AF7B7A68EB95710F100A19FA886A2C1C375DD61CBA1
    APIs
    • CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,002C002B,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00A02ACD
    Strings
    • Failed to add dependent bundle provider key to ignore dependents., xrefs: 00A02C37
    • Failed to create the string dictionary., xrefs: 00A02B06
    • Failed to add registration action for dependent related bundle., xrefs: 00A02DD5
    • crypt32.dll, xrefs: 00A02B18, 00A02C16, 00A02D0B, 00A02D80
    • Failed to add dependents ignored from command-line., xrefs: 00A02B82
    • Failed to check for remaining dependents during planning., xrefs: 00A02C73
    • Failed to add self-dependent to ignore dependents., xrefs: 00A02B51
    • Failed to add registration action for self dependent., xrefs: 00A02D9E
    • wininet.dll, xrefs: 00A02D1E
    • Failed to allocate registration action., xrefs: 00A02B36
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CompareString
    • String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
    • API String ID: 1825529933-1705955799
    • Opcode ID: fbe25384edc13c7d1fe015a02638872ac7ee71f3f25fc32f237bf131e5a1a37c
    • Instruction ID: b702e5620d76a31946260c3b13b374ceced664080074016f606502e69f58299a
    • Opcode Fuzzy Hash: fbe25384edc13c7d1fe015a02638872ac7ee71f3f25fc32f237bf131e5a1a37c
    • Instruction Fuzzy Hash: 3DB18E70A0072AEFDB25DF54D849BAEBBB5FF44310F00816AF805AA291D770DD91DB91
    APIs
    • IsWindow.USER32(?), ref: 009F4B5E
    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009F4B6F
    Strings
    • Failed to create the message window., xrefs: 009F4A92
    • Failed to set action variables., xrefs: 009F4ABE
    • Failed to set registration variables., xrefs: 009F4AD8
    • Failed to open log., xrefs: 009F4A12
    • Failed to check global conditions, xrefs: 009F4A43
    • Failed while running , xrefs: 009F4B24
    • WixBundleLayoutDirectory, xrefs: 009F4AEF
    • Failed to set layout directory variable to value provided from command-line., xrefs: 009F4B00
    • Failed to query registration., xrefs: 009F4AA8
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: MessagePostWindow
    • String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
    • API String ID: 3618638489-3051724725
    • Opcode ID: 1648ac9eda9c9f864b811622970b147f487584b5045894f2cbd863595c816c87
    • Instruction ID: 9d7ff06178aad213648293949e418c466d2ca878e540d5df689684c2a15e3224
    • Opcode Fuzzy Hash: 1648ac9eda9c9f864b811622970b147f487584b5045894f2cbd863595c816c87
    • Instruction Fuzzy Hash: 8A41E431A40A2FBBDB269A64DC45FBBB66CFF04752F000615FB04A6551EB70ED1097E0
    APIs
      • Part of subcall function 009F38D4: GetProcessHeap.KERNEL32(?,000001C7,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38E5
      • Part of subcall function 009F38D4: RtlAllocateHeap.NTDLL(00000000,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38EC
    • EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 00A0EE1B
    • LeaveCriticalSection.KERNEL32(?), ref: 00A0EF48
    Strings
    • Engine is active, cannot change engine state., xrefs: 00A0EE36
    • UX requested unknown approved exe with id: %ls, xrefs: 00A0EE7B
    • Failed to copy the arguments., xrefs: 00A0EEDA
    • EngineForApplication.cpp, xrefs: 00A0EF29
    • Failed to post launch approved exe message., xrefs: 00A0EF33
    • Failed to copy the id., xrefs: 00A0EEAD
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalHeapSection$AllocateEnterLeaveProcess
    • String ID: Engine is active, cannot change engine state.$EngineForApplication.cpp$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls
    • API String ID: 1367039788-528931743
    • Opcode ID: 3b8137c47c6db0231e15f6d130ceb9118bbade85047e44a8d67da6329f5dcb78
    • Instruction ID: 1481ae6fb0a662a48088438b87107b532263a258c47da75bfd50fcd2484649cf
    • Opcode Fuzzy Hash: 3b8137c47c6db0231e15f6d130ceb9118bbade85047e44a8d67da6329f5dcb78
    • Instruction Fuzzy Hash: 13319E76A50229BFEB11DF64EC45E6B77E8EF44720B058925FE08EB291E730DD0097A1
    APIs
    • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,00A0A5CE,?,00000000,?,?,00A1B041), ref: 00A094B1
    • GetLastError.KERNEL32(?,00A0A5CE,?,00000000,?,?,00A1B041,?,00000000,?,00000000,?,?,00A1B041,?), ref: 00A094BF
    • CloseHandle.KERNEL32(?,00A1B041,00000001,00000003,000007D0,?,?,00A1B041,?), ref: 00A0959E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseCreateErrorFileHandleLast
    • String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
    • API String ID: 2528220319-1187406825
    • Opcode ID: 13fd86d6dce84837c9d6d2422c9256a47389f4de5be7530ba0ee7acecf567945
    • Instruction ID: 97e8e227ed81b3ed792fdf5d08f971e93a152d138fda9016a860859718f04a75
    • Opcode Fuzzy Hash: 13fd86d6dce84837c9d6d2422c9256a47389f4de5be7530ba0ee7acecf567945
    • Instruction Fuzzy Hash: 45214C71B807687BE7221A29AC46F7F362CDF95B50F000618FD05BA2D2D391AD0185F1
    APIs
    • EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 009F6E89
    • LeaveCriticalSection.KERNEL32(?), ref: 009F7095
    Strings
    • Failed to read variable value type., xrefs: 009F7077
    • Failed to read variable value as number., xrefs: 009F704F
    • Unsupported variable type., xrefs: 009F705B
    • Failed to set variable., xrefs: 009F7069
    • Failed to read variable value as string., xrefs: 009F7062
    • Failed to read variable name., xrefs: 009F707E
    • Failed to read variable included flag., xrefs: 009F7085
    • Failed to set variable value., xrefs: 009F7048
    • Failed to read variable literal flag., xrefs: 009F7070
    • Failed to read variable count., xrefs: 009F6EA9
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
    • API String ID: 3168844106-528957463
    • Opcode ID: 9bc263986c297b90e85d578985663cbd11843f9d0ca720438616e779c7b03783
    • Instruction ID: 6414ff9a7e1fd3b2a0745983644e7a87772c7607e48ddcfe19a6eeec97b26224
    • Opcode Fuzzy Hash: 9bc263986c297b90e85d578985663cbd11843f9d0ca720438616e779c7b03783
    • Instruction Fuzzy Hash: 1C719C72C0522EBBDB21DEA8DD45EBEBBB9EF04710F144621FA00A6150DB35DE519BA0
    APIs
    • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 00A34425
    • GetLastError.KERNEL32 ref: 00A3443B
    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00A34486
    • GetLastError.KERNEL32 ref: 00A34490
    • CloseHandle.KERNEL32(?), ref: 00A34650
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLast$CloseCreateHandleSize
    • String ID: fileutil.cpp
    • API String ID: 3555958901-2967768451
    • Opcode ID: e25557ba4f93708bcc2fe3efac515fbf9dc7eeeac18e5406e54871acc1a60775
    • Instruction ID: 354ade5740f82d6d94f32ed32f73484c7fa3e4af0757e1f426390e1ca3c7e166
    • Opcode Fuzzy Hash: e25557ba4f93708bcc2fe3efac515fbf9dc7eeeac18e5406e54871acc1a60775
    • Instruction Fuzzy Hash: D2710671A40315EBEB21DF698C45B7B76E9EF48760F114129FE15EB290E778ED008BA0
    APIs
    • UuidCreate.RPCRT4(?), ref: 00A04BC9
    • StringFromGUID2.OLE32(?,?,00000027), ref: 00A04BF8
    • UuidCreate.RPCRT4(?), ref: 00A04C43
    • StringFromGUID2.OLE32(?,?,00000027), ref: 00A04C6F
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CreateFromStringUuid
    • String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
    • API String ID: 4041566446-2510341293
    • Opcode ID: 721672dc60d0f7fcb0b1fbb7f18a0af46bec65611eed080415f003776c0facd9
    • Instruction ID: ca9519537b554b84174b4af782b5214a866fdd8aff7ddad604d5282532762239
    • Opcode Fuzzy Hash: 721672dc60d0f7fcb0b1fbb7f18a0af46bec65611eed080415f003776c0facd9
    • Instruction Fuzzy Hash: 8941A3B2D0071CABDB10DBE4DD45F9EB7B8BB88711F204126FA05BB280D7749905CB90
    APIs
    • GetSystemTime.KERNEL32(?), ref: 009F5F3F
    • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 009F5F53
    • GetLastError.KERNEL32 ref: 009F5F65
    • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 009F5FB8
    • GetLastError.KERNEL32 ref: 009F5FC2
    Strings
    • Failed to set variant value., xrefs: 009F5FFF
    • variable.cpp, xrefs: 009F5F7F, 009F5FDC
    • Failed to get the Date., xrefs: 009F5FE6
    • Failed to allocate the buffer for the Date., xrefs: 009F5FA0
    • Failed to get the required buffer length for the Date., xrefs: 009F5F89
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: DateErrorFormatLast$SystemTime
    • String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
    • API String ID: 2700948981-3682088697
    • Opcode ID: 970ec75c4a65c03e786b2c956e2b4e73200edfe72806b601b87eb0921031960e
    • Instruction ID: 6aa5b2942a9dbfe9cf5c6886cc38fc990d321df109341e599576ad7195752445
    • Opcode Fuzzy Hash: 970ec75c4a65c03e786b2c956e2b4e73200edfe72806b601b87eb0921031960e
    • Instruction Fuzzy Hash: 0431C732A4071DBBDB21EBE9DC46FBFBAA9AB04710F114129FB01F7180DA708D0087A1
    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,009F5386,?,?), ref: 00A0E84A
    • GetLastError.KERNEL32(?,009F5386,?,?), ref: 00A0E857
    • CreateThread.KERNEL32(00000000,00000000,00A0E563,?,00000000,00000000), ref: 00A0E8B0
    • GetLastError.KERNEL32(?,009F5386,?,?), ref: 00A0E8BD
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,009F5386,?,?), ref: 00A0E8F8
    • CloseHandle.KERNEL32(00000000,?,009F5386,?,?), ref: 00A0E917
    • CloseHandle.KERNEL32(?,?,009F5386,?,?), ref: 00A0E924
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
    • String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
    • API String ID: 2351989216-3599963359
    • Opcode ID: 6e177544f09eb28e615e6ba46f7b9b6c18215b7a401a21cac83ccc519a7fbf1e
    • Instruction ID: 90d2e3d6aaab96ee6693e443c5cba4da3e7913e8cc9b34f423ead5b45b45c211
    • Opcode Fuzzy Hash: 6e177544f09eb28e615e6ba46f7b9b6c18215b7a401a21cac83ccc519a7fbf1e
    • Instruction Fuzzy Hash: EF317475E00219BFEB10DFE99D84AAFF6ECFF48350F114526FA04E3180D6308E0196A1
    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,009F5386,?,?), ref: 00A0E415
    • GetLastError.KERNEL32(?,?,009F5386,?,?), ref: 00A0E422
    • CreateThread.KERNEL32(00000000,00000000,00A0E177,00000000,00000000,00000000), ref: 00A0E481
    • GetLastError.KERNEL32(?,?,009F5386,?,?), ref: 00A0E48E
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,009F5386,?,?), ref: 00A0E4C9
    • CloseHandle.KERNEL32(?,?,?,009F5386,?,?), ref: 00A0E4DD
    • CloseHandle.KERNEL32(?,?,?,009F5386,?,?), ref: 00A0E4EA
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
    • String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
    • API String ID: 2351989216-1977201954
    • Opcode ID: 3d3346022d29d96c7779f23675e50220ffd2236e2300d6846fd29aef9121ab6d
    • Instruction ID: e19587331f72198b02ae59adbd1151d99d4bddec09b88d0f7f4c28cd92aff032
    • Opcode Fuzzy Hash: 3d3346022d29d96c7779f23675e50220ffd2236e2300d6846fd29aef9121ab6d
    • Instruction Fuzzy Hash: 03318475D00719BBEB10DBA9AC45AAFFBF9EB84710F108126FD14E2190D77549019BA0
    APIs
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,771B2F60,?,?,009F52FD,009F52B5,00000000,009F533D), ref: 00A11249
    • GetLastError.KERNEL32 ref: 00A1125C
    • GetExitCodeThread.KERNEL32(00A3B478,?), ref: 00A1129E
    • GetLastError.KERNEL32 ref: 00A112AC
    • ResetEvent.KERNEL32(00A3B450), ref: 00A112E7
    • GetLastError.KERNEL32 ref: 00A112F1
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
    • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
    • API String ID: 2979751695-3400260300
    • Opcode ID: 5a6578cd3d11b05b5b9c5d4c9926f4b1fd54221a3ab7a4d108e944666b436aaf
    • Instruction ID: 79a36461d141f723206b216ae2ad733540c118f953f3d511813359a094d73474
    • Opcode Fuzzy Hash: 5a6578cd3d11b05b5b9c5d4c9926f4b1fd54221a3ab7a4d108e944666b436aaf
    • Instruction Fuzzy Hash: AA21D275750304BFEB18EBB99D45ABEB6F8FB44710F00412EFA46DA1A0E734CA009B24
    APIs
    • SetEvent.KERNEL32(685479F6,009F533D,00000000,?,009FC06D,009F533D,009F52B5,00000000,?,00A0763B,?,009F5565,009F5371,009F5371,00000000,?), ref: 00A1135E
    • GetLastError.KERNEL32(?,009FC06D,009F533D,009F52B5,00000000,?,00A0763B,?,009F5565,009F5371,009F5371,00000000,?,009F5381,FFF9E89D,009F5381), ref: 00A11368
    • WaitForSingleObject.KERNEL32(85F08BFF,000000FF,?,009FC06D,009F533D,009F52B5,00000000,?,00A0763B,?,009F5565,009F5371,009F5371,00000000,?,009F5381), ref: 00A113A2
    • GetLastError.KERNEL32(?,009FC06D,009F533D,009F52B5,00000000,?,00A0763B,?,009F5565,009F5371,009F5371,00000000,?,009F5381,FFF9E89D,009F5381), ref: 00A113AC
    • CloseHandle.KERNEL32(85F08BFF,009F5381,009F533D,00000000,?,009FC06D,009F533D,009F52B5,00000000,?,00A0763B,?,009F5565,009F5371,009F5371,00000000), ref: 00A113F7
    • CloseHandle.KERNEL32(685479F6,009F5381,009F533D,00000000,?,009FC06D,009F533D,009F52B5,00000000,?,00A0763B,?,009F5565,009F5371,009F5371,00000000), ref: 00A11406
    • CloseHandle.KERNEL32(00A3BA60,009F5381,009F533D,00000000,?,009FC06D,009F533D,009F52B5,00000000,?,00A0763B,?,009F5565,009F5371,009F5371,00000000), ref: 00A11415
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseHandle$ErrorLast$EventObjectSingleWait
    • String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
    • API String ID: 1206859064-226982402
    • Opcode ID: b13421247d611d1fffd99460d2423a33b2d7085f5fb76e014678d2d6698a4cfd
    • Instruction ID: 717fa72b2d319ae34055e097ab7d122d1092d7334bd0493ad443041c6793f42b
    • Opcode Fuzzy Hash: b13421247d611d1fffd99460d2423a33b2d7085f5fb76e014678d2d6698a4cfd
    • Instruction Fuzzy Hash: 97212732250B00EBE731AB26DC48BA7B2F6FF84712F01462DF64A918A0D778D481CB25
    APIs
    • LoadLibraryW.KERNEL32(?,00000000,?,009F46F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,009F5386,?,?), ref: 009FD5CD
    • GetLastError.KERNEL32(?,009F46F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,009F5386,?,?), ref: 009FD5DA
    • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 009FD612
    • GetLastError.KERNEL32(?,009F46F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,009F5386,?,?), ref: 009FD61E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$AddressLibraryLoadProc
    • String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp$wininet.dll
    • API String ID: 1866314245-1140179540
    • Opcode ID: 2b7e976d304a0a3b5aab0ac5eac48d70aa43a11fbabb46bd09b61ae78414093d
    • Instruction ID: fbc445e8179b7b4acf102f17e9303e92fd4d94629af00bb75e178685f656fb26
    • Opcode Fuzzy Hash: 2b7e976d304a0a3b5aab0ac5eac48d70aa43a11fbabb46bd09b61ae78414093d
    • Instruction Fuzzy Hash: 1E11C232B61B25BFEB25ABA99C05F6776D9AF05750F01452AFE09E7190DB24CC008BE4
    APIs
    • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 00A09297
    • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 00A092BB
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast
    • String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$cache.cpp
    • API String ID: 1452528299-4263581490
    • Opcode ID: 32902a8abb8eb32bcdf523c194e33cf9a14f227a5ee731f45627827c9c848930
    • Instruction ID: 200326e6a213337e886ac3744b73f39f39d67574f9952eef9b55c94b2154c2b4
    • Opcode Fuzzy Hash: 32902a8abb8eb32bcdf523c194e33cf9a14f227a5ee731f45627827c9c848930
    • Instruction Fuzzy Hash: 737171B1D0022DAEEB10DFA8DD41BEFB7F8AB08350F114126F914F7291E77599418BA1
    APIs
    • GetWindowLongW.USER32(?,000000EB), ref: 00A0E326
    • DefWindowProcW.USER32(?,00000082,?,?), ref: 00A0E364
    • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00A0E371
    • SetWindowLongW.USER32(?,000000EB,?), ref: 00A0E380
    • DefWindowProcW.USER32(?,?,?,?), ref: 00A0E38E
    • CreateCompatibleDC.GDI32(?), ref: 00A0E39A
    • SelectObject.GDI32(00000000,00000000), ref: 00A0E3AB
    • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00A0E3CD
    • SelectObject.GDI32(00000000,00000000), ref: 00A0E3D5
    • DeleteDC.GDI32(00000000), ref: 00A0E3D8
    • PostQuitMessage.USER32(00000000), ref: 00A0E3E6
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
    • String ID:
    • API String ID: 409979828-0
    • Opcode ID: b0ee3d73cf345479b1cb24e083faab0e4808ac55594324cbf9fd779b7058e4dd
    • Instruction ID: 0058d9789673a9175b11946a2d467359d8a1d5a79fd881f6c8552fbd4365d614
    • Opcode Fuzzy Hash: b0ee3d73cf345479b1cb24e083faab0e4808ac55594324cbf9fd779b7058e4dd
    • Instruction Fuzzy Hash: 68219032110118BFCB15DFA8EC5CE7B3FAAEB49321B154918F616DB1B0D7318811EB62
    Strings
    • Failed to get current process directory., xrefs: 00A09FEF
    • Failed to combine last source with source., xrefs: 00A0A00C
    • WixBundleLastUsedSource, xrefs: 00A09F9D
    • Failed to get bundle layout directory property., xrefs: 00A0A083
    • WixBundleOriginalSource, xrefs: 00A09FB3
    • WixBundleLayoutDirectory, xrefs: 00A0A068
    • Failed to copy source path., xrefs: 00A0A113
    • Failed to combine layout source with source., xrefs: 00A0A0A0
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Find$CloseFileFirstlstrlen
    • String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
    • API String ID: 2767606509-3003062821
    • Opcode ID: fcf7b34b654b338a89b83a7d3bba92707cac9c006fe199fad46981f0a35abcf3
    • Instruction ID: 50fb9a61a84c2f98550372abe4ffabfb7361146c3fd848b3af5e3b85d8112514
    • Opcode Fuzzy Hash: fcf7b34b654b338a89b83a7d3bba92707cac9c006fe199fad46981f0a35abcf3
    • Instruction Fuzzy Hash: 3A716C72D0021DAFDF15DFA8E941AFEBBB5AF58310F100229F911B7290D7759D408B62
    APIs
    • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000040,00000000,00000000), ref: 009F30C7
    • GetLastError.KERNEL32 ref: 009F30D1
    • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009F3129
    • GetLastError.KERNEL32 ref: 009F3133
    • GetFullPathNameW.KERNEL32(00000000,00000040,00000000,00000000,00000000,00000040,00000000,00000000), ref: 009F31EC
    • GetLastError.KERNEL32 ref: 009F31F6
    • GetFullPathNameW.KERNEL32(00000000,00000007,00000000,00000000,00000000,00000007), ref: 009F324D
    • GetLastError.KERNEL32 ref: 009F3257
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
    • String ID: pathutil.cpp
    • API String ID: 1547313835-741606033
    • Opcode ID: 78ec9d0c093ca4bd3617bf161fb576925280065a5a3d2f04eeb7b2d39293ba24
    • Instruction ID: a7710dab05cf2ed8e529c3c84ed6e704acb6fb2121ee69a0b7712ade6128bf58
    • Opcode Fuzzy Hash: 78ec9d0c093ca4bd3617bf161fb576925280065a5a3d2f04eeb7b2d39293ba24
    • Instruction Fuzzy Hash: DE618232E0022DABDF219AB58C45BFE7AE9EB44750F118565FF15E7150E7388E009BA0
    APIs
    • GetTempPathW.KERNEL32(00000104,?,00000001,00000000,00000000), ref: 009F2E7A
    • GetLastError.KERNEL32 ref: 009F2E84
    • GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 009F2F1F
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 009F2FAD
    • GetLastError.KERNEL32 ref: 009F2FBA
    • Sleep.KERNEL32(00000064), ref: 009F2FCC
    • CloseHandle.KERNEL32(?), ref: 009F302C
    Strings
    • pathutil.cpp, xrefs: 009F2EA8
    • %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 009F2F7D
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
    • String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
    • API String ID: 3480017824-1101990113
    • Opcode ID: b32576a6d3a50a59a902c909b2c0544c03482453288f9d4f832f3b697b703085
    • Instruction ID: ca73787b9665d2616a077089b62ebc74d19bbdec775cf81b1b1c2fae2dfe92be
    • Opcode Fuzzy Hash: b32576a6d3a50a59a902c909b2c0544c03482453288f9d4f832f3b697b703085
    • Instruction Fuzzy Hash: 2F716472D5122DABDB309BA4DC48BBAB7F9EB48710F1441A5FA05E7190DB749E80CF60
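The two CreateFileW records in this listing (ref 00A34425 in the fileutil.cpp function above, and ref 009F2FAD in the pathutil.cpp temp-file function that ends here) are only readable once their hex arguments are mapped back to Win32 constants, and the source-file names that recur in the String ID entries (pipe.cpp, cache.cpp, variable.cpp, userexperience.cpp, pathutil.cpp, fileutil.cpp and the others) are the file names the WiX Toolset Burn bootstrapper engine and its dutil library embed in their logging strings. The helper below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses API lines in the report's own `Name.MODULE(args), ref: ADDR` format, decodes the access, sharing, disposition and flag arguments of each CreateFileW call, and counts Burn source-file names as evidence that process 3 (the vc_redist snapshot) is a Burn engine. The input lines are copied from this page and embedded as constructed sample input; the set of file names treated as Burn evidence is an assumption of the example.

```python
"""Triage helper for the function records in a Joe Sandbox disassembly listing.

Added example; not part of the Joe Sandbox report and not code from the
analysed sample. The sample lines below are copied from the "APIs" and
"String ID" entries on this page and embedded as constructed input.
"""
import re

# Documented Win32 constants for the CreateFileW arguments.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x100: "FILE_ATTRIBUTE_TEMPORARY",
         0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
         0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
         0x40000000: "FILE_FLAG_OVERLAPPED"}

# Source-file names embedded by the WiX Burn engine and its dutil library.
# Assumption of this example: any of these seen in a string entry counts as
# Burn evidence; two or more is treated as a positive identification.
BURN_SOURCES = {"engine.cpp", "pipe.cpp", "cache.cpp", "variable.cpp",
                "userexperience.cpp", "cabextract.cpp", "splashscreen.cpp",
                "uithread.cpp", "payload.cpp", "apply.cpp",
                "fileutil.cpp", "pathutil.cpp"}

# Matches the report's own line shape: "Name.MODULE(arg,arg,...), ref: ADDR".
API_LINE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-F]+)")


def parse_api_line(line):
    """Return (api, module, [args], ref) or None for lines without an arg list."""
    m = API_LINE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m.group(3).split(",")] if m.group(3) else []
    return m.group(1), m.group(2), args, m.group(4)


def _names(value, table):
    """Expand a bit mask into constant names; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return names or ["0"]


def decode_createfile(args):
    """Decode dwDesiredAccess, dwShareMode, dwCreationDisposition and
    dwFlagsAndAttributes of a CreateFileW call; '?' means the sandbox could
    not recover the value statically."""
    def val(i):
        return None if i >= len(args) or args[i] == "?" else int(args[i], 16)
    access, share, disp, flags = val(1), val(2), val(4), val(5)
    return {
        "access": _names(access, ACCESS) if access is not None else ["?"],
        "share": _names(share, SHARE) if share is not None else ["?"],
        "disposition": DISPOSITION.get(disp, hex(disp)) if disp is not None else "?",
        "flags": _names(flags, FLAGS) if flags is not None else ["?"],
    }


def burn_sources(string_id):
    """Pull known Burn/dutil source-file names out of a '$'-separated String ID."""
    return sorted(s for s in string_id.split("$") if s in BURN_SOURCES)


# Constructed input: records copied from the function listing on this page.
REPORT_LINES = [
    "• CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 00A34425",
    "• GetLastError.KERNEL32 ref: 00A3443B",
    "• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 009F2FAD",
]
STRING_IDS = [
    "BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp",
    "%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp",
    "BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp$wininet.dll",
]


def triage(report_lines=REPORT_LINES, string_ids=STRING_IDS):
    """Decode every CreateFileW call and collect Burn source-file evidence."""
    calls = []
    for line in report_lines:
        parsed = parse_api_line(line)
        if parsed and parsed[0] == "CreateFileW":
            _api, _module, args, ref = parsed
            calls.append((ref, decode_createfile(args)))
    evidence = sorted({s for sid in string_ids for s in burn_sources(sid)})
    return {"createfile": calls, "burn_sources": evidence,
            "looks_like_burn": len(evidence) >= 2}


if __name__ == "__main__":
    result = triage()
    for ref, decoded in result["createfile"]:
        print(ref, decoded)
    print("WiX Burn source files seen:", result["burn_sources"])
    print("Burn engine:", result["looks_like_burn"])
```

Run against the two records on this page, the decoder shows that 00A34425 opens an existing file for GENERIC_READ with FILE_SHARE_READ|FILE_SHARE_DELETE and FILE_FLAG_SEQUENTIAL_SCAN (a read-through of a file it does not own), while 009F2FAD creates its timestamp-named temp file with GENERIC_WRITE and CREATE_NEW, so an existing file of the same name makes the call fail instead of being overwritten; the surrounding Sleep(0x64) and retry is what you expect around that disposition. The Burn file names, together with the `hcaresult_3_2_9f0000_vc_redist.jbxd` snapshot name, are why this process reads as the vc_redist bootstrapper rather than as the InstSrv sample's own code.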
    APIs
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,771ADFD0,?,00A37172,?,?), ref: 00A36C4C
    • SysFreeString.OLEAUT32(00000000), ref: 00A36CB7
    • SysFreeString.OLEAUT32(00000000), ref: 00A36D2F
    • SysFreeString.OLEAUT32(00000000), ref: 00A36D71
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: String$Free$Compare
    • String ID: label$scheme$term
    • API String ID: 1324494773-4117840027
    • Opcode ID: 4345087c6593f5bc605aaa81703a0b144d1b0fb70b49f88572b8d91c97ac52e0
    • Instruction ID: ca9fb2a6557094367da5b4c4580bf923224866c50afc6bf577e49dbcf36d56fd
    • Opcode Fuzzy Hash: 4345087c6593f5bc605aaa81703a0b144d1b0fb70b49f88572b8d91c97ac52e0
    • Instruction Fuzzy Hash: C4513B76A01219FBCF21DBA4CD59FAEBBB9EF04721F208295F511AB1A0D7319E40DB50
    APIs
    • CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,?,000000FF,009F5381,?,009F52B5,00000000,009F5381,FFF9E89D,009F5381,009F53B5,009F533D,?), ref: 009FCB15
    Strings
    • Failed to find embedded payload: %ls, xrefs: 009FCB41
    • payload.cpp, xrefs: 009FCC16
    • Failed to extract file., xrefs: 009FCBE0
    • Failed to get next stream., xrefs: 009FCBFC
    • Payload was not found in container: %ls, xrefs: 009FCC22
    • Failed to concat file paths., xrefs: 009FCBF5
    • Failed to get directory portion of local file path, xrefs: 009FCBEE
    • Failed to ensure directory exists, xrefs: 009FCBE7
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CompareString
    • String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
    • API String ID: 1825529933-1711239286
    • Opcode ID: 57965cede128190c8a024792a54933e4a84e955964f921ff832d43eac6ece3e5
    • Instruction ID: d5184d04cf08928216037a32f8b766ee0abfa09198d70439618811c931a60e23
    • Opcode Fuzzy Hash: 57965cede128190c8a024792a54933e4a84e955964f921ff832d43eac6ece3e5
    • Instruction Fuzzy Hash: 7041DFB5D0021DEFCF25DE84CA82ABEB769BF40711F10C56AFA05AB251C3709D40DB90
    APIs
    • PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 009F46B5
    • GetCurrentThreadId.KERNEL32 ref: 009F46BB
      • Part of subcall function 00A0FC51: new.LIBCMT ref: 00A0FC58
    • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009F4749
    Strings
    • Failed to create engine for UX., xrefs: 009F46D5
    • engine.cpp, xrefs: 009F4795
    • Failed to load UX., xrefs: 009F46FE
    • Unexpected return value from message pump., xrefs: 009F479F
    • Failed to start bootstrapper application., xrefs: 009F4717
    • wininet.dll, xrefs: 009F46E8
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Message$CurrentPeekThread
    • String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
    • API String ID: 673430819-2573580774
    • Opcode ID: 219f6047db8e54982ee1251f648382854e6ec0c0e8432429091af1e88378dcf7
    • Instruction ID: dfa50846575b318412e17dc389283f15bf6735b397d513ce99dcb1625d692ede
    • Opcode Fuzzy Hash: 219f6047db8e54982ee1251f648382854e6ec0c0e8432429091af1e88378dcf7
    • Instruction Fuzzy Hash: C3417F7160021DBFEB14AAA4CC85EBBB7ADEF05714F100525FB05EB290EB24ED5587A1
    APIs
    • LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 00A08E01
    Strings
    • Failed to secure cache path: %ls, xrefs: 00A08DE4
    • Failed to create ACL to secure cache path: %ls, xrefs: 00A08DB7
    • Failed to allocate access for Administrators group to path: %ls, xrefs: 00A08D08
    • Failed to allocate access for SYSTEM group to path: %ls, xrefs: 00A08D29
    • Failed to allocate access for Users group to path: %ls, xrefs: 00A08D6B
    • cache.cpp, xrefs: 00A08DAC
    • Failed to allocate access for Everyone group to path: %ls, xrefs: 00A08D4A
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: FreeLocal
    • String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
    • API String ID: 2826327444-4113288589
    • Opcode ID: b36854b686c0adaf90cef07d40caae7030bf3fe187fd6ebfa3c32bf351acf62a
    • Instruction ID: 97f75888e9a51fc6f0ad705943a1f21fdfc08403fc22d9b7e85f7955493df400
    • Opcode Fuzzy Hash: b36854b686c0adaf90cef07d40caae7030bf3fe187fd6ebfa3c32bf351acf62a
    • Instruction Fuzzy Hash: 86412671E4122DB6EB309664DD45FFB7A68EF50710F014125FA48BA1C1DF649D88C7A8
    APIs
    • SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00A1ADE5,?,00000001,00000000), ref: 00A19AE1
    • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00A1ADE5,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 00A19AEB
    • CopyFileExW.KERNEL32(00000000,00000000,00A1993C,00000000,00000020,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00A19B39
    • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00A1ADE5,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 00A19B68
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLast$AttributesCopy
    • String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
    • API String ID: 1969131206-836986073
    • Opcode ID: 080dfdf25c8ca1dad6a4ca836c3ccfcf8d867806157099fa8a02757723785f57
    • Instruction ID: f85d463db97aca3c6977cc30a9f48033721af4b0041c4068f820a15792012766
    • Opcode Fuzzy Hash: 080dfdf25c8ca1dad6a4ca836c3ccfcf8d867806157099fa8a02757723785f57
    • Instruction Fuzzy Hash: E231E071B44215BBEB109A659C91EBBB3ADFF84781B108229BD09EB291E720DD41C6E1
    APIs
    • LoadBitmapW.USER32(?,00000001), ref: 00A0E094
    • GetLastError.KERNEL32 ref: 00A0E0A0
    • GetObjectW.GDI32(00000000,00000018,?), ref: 00A0E0E7
    • GetCursorPos.USER32(?), ref: 00A0E108
    • MonitorFromPoint.USER32(?,?,00000002), ref: 00A0E11A
    • GetMonitorInfoW.USER32(00000000,?), ref: 00A0E130
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
    • String ID: ($Failed to load splash screen bitmap.$splashscreen.cpp
    • API String ID: 2342928100-598475503
    • Opcode ID: c075b66ac9568406c3b5b4172159819b8cf47a0e1c8b374dad2a8bbd9d987339
    • Instruction ID: dab8bfb2f7a7243fb14d74680b1f33c635dc80cc0463168dfdcd42f6b93b63e8
    • Opcode Fuzzy Hash: c075b66ac9568406c3b5b4172159819b8cf47a0e1c8b374dad2a8bbd9d987339
    • Instruction Fuzzy Hash: 14313E75A00219AFDB10DFB8DD85A9EBBF5FB08710F148529F904EB294DB70D905CBA0
    APIs
    • GetSystemWow64DirectoryW.KERNEL32(?,00000104), ref: 009F64F7
    • GetLastError.KERNEL32 ref: 009F6505
    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 009F6546
    • GetLastError.KERNEL32 ref: 009F6550
    Strings
    • Failed to get 64-bit system folder., xrefs: 009F657E
    • Failed to backslash terminate system folder., xrefs: 009F65A2
    • variable.cpp, xrefs: 009F6535, 009F6574
    • Failed to get 32-bit system folder., xrefs: 009F653F
    • Failed to set system folder variant value., xrefs: 009F65BE
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: DirectoryErrorLastSystem$Wow64
    • String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
    • API String ID: 2634638900-1590374846
    • Opcode ID: 3d88e0b40c63888a1a718bda16d4b1d8a7ea2beba2f7afa578b9ebd8a70ff9c0
    • Instruction ID: 7879dd01be6769a547b75077deed17313727935c9899ff8fdbe284dca829cb3d
    • Opcode Fuzzy Hash: 3d88e0b40c63888a1a718bda16d4b1d8a7ea2beba2f7afa578b9ebd8a70ff9c0
    • Instruction Fuzzy Hash: 7921E972B40338A7EB20A7B59C45BBA72E8AF00750F114265FE09F7181DA649D45C7E1
    APIs
    • GetCurrentProcessId.KERNEL32(?,00000000,?,?,00A3B4F0), ref: 00A04EDB
    • GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 00A04F79
    • CloseHandle.KERNEL32(00000000), ref: 00A04F92
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Process$CloseCurrentHandle
    • String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
    • API String ID: 2815245435-1352204306
    • Opcode ID: be348e0f3cba0c03d5476e5aed1d53a0a40c4914c90a07c9f4c7f54f097def97
    • Instruction ID: 36221ea1f5497eb13b2bc2fa4b98fef02d33d2421f130f34044ab729c3e2181c
    • Opcode Fuzzy Hash: be348e0f3cba0c03d5476e5aed1d53a0a40c4914c90a07c9f4c7f54f097def97
    • Instruction Fuzzy Hash: 05217FB5D0020DFFCF01DF94ED819AEBBB8FF08751B10816AFA04A2240D7719E109B90
    APIs
    • GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 009F6746
    • GetProcAddress.KERNEL32(00000000), ref: 009F674D
    • GetLastError.KERNEL32 ref: 009F6757
    Strings
    • Failed to get msi.dll version info., xrefs: 009F679F
    • Failed to set variant value., xrefs: 009F67C3
    • DllGetVersion, xrefs: 009F6738
    • msi, xrefs: 009F673D
    • variable.cpp, xrefs: 009F677B
    • Failed to find DllGetVersion entry point in msi.dll., xrefs: 009F6785
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AddressErrorHandleLastModuleProc
    • String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
    • API String ID: 4275029093-842451892
    • Opcode ID: 4022f4ebddbeadd3915a866e669866aa8e9d38d5c95e5c537f61dbbc4d94c1bc
    • Instruction ID: a3a701c94d1b41e517b628bd1def621d1b16de2e9f51aeb3d60b42d0af20eefd
    • Opcode Fuzzy Hash: 4022f4ebddbeadd3915a866e669866aa8e9d38d5c95e5c537f61dbbc4d94c1bc
    • Instruction Fuzzy Hash: 9311B971B00729BBE710ABB9DC42ABFB6E8EB04750F000919FE05F7181DA649D0583E1
    APIs
    • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,009F111A,cabinet.dll,00000009,?,?,00000000), ref: 009F1185
    • GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,009F111A,cabinet.dll,00000009,?,?,00000000), ref: 009F1190
    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 009F119E
    • GetLastError.KERNEL32(?,?,?,?,009F111A,cabinet.dll,00000009,?,?,00000000), ref: 009F11B9
    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 009F11C1
    • GetLastError.KERNEL32(?,?,?,?,009F111A,cabinet.dll,00000009,?,?,00000000), ref: 009F11D6
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AddressErrorLastProc$HandleHeapInformationModule
    • String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
    • API String ID: 3104334766-1824683568
    • Opcode ID: 2b138023cbd33cbd3c940771b2034cd27ffef0054f0ab253778ac108eebe6412
    • Instruction ID: 17cf92c50d0bf0f44762846e0c87df5d16e0650b94871447ee147a67c861423c
    • Opcode Fuzzy Hash: 2b138023cbd33cbd3c940771b2034cd27ffef0054f0ab253778ac108eebe6412
    • Instruction Fuzzy Hash: 49015E71714219FA9620ABA6AC49D7B7B6EFB81791B008015FB1692140DB71DA018BF1
    APIs
    • EnterCriticalSection.KERNEL32(?), ref: 00A0F3FB
    • LeaveCriticalSection.KERNEL32(?), ref: 00A0F576
    Strings
    • UX did not provide container or payload id., xrefs: 00A0F565
    • Engine is active, cannot change engine state., xrefs: 00A0F415
    • UX denied while trying to set download URL on embedded payload: %ls, xrefs: 00A0F466
    • UX requested unknown container with id: %ls, xrefs: 00A0F4A0
    • UX requested unknown payload with id: %ls, xrefs: 00A0F450
    • Failed to set download URL., xrefs: 00A0F4D5
    • Failed to set download user., xrefs: 00A0F4FE
    • Failed to set download password., xrefs: 00A0F524
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
    • API String ID: 3168844106-2615595102
    • Opcode ID: aa0e8692370e8fb685cdbd61ef7ffdf354d0df34c1361dfab1df6e3329d11c81
    • Instruction ID: 2a4d58ab158b1caa8053a2966e9c52b98b788344d17065ee1f56041ce11c19f1
    • Opcode Fuzzy Hash: aa0e8692370e8fb685cdbd61ef7ffdf354d0df34c1361dfab1df6e3329d11c81
    • Instruction Fuzzy Hash: 5D41C172A40619BFDB319F28EC45A6A73A8AF80710F158235F905B7AC0EB75ED40CB91
    APIs
    • CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000000,000000FF,?,00000000,00000000), ref: 00A35955
    • GetLastError.KERNEL32 ref: 00A35963
    • VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 00A359A4
    • GetLastError.KERNEL32 ref: 00A359B1
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A35B26
    • CloseHandle.KERNEL32(?), ref: 00A35B35
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
    • String ID: GET$dlutil.cpp
    • API String ID: 2028584396-3303425918
    • Opcode ID: 1af8b4cc8c3f8cd87eeee6054d891f7806e239304adf80ff09dc72c06938bbbb
    • Instruction ID: 75a0690c67ae7b9d4dd1e11b92cab399e229664c98ff2f735c33a7e2d9044f37
    • Opcode Fuzzy Hash: 1af8b4cc8c3f8cd87eeee6054d891f7806e239304adf80ff09dc72c06938bbbb
    • Instruction Fuzzy Hash: 0B613B71E00619ABDF11DFB9CC85BEEBBB9BF48350F11421AFE15A7250E77099409BA0
    APIs
      • Part of subcall function 00A00E7E: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,00A00ACD,?,00000000,?,00000000,00000000), ref: 00A00EAD
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 00A00C51
    • GetLastError.KERNEL32 ref: 00A00C5E
    Strings
    • Failed to create syncpoint event., xrefs: 00A00C8C
    • Failed to append package start action., xrefs: 00A00AF3
    • Failed to append payload cache action., xrefs: 00A00C08
    • plan.cpp, xrefs: 00A00C82
    • Failed to append rollback cache action., xrefs: 00A00B2D
    • Failed to append cache action., xrefs: 00A00BA8
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CompareCreateErrorEventLastString
    • String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
    • API String ID: 801187047-2489563283
    • Opcode ID: 5abc2cf6683f88571ed339beaad426c6fd39278a7d01147f54a575ecc95223d9
    • Instruction ID: 0ee5e5d7bbec6bb66dfe6368a98a06aa592c588ca781c3381d55612cafb7f0b4
    • Opcode Fuzzy Hash: 5abc2cf6683f88571ed339beaad426c6fd39278a7d01147f54a575ecc95223d9
    • Instruction Fuzzy Hash: 35619F75600708EFDB05CF68D980EAABBF9FF89354F218459E8059B241DB30EE41DB50
    APIs
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 009F9DDA
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 009F9DFF
    Strings
    • Failed to set variable., xrefs: 009F9EE3
    • Failed to format component id string., xrefs: 009F9DE5
    • MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 009F9EF3
    • Failed to format product code string., xrefs: 009F9E0A
    • Failed to get component path: %d, xrefs: 009F9E63
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Open@16
    • String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
    • API String ID: 3613110473-1671347822
    • Opcode ID: f0d4355a53695d12b6d308282d4d8e81c6fff72012a66679210d362ee5c504a7
    • Instruction ID: 3e0349a286a06e884737f8ebe207dc8026a1f7892be65bc9736fdd20b09db7d0
    • Opcode Fuzzy Hash: f0d4355a53695d12b6d308282d4d8e81c6fff72012a66679210d362ee5c504a7
    • Instruction Fuzzy Hash: CB41D47290021DBECB25EAA88C46FBEB66DEF44310F244E16F715E1191D7319E50D792
    APIs
    • CompareStringW.KERNEL32(0000007F,00000000,771ADFD0,000000FF,name,000000FF,771ADFD0,?,771ADFD0,?,771ADFD0), ref: 00A36B2B
    • CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,email,000000FF), ref: 00A36B48
    • SysFreeString.OLEAUT32(00000000), ref: 00A36B86
    • SysFreeString.OLEAUT32(00000000), ref: 00A36BCD
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: String$CompareFree
    • String ID: email$name$uri
    • API String ID: 3589242889-1168628755
    • Opcode ID: a09f275c881c48ef87eb82d3ace2150edf50c848e2e1d025a1d03b52e5da3493
    • Instruction ID: c2581fffe4feea68123cb4f862fcfa6c00732fd41fd3de9ecc474ffc0d1b47bc
    • Opcode Fuzzy Hash: a09f275c881c48ef87eb82d3ace2150edf50c848e2e1d025a1d03b52e5da3493
    • Instruction Fuzzy Hash: D8410B35A45219BBDB11DFA4CC45FAEBBB5AF04721F2082A5F921EB290C7319E44DB90
    APIs
    • ReadFile.KERNEL32(00000000,?,00000008,009F4740,00000000,?,00000000,00000000,?,00000000,009F4740,?,?,00000000,?,00000000), ref: 00A04765
    • GetLastError.KERNEL32 ref: 00A04772
    • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 00A0481B
    • GetLastError.KERNEL32 ref: 00A04825
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLastRead
    • String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$pipe.cpp
    • API String ID: 1948546556-3912962418
    • Opcode ID: 82243bf31559c703dd276bd4bbe1eb4a9ce82b8dfd9c29e191f287f4c892d51b
    • Instruction ID: 568a4457564a353f0117478680149d212753017a01e49999a80f84b56fbd1730
    • Opcode Fuzzy Hash: 82243bf31559c703dd276bd4bbe1eb4a9ce82b8dfd9c29e191f287f4c892d51b
    • Instruction Fuzzy Hash: 0231D3B6A4022DBBEB10DFA5EC45BAAF769FB49711F10C125FA04E6180D7749E0487E0
    APIs
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 009FF315
      • Part of subcall function 009F4013: CreateDirectoryW.KERNELBASE(009F533D,009F53B5,00000000,00000000,?,00A09EE4,00000000,00000000,009F533D,00000000,009F52B5,00000000,?,?,009FD4AC,009F533D), ref: 009F4021
      • Part of subcall function 009F4013: GetLastError.KERNEL32(?,00A09EE4,00000000,00000000,009F533D,00000000,009F52B5,00000000,?,?,009FD4AC,009F533D,00000000,00000000), ref: 009F402F
    • lstrlenA.KERNEL32(00A3B4F0,00000000,00000094,00000000,00000094,?,?,00A00328,swidtag,00000094,?,00A3B508,00A00328,00000000,?,00000000), ref: 009FF368
      • Part of subcall function 00A34C67: CreateFileW.KERNEL32(00A3B4F0,40000000,00000001,00000000,00000002,00000080,00000000,00A00328,00000000,?,009FF37F,?,00000080,00A3B4F0,00000000), ref: 00A34C7F
      • Part of subcall function 00A34C67: GetLastError.KERNEL32(?,009FF37F,?,00000080,00A3B4F0,00000000,?,00A00328,?,00000094,?,?,?,?,?,00000000), ref: 00A34C8C
    Strings
    • Failed to allocate regid folder path., xrefs: 009FF3C7
    • Failed to write tag xml to file: %ls, xrefs: 009FF3A6
    • Failed to create regid folder: %ls, xrefs: 009FF3B0
    • Failed to allocate regid file path., xrefs: 009FF3C0
    • swidtag, xrefs: 009FF328
    • Failed to format tag folder path., xrefs: 009FF3CE
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
    • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$swidtag
    • API String ID: 904508749-1201533908
    • Opcode ID: fba6f61338b2a1b0248f23517d3bd944481e7b5896c4321972fa4a41cabc4940
    • Instruction ID: ad1c117ade80d1680dc949ce08a6ef63899e74d2d35acbddf0e0255bbd64dc5f
    • Opcode Fuzzy Hash: fba6f61338b2a1b0248f23517d3bd944481e7b5896c4321972fa4a41cabc4940
    • Instruction Fuzzy Hash: 93319032D0021DBFCB11AFA4DC51BADBBB9EF04750F108576FA00BA250E7B59E509B90
    APIs
    • WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,009F5386,00000000,00000000,?,00000000), ref: 00A05292
    • GetLastError.KERNEL32(?,?,?,009F4B5B,?,?,00000000,?,?,?,?,?,?,00A3B490,?,?), ref: 00A0529D
    Strings
    • Failed to write exit code to message buffer., xrefs: 00A0520D
    • Failed to post terminate message to child process cache thread., xrefs: 00A05261
    • Failed to post terminate message to child process., xrefs: 00A0527D
    • pipe.cpp, xrefs: 00A052C1
    • Failed to wait for child process exit., xrefs: 00A052CB
    • Failed to write restart to message buffer., xrefs: 00A05235
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLastObjectSingleWait
    • String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
    • API String ID: 1211598281-2161881128
    • Opcode ID: f6849668aab805fb4dd87db6adc8aefcbdd7a88d5a657d933e10c76493f0eb10
    • Instruction ID: 570e44dab4dd6ed7161d62f372ff2f6b5de92f5baaca6f879db7c7a903ba3cc9
    • Opcode Fuzzy Hash: f6849668aab805fb4dd87db6adc8aefcbdd7a88d5a657d933e10c76493f0eb10
    • Instruction Fuzzy Hash: 84219136D41B29BBDB125AA4ED05BDFBAB8EF18721F114325F900A61D0D7319E509AE0
    APIs
    • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,00A09CFF,00000003,000007D0,00000003,?,000007D0), ref: 00A08EAC
    • GetLastError.KERNEL32(?,00A09CFF,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000000,-00000004), ref: 00A08EB9
    • CloseHandle.KERNEL32(00000000,?,00A09CFF,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000000), ref: 00A08F80
    Strings
    • Failed to open payload at path: %ls, xrefs: 00A08EFC
    • Failed to verify hash of payload: %ls, xrefs: 00A08F6B
    • Failed to verify catalog signature of payload: %ls, xrefs: 00A08F47
    • cache.cpp, xrefs: 00A08EEF
    • Failed to verify signature of payload: %ls, xrefs: 00A08F28
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseCreateErrorFileHandleLast
    • String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
    • API String ID: 2528220319-2757871984
    • Opcode ID: d2fc4361c7228af936ba26f0e1de47d47037c4bd2b3e8b9805095ccf2f2eebdb
    • Instruction ID: 2835f28e53970d54fca8d7b46154fa680c6f1cba6797784786bb6764ccab1e16
    • Opcode Fuzzy Hash: d2fc4361c7228af936ba26f0e1de47d47037c4bd2b3e8b9805095ccf2f2eebdb
    • Instruction Fuzzy Hash: F321383560062ABBD7222B78EC89F9F7A1ABF00770F104210FD40651D0DB7E9C60DAD5
    APIs
    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 009F6A03
    • GetLastError.KERNEL32 ref: 009F6A0D
    • GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 009F6A51
    • GetLastError.KERNEL32 ref: 009F6A5B
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$DirectoryNamePathVolumeWindows
    • String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
    • API String ID: 124030351-4026719079
    • Opcode ID: 83fc18c68a4cf36e8ce5ab4f2da1bd30723f0baf28eede824dbab09499b4f6bf
    • Instruction ID: 472076966c6d8dbd08241d0ce30372a895e3f83d046252a483e1c862d7a23037
    • Opcode Fuzzy Hash: 83fc18c68a4cf36e8ce5ab4f2da1bd30723f0baf28eede824dbab09499b4f6bf
    • Instruction Fuzzy Hash: A221B772F40328BBD720EAA59D45FEB72ECAB40710F014166BE05F7181E6749D8186A5
    APIs
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 009F9B5A
    • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 009F9B72
    • GetLastError.KERNEL32 ref: 009F9B81
    Strings
    • search.cpp, xrefs: 009F9BB3
    • Failed to set variable., xrefs: 009F9C07
    • File search: %ls, did not find path: %ls, xrefs: 009F9BD5
    • Failed to format variable string., xrefs: 009F9B65
    • Failed get to file attributes. '%ls', xrefs: 009F9BC0
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AttributesErrorFileLastOpen@16
    • String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
    • API String ID: 1811509786-2053429945
    • Opcode ID: 88b1357affed5339fa91e826caafc68861e95a7e0c036748d8f55fb379b5abcc
    • Instruction ID: 3d40767498fad586bc346cab1e39e5037b4640c0e68de44c305c55528510a9b7
    • Opcode Fuzzy Hash: 88b1357affed5339fa91e826caafc68861e95a7e0c036748d8f55fb379b5abcc
    • Instruction Fuzzy Hash: B1212B32E4021CBBDB11AAA49D42BBEB7A9EF55310F104716FE04E5190E7709D50D7E1
    APIs
    • TlsSetValue.KERNEL32(?,?), ref: 00A0AB53
    • GetLastError.KERNEL32 ref: 00A0AB5D
    • CoInitializeEx.OLE32(00000000,00000000), ref: 00A0AB9C
    • CoUninitialize.OLE32(?,00A0C4F4,?,?), ref: 00A0ABD9
    Strings
    • Failed to initialize COM., xrefs: 00A0ABA8
    • elevation.cpp, xrefs: 00A0AB81
    • Failed to pump messages in child process., xrefs: 00A0ABC7
    • Failed to set elevated cache pipe into thread local storage for logging., xrefs: 00A0AB8B
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorInitializeLastUninitializeValue
    • String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
    • API String ID: 876858697-113251691
    • Opcode ID: 6c2604da40d4eca173951d19c354848a9b87a814e9ab1b5adea7df0ea0400b82
    • Instruction ID: 583370bf088afd7e485ecdb588408bf5683305db0184a399d1a761b75c42d931
    • Opcode Fuzzy Hash: 6c2604da40d4eca173951d19c354848a9b87a814e9ab1b5adea7df0ea0400b82
    • Instruction Fuzzy Hash: CF113672910739BFD7115B69FC05DAFBBA9EF12B60B004216FD04B7280EB605C0096E1
    APIs
      • Part of subcall function 00A30E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00A35699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00A30E52
    • RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 009F5C77
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseOpen
    • String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
    • API String ID: 47109696-3209209246
    • Opcode ID: 5115fecdcc308b7a7b525d9eaa3671389488367e74cc4418a845252ea38e84f2
    • Instruction ID: aceecaee507879a22403e3f5aa36f4018b4b742532a526156f80d8c629dd5b6e
    • Opcode Fuzzy Hash: 5115fecdcc308b7a7b525d9eaa3671389488367e74cc4418a845252ea38e84f2
    • Instruction Fuzzy Hash: 5F012832E4062CF7CB126A54FF02EAEBB6CEB50760F12026AFE45B6110D7708E1093D0
    APIs
    • SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,00000001,00000000,?), ref: 00A1A0F1
    • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00A1A0FB
    Strings
    • Failed to clear readonly bit on payload destination path: %ls, xrefs: 00A1A12A
    • :, xrefs: 00A1A174
    • Failed attempt to download URL: '%ls' to: '%ls', xrefs: 00A1A1D8
    • download, xrefs: 00A1A0BB
    • apply.cpp, xrefs: 00A1A11F
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AttributesErrorFileLast
    • String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
    • API String ID: 1799206407-1905830404
    • Opcode ID: a8666dd655e4bc77939f6f64c70b72d6890073277e9553823692c4c7e1666274
    • Instruction ID: a975602a5b9ee6d64c7faf60fbbc844806fde0476b54f6216e42ccdc2f73ecf9
    • Opcode Fuzzy Hash: a8666dd655e4bc77939f6f64c70b72d6890073277e9553823692c4c7e1666274
    • Instruction Fuzzy Hash: 89518D71A01219BFDB11DFA8C840AEAB7B9FF58710F108559E905EB251E371DE80CB92
    APIs
    • CompareStringW.KERNEL32(0000007F,00000000,771ADFD0,000000FF,type,000000FF,?,771ADFD0,771ADFD0,771ADFD0), ref: 00A36DFE
    • SysFreeString.OLEAUT32(00000000), ref: 00A36E49
    • SysFreeString.OLEAUT32(00000000), ref: 00A36EC5
    • SysFreeString.OLEAUT32(00000000), ref: 00A36F11
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: String$Free$Compare
    • String ID: type$url
    • API String ID: 1324494773-1247773906
    • Opcode ID: 0e6426c066664375e626f4c4972bdc6d7d4ea740fea2a087f5aef2a87643d9ad
    • Instruction ID: 0109d64d62fd0e0ae796904db325e3fa2dfe3279611c587546989bd6b071d336
    • Opcode Fuzzy Hash: 0e6426c066664375e626f4c4972bdc6d7d4ea740fea2a087f5aef2a87643d9ad
    • Instruction Fuzzy Hash: 8C514A76901219FFCF15DFA4C848EAEBBB9AF04711F2482A9F911EB1A0D7319E44DB50
    APIs
      • Part of subcall function 009F38D4: GetProcessHeap.KERNEL32(?,000001C7,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38E5
      • Part of subcall function 009F38D4: RtlAllocateHeap.NTDLL(00000000,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38EC
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000000,?,?,00A18E1F,000002C0,00000100), ref: 00A383AD
    • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,00A18E1F,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 00A383C8
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CompareHeapString$AllocateProcess
    • String ID: application$apuputil.cpp$http://appsyndication.org/2006/appsyn$type
    • API String ID: 2664528157-4206478990
    • Opcode ID: 7e9e91c79067c08d8c2a14423d7da8f42a71cae4b10bac05bd260e7cc4eeb488
    • Instruction ID: 63e0f59515fbf7ba6fab745ee0a697ddc2f1a8df10648f2679832af32374626d
    • Opcode Fuzzy Hash: 7e9e91c79067c08d8c2a14423d7da8f42a71cae4b10bac05bd260e7cc4eeb488
    • Instruction Fuzzy Hash: 0051B171644306BBEB219F54CC81F2A77A5EF44760F208214FA66EB6D1DBB8E940CB10
    APIs
    • GetLastError.KERNEL32 ref: 00A363B7
    • DeleteFileW.KERNEL32(00000000,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 00A364AE
    • CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 00A364BD
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseDeleteErrorFileHandleLast
    • String ID: Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
    • API String ID: 3522763407-1704223933
    • Opcode ID: 0dccd4be3e15619783d5cf4503af802188b301201f5146f9d62e8ec9f4591342
    • Instruction ID: c1c565e34687debe9d891f02a675cd3f87c1cadf722c0d4de3fe2eb5faf10054
    • Opcode Fuzzy Hash: 0dccd4be3e15619783d5cf4503af802188b301201f5146f9d62e8ec9f4591342
    • Instruction Fuzzy Hash: 78511972D00619BBDF12DFA4CD85EEEBBB9FF08710F008155FA14E6190E7358A559BA0
    APIs
    • _memcmp.LIBVCRUNTIME ref: 00A0910E
      • Part of subcall function 00A35587: GetLastError.KERNEL32(?,?,00A09133,?,00000003,00000000,?), ref: 00A355A6
    • _memcmp.LIBVCRUNTIME ref: 00A09148
    • GetLastError.KERNEL32 ref: 00A091C2
    Strings
    • Failed to read certificate thumbprint., xrefs: 00A091B6
    • Failed to find expected public key in certificate chain., xrefs: 00A09183
    • cache.cpp, xrefs: 00A091E6
    • Failed to get certificate public key identifier., xrefs: 00A091F0
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast_memcmp
    • String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
    • API String ID: 3428363238-3408201827
    • Opcode ID: 2b8470853880cdfe662a97153979b18bb30e76ad062653f52b6b7cddc8c86349
    • Instruction ID: 82d2a459224096da0fa1185ee929147794fdcc1366131c1bcfe981eedd3138b9
    • Opcode Fuzzy Hash: 2b8470853880cdfe662a97153979b18bb30e76ad062653f52b6b7cddc8c86349
    • Instruction Fuzzy Hash: 1B413F71F0021AAFDB50DBA9E845AABB7B9BB08750F004125F905E7292D774ED44CBA4
    APIs
    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,?,00000000,?), ref: 00A0054A
    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,?,00000000,?), ref: 00A00559
      • Part of subcall function 00A30AD5: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,00A00491,?,00000000,00020006), ref: 00A30AFA
    Strings
    • Failed to open registration key., xrefs: 00A00591
    • Failed to delete registration key: %ls, xrefs: 00A004F8
    • Failed to update resume mode., xrefs: 00A0052E
    • Failed to write volatile reboot required registry key., xrefs: 00A00495
    • %ls.RebootRequired, xrefs: 00A00467
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Close$Create
    • String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.
    • API String ID: 359002179-2517785395
    • Opcode ID: 89e9bb63aedb1742fa3884a349efaf20ad1ccc343fc81d34f5dd4ed24a387002
    • Instruction ID: ca62b9635ea2dde1393063cba4c8eeae091b4f43d6e3307d58130e47ac2b2ccb
    • Opcode Fuzzy Hash: 89e9bb63aedb1742fa3884a349efaf20ad1ccc343fc81d34f5dd4ed24a387002
    • Instruction Fuzzy Hash: 0B41833190071CBBDF22AFA4ED02FAF7BB9EF84310F144469F645610A1D772AA50DB51
    APIs
    • RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 009FF7CD
    • RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 009FF7DA
    Strings
    • Failed to open registration key., xrefs: 009FF736
    • Resume, xrefs: 009FF741
    • Failed to read Resume value., xrefs: 009FF763
    • Failed to format pending restart registry key to read., xrefs: 009FF6D1
    • %ls.RebootRequired, xrefs: 009FF6BA
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Close
    • String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
    • API String ID: 3535843008-3890505273
    • Opcode ID: 0032a2220aa2b02f648d3fec0e03d540d078a0b5b8e0584acc0ca0d8abbdd723
    • Instruction ID: c8acad6566c3162e6b54a6d61e3ba13ce58e03faead67d854fddf9aefa4e526b
    • Opcode Fuzzy Hash: 0032a2220aa2b02f648d3fec0e03d540d078a0b5b8e0584acc0ca0d8abbdd723
    • Instruction Fuzzy Hash: F0415C3690021CEFCB11AF98C991ABDFBB9FF01310F258576EA14AB224D3759E40DB80
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID:
    • String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
    • API String ID: 0-660234312
    • Opcode ID: 596498b115410ec74b903f7cb4533c46ba25752e7a428d572cbd53408a3e62da
    • Instruction ID: f2ca0faf559e50f8507341d01770e488bf0a28cac7c683b783a2406d37534511
    • Opcode Fuzzy Hash: 596498b115410ec74b903f7cb4533c46ba25752e7a428d572cbd53408a3e62da
    • Instruction Fuzzy Hash: 7B31D632D0032DBBCF219BA8DC05FAEB779AB51760F218265F920A61D0EB308E459791
    APIs
    • CoCreateInstance.OLE32(00A50A84,00000000,00000017,00A50A94,?,?,00000000,00000000,?,?,?,?,?,00A1DCAE,00000000,00000000), ref: 00A1D6AF
    Strings
    • Failed to set BITS job to foreground., xrefs: 00A1D730
    • WixBurn, xrefs: 00A1D6DA
    • Failed to set notification flags for BITS job., xrefs: 00A1D701
    • Failed to create IBackgroundCopyManager., xrefs: 00A1D6BB
    • Failed to create BITS job., xrefs: 00A1D6E9
    • Failed to set progress timeout., xrefs: 00A1D719
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CreateInstance
    • String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
    • API String ID: 542301482-468763447
    • Opcode ID: a1f5761e3b122c441559354e70b4c61911a5275da5e3ba96c42a66074e39002b
    • Instruction ID: 5648cd250f31df5aa910884361167fd70d6e298a6f657f6d1731ebdf183f62a2
    • Opcode Fuzzy Hash: a1f5761e3b122c441559354e70b4c61911a5275da5e3ba96c42a66074e39002b
    • Instruction Fuzzy Hash: 0D318E31B40226BF9B15CFA8C855EAFBBB4FF48751B100569FD06EB390CA30AC458B91
    APIs
    • CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 00A35CB2
    • GetLastError.KERNEL32 ref: 00A35CBF
    • ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 00A35D06
    • CloseHandle.KERNEL32(00000000,dlutil.cpp,000000C8,00000000), ref: 00A35D6E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: File$CloseCreateErrorHandleLastRead
    • String ID: %ls.R$dlutil.cpp
    • API String ID: 2136311172-657863730
    • Opcode ID: 7c3e3a57693a7521854f32da8aac86be2f1660b6f213662863629e4aa4cbaa16
    • Instruction ID: ace1906e6270fbdbef9c957ad1925c3e4dca7ad06a06ce5fd65b5e8aedd7a1ff
    • Opcode Fuzzy Hash: 7c3e3a57693a7521854f32da8aac86be2f1660b6f213662863629e4aa4cbaa16
    • Instruction Fuzzy Hash: F531B172A40714ABEB20DFB8CC89BAA76E8EF45761F114219FE05EB1D0D7705D0187A1
    APIs
      • Part of subcall function 009FCC57: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,009FE336,000000FF,00000000,00000000,009FE336,?,?,009FDADD,?,?,?,?), ref: 009FCC82
    • CreateFileW.KERNEL32(E900A3BA,80000000,00000005,00000000,00000003,08000000,00000000,009F52BD,00A3B450,00000000,009F53B5,04680A79,?,009F52B5,00000000,009F5381), ref: 009FC84F
    • GetLastError.KERNEL32(?,?,?,00A075F7,009F5565,009F5371,009F5371,00000000,?,009F5381,FFF9E89D,009F5381,009F53B5,009F533D,?,009F533D), ref: 009FC894
    Strings
    • Failed to find payload for catalog file., xrefs: 009FC8D9
    • Failed to verify catalog signature: %ls, xrefs: 009FC88D
    • Failed to open catalog in working path: %ls, xrefs: 009FC8C2
    • Failed to get catalog local file path, xrefs: 009FC8D2
    • catalog.cpp, xrefs: 009FC8B5
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CompareCreateErrorFileLastString
    • String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
    • API String ID: 1774366664-48089280
    • Opcode ID: f9c5e0404602dd70d370e18e900107ffcf6e315e4aab992e157ca4f99653c52f
    • Instruction ID: 3aa7704a567b1fee38a0577c0a891778e306fe74102cf448aba5273db11e7aba
    • Opcode Fuzzy Hash: f9c5e0404602dd70d370e18e900107ffcf6e315e4aab992e157ca4f99653c52f
    • Instruction Fuzzy Hash: 7031D1B1E4061DBFD7109B68CD41F6ABBA4FB04790F11C629FA08EB290E770AD509B90
    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,771B30B0,00000000,?,?,?,?,00A1D439,?), ref: 00A1D145
    • ReleaseMutex.KERNEL32(?,?,?,?,00A1D439,?), ref: 00A1D161
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A1D1A4
    • ReleaseMutex.KERNEL32(?), ref: 00A1D1BB
    • SetEvent.KERNEL32(?), ref: 00A1D1C4
    Strings
    • Failed to get message from netfx chainer., xrefs: 00A1D1E5
    • Failed to send files in use message from netfx chainer., xrefs: 00A1D20A
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: MutexObjectReleaseSingleWait$Event
    • String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
    • API String ID: 2608678126-3424578679
    • Opcode ID: bae95856bdd819e37b3e33d4dfcbefa06e2678462b67ff6483b056ce5b1f1cee
    • Instruction ID: a77bfacb444d1ea4a0d91358bbeb307574459b62ef7da7cfd081cf8abaa1c7d8
    • Opcode Fuzzy Hash: bae95856bdd819e37b3e33d4dfcbefa06e2678462b67ff6483b056ce5b1f1cee
    • Instruction Fuzzy Hash: 2831C732900609BFCB129FA4DC08EEFBBB9FF44321F108665FA65A6261C775D9458B90
    APIs
    • CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 00A3089A
    • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 00A308A4
    • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 00A308ED
    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 00A308FA
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseHandle$CreateErrorLastProcess
    • String ID: "%ls" %ls$D$procutil.cpp
    • API String ID: 161867955-2732225242
    • Opcode ID: 77d4ac4eae30df932f52d46618c489e1ccce61d408a1b32026479a66d031bcb4
    • Instruction ID: 1929e61ee97aa4c24185559b45269e4255c76367d95c86f3027f6489663b5a7a
    • Opcode Fuzzy Hash: 77d4ac4eae30df932f52d46618c489e1ccce61d408a1b32026479a66d031bcb4
    • Instruction Fuzzy Hash: 9F211971D0021EAFDB10EFE9DD409AEBBB9EF44355F10412AFA05B6161D7705E409BA1
    APIs
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 009F9A86
    • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,009FA7A9,00000100,000002C0,000002C0,00000100), ref: 009F9AA6
    • GetLastError.KERNEL32(?,009FA7A9,00000100,000002C0,000002C0,00000100), ref: 009F9AB1
    Strings
    • Failed to set directory search path variable., xrefs: 009F9AE1
    • Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 009F9B1C
    • Failed while searching directory search: %ls, for path: %ls, xrefs: 009F9B06
    • Failed to format variable string., xrefs: 009F9A91
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AttributesErrorFileLastOpen@16
    • String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
    • API String ID: 1811509786-2966038646
    • Opcode ID: 0d6e33d19895969eab9509cd66a4d687a8a87a7ca8b7d34d280bc413ccd9583c
    • Instruction ID: ad978e30e4660830a6285d1f28fe9c68716bb192cca01137bd2403d2b00c699f
    • Opcode Fuzzy Hash: 0d6e33d19895969eab9509cd66a4d687a8a87a7ca8b7d34d280bc413ccd9583c
    • Instruction Fuzzy Hash: AA11E732D4012DFBCB12A6D5AD02FBEBA69EF14320F200611FE04761A0D7269E10A7E1
    APIs
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 009F9C52
    • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,009FA781,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 009F9C72
    • GetLastError.KERNEL32(?,009FA781,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 009F9C7D
    Strings
    • Failed while searching file search: %ls, for path: %ls, xrefs: 009F9CAA
    • File search: %ls, did not find path: %ls, xrefs: 009F9CE0
    • Failed to set variable to file search path., xrefs: 009F9CD4
    • Failed to format variable string., xrefs: 009F9C5D
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AttributesErrorFileLastOpen@16
    • String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
    • API String ID: 1811509786-3425311760
    • Opcode ID: 2a1325f79f3877190615674ef2c22969001994e9c291d6d79c1985f025970c16
    • Instruction ID: f6d75625d5a3c72af000d2b6474436f281a7e8f694e8b6b418706471ccd5e030
    • Opcode Fuzzy Hash: 2a1325f79f3877190615674ef2c22969001994e9c291d6d79c1985f025970c16
    • Instruction Fuzzy Hash: 52112C32D4012CBBCF226B949E43BBDBBA9EF11720F204612FE58B61A0D7355D10A7D5
    APIs
    • WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,00A0D134,00000000,?,?,00A0C59C,00000001,?,?,?,?,?), ref: 00A0CD06
    • GetLastError.KERNEL32(?,?,00A0D134,00000000,?,?,00A0C59C,00000001,?,?,?,?,?,00000000,00000000,?), ref: 00A0CD10
    • GetExitCodeThread.KERNEL32(00000001,?,?,?,00A0D134,00000000,?,?,00A0C59C,00000001,?,?,?,?,?,00000000), ref: 00A0CD4C
    • GetLastError.KERNEL32(?,?,00A0D134,00000000,?,?,00A0C59C,00000001,?,?,?,?,?,00000000,00000000,?), ref: 00A0CD56
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$CodeExitObjectSingleThreadWait
    • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
    • API String ID: 3686190907-1954264426
    • Opcode ID: 4cdbb87c7ce1e27f7ed0504ce6f0d8a27c5bb9bacac4d43623760f816ba91c61
    • Instruction ID: fe0a3e92e569e975b44fdfd72cc4d83c4b768a24615bb3400714bda861888256
    • Opcode Fuzzy Hash: 4cdbb87c7ce1e27f7ed0504ce6f0d8a27c5bb9bacac4d43623760f816ba91c61
    • Instruction Fuzzy Hash: DB012876B407387BE720ABB9AD06BAF79D9EF047A0F014225FE05E6090E7548E0082F5
    APIs
    • WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,00A06CFB,009F4740,?,00000000,?,00000000,00000001), ref: 00A067BD
    • GetLastError.KERNEL32(?,00A06CFB,009F4740,?,00000000,?,00000000,00000001), ref: 00A067C7
    • GetExitCodeThread.KERNEL32(00000001,00000000,?,00A06CFB,009F4740,?,00000000,?,00000000,00000001), ref: 00A06806
    • GetLastError.KERNEL32(?,00A06CFB,009F4740,?,00000000,?,00000000,00000001), ref: 00A06810
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$CodeExitObjectSingleThreadWait
    • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
    • API String ID: 3686190907-2546940223
    • Opcode ID: 6f62cd97dde3b48229f77859323ffd8b329e124e867b38043155ee80fb3ba74c
    • Instruction ID: 61cbb50de56af6e6f57e63eeae23b33383644c24d34f269896acfd91fa2d4a47
    • Opcode Fuzzy Hash: 6f62cd97dde3b48229f77859323ffd8b329e124e867b38043155ee80fb3ba74c
    • Instruction Fuzzy Hash: 67018070750308BBFB08EBB5EE56BBE76E5EB44710F10412DB906D51E0EB798E10A668
    APIs
    • EnterCriticalSection.KERNEL32(?), ref: 00A0F59B
    • LeaveCriticalSection.KERNEL32(?), ref: 00A0F6A8
    Strings
    • UX denied while trying to set source on embedded payload: %ls, xrefs: 00A0F61D
    • Failed to set source path for payload., xrefs: 00A0F637
    • Engine is active, cannot change engine state., xrefs: 00A0F5B5
    • UX requested unknown container with id: %ls, xrefs: 00A0F667
    • Failed to set source path for container., xrefs: 00A0F68D
    • UX requested unknown payload with id: %ls, xrefs: 00A0F607
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: Engine is active, cannot change engine state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
    • API String ID: 3168844106-4121889706
    • Opcode ID: 725c9e89a0d4b201c2ba0781c3fb1a2a470076dee34c005c16f086a01f509220
    • Instruction ID: 6670bd708ac64a6bf88ab05d24ddce7d33ed0acbfcd2251262fb0ae63e77e3dc
    • Opcode Fuzzy Hash: 725c9e89a0d4b201c2ba0781c3fb1a2a470076dee34c005c16f086a01f509220
    • Instruction Fuzzy Hash: BD31E872A40659BFCB319B58EC45E6A73ACEF94720F158126F804F7690DB76ED008BA1
    APIs
    • lstrlenW.KERNEL32(00000000), ref: 009F70E7
    Strings
    • [\%c], xrefs: 009F7146
    • []{}, xrefs: 009F7111
    • Failed to append escape sequence., xrefs: 009F717A
    • Failed to format escape sequence., xrefs: 009F7181
    • Failed to allocate buffer for escaped string., xrefs: 009F70FE
    • Failed to append characters., xrefs: 009F7173
    • Failed to copy string., xrefs: 009F719B
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: lstrlen
    • String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
    • API String ID: 1659193697-3250950999
    • Opcode ID: 6419734d32b2df8e9c3f0a56fd4e3befe63c6b99e07573c520137a7f6a62cb84
    • Instruction ID: 9bd4ec202a7e7f9d95fd07517781a908109da6921475806e8a91e7278619b937
    • Opcode Fuzzy Hash: 6419734d32b2df8e9c3f0a56fd4e3befe63c6b99e07573c520137a7f6a62cb84
    • Instruction Fuzzy Hash: A921D833E4C22DBAEB1196D4DC42FBEF6ADAB00731F210556FA00B6141DB74AE489394
    APIs
    • CompareStringW.KERNEL32(00000000,00000000,00A3B4F0,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,00A1659B,?,00000001,?,00A3B490), ref: 00A15A19
    Strings
    • Failed grow array of ordered patches., xrefs: 00A15AB2
    • Failed to copy target product code., xrefs: 00A15B4C
    • Failed to plan action for target product., xrefs: 00A15AC4
    • Failed to insert execute action., xrefs: 00A15A6E
    • feclient.dll, xrefs: 00A15A0F, 00A15B39
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CompareString
    • String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
    • API String ID: 1825529933-3477540455
    • Opcode ID: 9f9437cddf2acd919898f512d515c8965016b2986483e143695a8916b61d830c
    • Instruction ID: 6fb226ce90cd740f326e2d28c80f0e70959416d25d5cf3040d8e86f5672d5d9d
    • Opcode Fuzzy Hash: 9f9437cddf2acd919898f512d515c8965016b2986483e143695a8916b61d830c
    • Instruction Fuzzy Hash: 3D8134B5A0474ADFCB14CF68C984AAA77A4FF88364F158669EC158B352D730EC91CF90
    APIs
    • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,00A06F20,000000B8,0000001C,00000100), ref: 00A19068
    • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,00A3B4A8,000000FF,?,?,?,00A06F20,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 00A19101
    Strings
    • detect.cpp, xrefs: 00A19163
    • Failed to initialize update bundle., xrefs: 00A191A9
    • BA aborted detect forward compatible bundle., xrefs: 00A1916D
    • comres.dll, xrefs: 00A19187
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CompareString
    • String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$comres.dll$detect.cpp
    • API String ID: 1825529933-439563586
    • Opcode ID: 517fca395f1e66e1ed3e00e586c2238e652bc3b7cbda319ade241ebee58b5e1c
    • Instruction ID: f3f4771b2691d675f703bd5f588c59c29737769b90c58f3ca270d3f81d6d9b4e
    • Opcode Fuzzy Hash: 517fca395f1e66e1ed3e00e586c2238e652bc3b7cbda319ade241ebee58b5e1c
    • Instruction Fuzzy Hash: 84519C71600206BFDB559F74CC95EABB7AAFF09320B104668F919DA291D731ECA0DB90
    APIs
    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00A2D132,?,00000000,?,00000000,00000000), ref: 00A2C9FF
    • __fassign.LIBCMT ref: 00A2CA7A
    • __fassign.LIBCMT ref: 00A2CA95
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00A2CABB
    • WriteFile.KERNEL32(?,?,00000000,00A2D132,00000000,?,?,?,?,?,?,?,?,?,00A2D132,?), ref: 00A2CADA
    • WriteFile.KERNEL32(?,?,00000001,00A2D132,00000000,?,?,?,?,?,?,?,?,?,00A2D132,?), ref: 00A2CB13
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
    • String ID:
    • API String ID: 1324828854-0
    • Opcode ID: 60a046833b6e77cb8b6bb30761b23b18d97b6c26ae02cb2e8be38ef3a63667f6
    • Instruction ID: 466909d000390d53172226506b4a5cc208ec2733fa9c88d623f97a033e6db9cc
    • Opcode Fuzzy Hash: 60a046833b6e77cb8b6bb30761b23b18d97b6c26ae02cb2e8be38ef3a63667f6
    • Instruction Fuzzy Hash: 3651B471A002599FCB10CFA8ED85AEEBBF5FF09310F14422AE555E7291E7309941CBA0
    APIs
    • GetLastError.KERNEL32(?,000000FF,00AAC56B,?,009F52B5,00000000,009F533D), ref: 00A0AA90
    • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,000000FF,00AAC56B,?,009F52B5,00000000,009F533D), ref: 00A0AAD4
    Strings
    • Failed authenticode verification of payload: %ls, xrefs: 00A0AA71
    • Failed to verify expected payload against actual certificate chain., xrefs: 00A0AB1A
    • Failed to get signer chain from authenticode certificate., xrefs: 00A0AB02
    • cache.cpp, xrefs: 00A0AA66, 00A0AAB4, 00A0AAF8
    • Failed to get provider state from authenticode certificate., xrefs: 00A0AABE
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast
    • String ID: Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$cache.cpp
    • API String ID: 1452528299-2590768268
    • Opcode ID: 5056a83942c612264183339f8d385d6b775878487133e5ada475120f2a2bc217
    • Instruction ID: 2b3340af0be4505bed82ed42b69480f7af80c7f4efd0b6b45b6e6f722777e838
    • Opcode Fuzzy Hash: 5056a83942c612264183339f8d385d6b775878487133e5ada475120f2a2bc217
    • Instruction Fuzzy Hash: FB418575E00328ABEB109BA9DD45BEFBAF8EF49350F000129F905F7181D7705D0586A6
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000001,00000000,00000000), ref: 00A30234
    • GetComputerNameW.KERNEL32(?,?), ref: 00A3028C
    Strings
    • Executable: %ls v%d.%d.%d.%d, xrefs: 00A302E8
    • === Logging started: %ls ===, xrefs: 00A302B7
    • Computer : %ls, xrefs: 00A302FA
    • --- logging level: %hs ---, xrefs: 00A3034C
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Name$ComputerFileModule
    • String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
    • API String ID: 2577110986-3153207428
    • Opcode ID: d17b0a55ef606921e173b8cc32fa9e9d0c5f07a8d22f06347877d0a5ddb5db11
    • Instruction ID: c3451aeed2e36a05d45aaa9c8ed8d6585589090cd9d3594e9e213098062bc3c8
    • Opcode Fuzzy Hash: d17b0a55ef606921e173b8cc32fa9e9d0c5f07a8d22f06347877d0a5ddb5db11
    • Instruction Fuzzy Hash: 514136F1A0021CABCB11DF64DD95EEA77BCFB55301F4041A9FA09E7141D6309E858F65
    APIs
    • lstrlenW.KERNEL32(?,00000000,00000000,BundleUpgradeCode,?,00020006,00000000,?,?,?,00000001), ref: 00A31479
    • lstrlenW.KERNEL32(?,00000000,00000000,?,00000000,00000001,00000000,00000000,BundleUpgradeCode,?,00020006,00000000,?,?,?,00000001), ref: 00A314F1
    • lstrlenW.KERNEL32(?,?,?,?,00000001), ref: 00A314FD
    • RegSetValueExW.ADVAPI32(00020006,?,00000000,00000007,00000000,?,00000000,?,?,00000000,00000001,00000000,00000000,BundleUpgradeCode,?,00020006), ref: 00A3153D
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: lstrlen$Value
    • String ID: BundleUpgradeCode$regutil.cpp
    • API String ID: 198323757-1648651458
    • Opcode ID: 094e488d610b52bd1f18ced99d84bb5885cb6a50f00b3796076af1a1b06ddf8f
    • Instruction ID: 215ed58281b46c34a0e8b0bd3526cb508e50ec1630186b4ac6a3ada83b20c91a
    • Opcode Fuzzy Hash: 094e488d610b52bd1f18ced99d84bb5885cb6a50f00b3796076af1a1b06ddf8f
    • Instruction Fuzzy Hash: 90419672E0022AAFCF15DFA9D941AAE7BBAEF44710F114169FE05E7251D730DD118B90
    APIs
    • CloseHandle.KERNEL32(00000000,?,?,00000001,00A3B4F0,?,00000001,000000FF,?,?,75A4B390,00000000,00000001,00000000,?,00A072F3), ref: 00A0D32F
    Strings
    • Failed to create pipe name and client token., xrefs: 00A0D270
    • Failed to elevate., xrefs: 00A0D311
    • elevation.cpp, xrefs: 00A0D23A
    • Failed to create pipe and cache pipe., xrefs: 00A0D28C
    • UX aborted elevation requirement., xrefs: 00A0D244
    • Failed to connect to elevated child process., xrefs: 00A0D318
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
    • API String ID: 2962429428-3003415917
    • Opcode ID: fdfb63b48e27ba6146d7e3e1008f4ec26f8afead5145e4e6b3d456c4a5a72d64
    • Instruction ID: dc2c8375c167fd24ca8d88b60c624e24ff921b5b5cd4be6175df45104b9598f3
    • Opcode Fuzzy Hash: fdfb63b48e27ba6146d7e3e1008f4ec26f8afead5145e4e6b3d456c4a5a72d64
    • Instruction Fuzzy Hash: D6312873A4572A7BE715A6A4EC42FAFB75CEF45720F100219FB05AB1C1DB61EE0042E6
    APIs
    • EnterCriticalSection.KERNEL32(00A5B60C,00000000,?,?,?,009F5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 00A3042B
    • CreateFileW.KERNEL32(40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,00A5B604,?,009F5407,00000000,Setup), ref: 00A304CC
    • GetLastError.KERNEL32(?,009F5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 00A304DC
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,009F5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 00A30515
      • Part of subcall function 009F2DE0: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 009F2F1F
    • LeaveCriticalSection.KERNEL32(00A5B60C,?,?,00A5B604,?,009F5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 00A3056E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
    • String ID: logutil.cpp
    • API String ID: 4111229724-3545173039
    • Opcode ID: 4a5d201e485b9b3660c9c8920b475646ac3cff61fcfafb9cc592b665abe49158
    • Instruction ID: 11c6f8b86d8dd1c6c306019ae1f47d3d8dff1576668a0ed6e1842ea7f01205bb
    • Opcode Fuzzy Hash: 4a5d201e485b9b3660c9c8920b475646ac3cff61fcfafb9cc592b665abe49158
    • Instruction Fuzzy Hash: D4317471A1131DFFDB21EFA5DDA6E6A7669FB10752F008225FE00A6160D770CD509BB0
    APIs
    • CreateThread.KERNEL32(00000000,00000000,00A0AB3C,?,00000000,00000000), ref: 00A0D0B8
    • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A0D0C4
    • CloseHandle.KERNEL32(00000000,00000000,?,?,00A0C59C,00000001,?,?,?,?,?,00000000,00000000,?,?,?), ref: 00A0D145
    Strings
    • elevation.cpp, xrefs: 00A0D0E8
    • Failed to create elevated cache thread., xrefs: 00A0D0F2
    • Failed to pump messages in child process., xrefs: 00A0D11C
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseCreateErrorHandleLastThread
    • String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$elevation.cpp
    • API String ID: 747004058-4134175193
    • Opcode ID: ba51cbf233ee34060103b676abdc0b9c3e8b8c9f643640a2757ce0592a358322
    • Instruction ID: 84b28931691d57673616bef8cde3dadf4babd40df4cd2f8ae969b50a4224730e
    • Opcode Fuzzy Hash: ba51cbf233ee34060103b676abdc0b9c3e8b8c9f643640a2757ce0592a358322
    • Instruction Fuzzy Hash: E441B5B5E01219AFDB04DFA9E9819EEBBF9FF48350F10412AF908E7340D77499418BA4
    APIs
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A137B7
    Strings
    • Failed to escape string., xrefs: 00A13839
    • Failed to format property string part., xrefs: 00A13832
    • Failed to format property value., xrefs: 00A13840
    • %s%="%s", xrefs: 00A137EA
    • Failed to append property string part., xrefs: 00A1382B
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Open@16
    • String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
    • API String ID: 3613110473-515423128
    • Opcode ID: 661ffedf7f448df164f86ee0df8d1795efd951d1d0cbce3691c0e67b30919f53
    • Instruction ID: ebddae14d529cb36cf246d40eb0ed3ba4ab6bfae64defe05c239cd3d8f316d64
    • Opcode Fuzzy Hash: 661ffedf7f448df164f86ee0df8d1795efd951d1d0cbce3691c0e67b30919f53
    • Instruction Fuzzy Hash: 2D319DB6905229FFDF15AFA8CC42BEEB778AF40B10F10416AF91566241D770AF90DB90
    APIs
    • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,009F583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 009F7215
    • LeaveCriticalSection.KERNEL32(00000000,00000000,00000002,00000000,?,?,?,009F583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 009F72F4
    Strings
    • Failed to get value as string for variable: %ls, xrefs: 009F72E3
    • Failed to get unformatted string., xrefs: 009F7285
    • Failed to get variable: %ls, xrefs: 009F7256
    • *****, xrefs: 009F72B0, 009F72BD
    • Failed to format value '%ls' of variable: %ls, xrefs: 009F72BE
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
    • API String ID: 3168844106-2873099529
    • Opcode ID: 0c136bf64bcbfa8c684a0a53992d02679584188abf5be323bff94d0ab44256fc
    • Instruction ID: 4a8c93d41fe2f2d6d2e11ddce0f76d5c720ea50d557599f9959d0c819dc10b42
    • Opcode Fuzzy Hash: 0c136bf64bcbfa8c684a0a53992d02679584188abf5be323bff94d0ab44256fc
    • Instruction Fuzzy Hash: 9531BC32A0461EBBCF219A90DC01FFEBB69AF14320F204625FA2476550D775AAA09BD0
    APIs
    • InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,00000000,?,00000000,00000000,?,?,00000000,00000000,?,?,-00000004,00000000), ref: 00A08C30
    • GetLastError.KERNEL32(?,?,?,00000001), ref: 00A08C3A
    • SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 00A08C9A
    Strings
    • Failed to initialize ACL., xrefs: 00A08C68
    • cache.cpp, xrefs: 00A08C5E
    • Failed to allocate administrator SID., xrefs: 00A08C16
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AttributesErrorFileInitializeLast
    • String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
    • API String ID: 669721577-1117388985
    • Opcode ID: d3f3fd8ab376b5863d23d4ed3fe9fd08e358492952825dd7a2ee2d17877bfb47
    • Instruction ID: 3620c181e932483c9e14e4ac6b66fff9360901e4fef9f71f3cce1ab4d09057bd
    • Opcode Fuzzy Hash: d3f3fd8ab376b5863d23d4ed3fe9fd08e358492952825dd7a2ee2d17877bfb47
    • Instruction Fuzzy Hash: E621D872E41318BBEB109F99AD85F9AB7B9EB40710F114129FE04F71C0DA785E0196A4
    APIs
    • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,00A03ED4,00000001,feclient.dll,?,00000000,?,?,?,009F4A0C), ref: 009F4148
    • GetLastError.KERNEL32(?,?,00A03ED4,00000001,feclient.dll,?,00000000,?,?,?,009F4A0C,?,?,00A3B478,?,00000001), ref: 009F4154
    • GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,00A03ED4,00000001,feclient.dll,?,00000000,?,?,?,009F4A0C,?), ref: 009F418F
    • GetLastError.KERNEL32(?,?,00A03ED4,00000001,feclient.dll,?,00000000,?,?,?,009F4A0C,?,?,00A3B478,?,00000001), ref: 009F4199
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CurrentDirectoryErrorLast
    • String ID: crypt32.dll$dirutil.cpp
    • API String ID: 152501406-1104880720
    • Opcode ID: 47eafcd3783ddae9ccbcbec49c190ccd7dda538917971cbed2061d615c120eb7
    • Instruction ID: f4d462e2291133051ecb6effbf58a320500b8f040c4131a3bf8b807fc0e8fd0d
    • Opcode Fuzzy Hash: 47eafcd3783ddae9ccbcbec49c190ccd7dda538917971cbed2061d615c120eb7
    • Instruction Fuzzy Hash: 11118776B0472EABA7219AA94CC47B7B6DDDF25751B110225FF04E7210E764DC4087F0
    APIs
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 009F99B6
    • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 009F99CE
    • GetLastError.KERNEL32 ref: 009F99D9
    Strings
    • Failed to set variable., xrefs: 009F9A4E
    • Failed while searching directory search: %ls, for path: %ls, xrefs: 009F9A16
    • Failed to format variable string., xrefs: 009F99C1
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AttributesErrorFileLastOpen@16
    • String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
    • API String ID: 1811509786-402580132
    • Opcode ID: 86fde000ef186ba3d023b91270c97de33604dab6a3b0b1f33d94fce3b1a7a48d
    • Instruction ID: 25ec100d5e58ebb195481dacb99cecd7a23eb85fc4e0a97fd2ffe522bf835980
    • Opcode Fuzzy Hash: 86fde000ef186ba3d023b91270c97de33604dab6a3b0b1f33d94fce3b1a7a48d
    • Instruction Fuzzy Hash: 6F213832E5022DBBCB11AAA4DD42BBEF769EF54320F208316FE10B6190D7749E509BD0
    APIs
    Strings
    • Failed to write during cabinet extraction., xrefs: 00A10997
    • cabextract.cpp, xrefs: 00A1098D
    • Unexpected call to CabWrite()., xrefs: 00A10923
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLastWrite_memcpy_s
    • String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
    • API String ID: 1970631241-3111339858
    • Opcode ID: 9a704a48e3c9cf94b0e23015cafd36f86de6b987441df3cc02d76b0ac06db246
    • Instruction ID: bb37afc71f003ed9afb487a47030f30f585099b8a794106d47657f8cb820dce9
    • Opcode Fuzzy Hash: 9a704a48e3c9cf94b0e23015cafd36f86de6b987441df3cc02d76b0ac06db246
    • Instruction Fuzzy Hash: 60219A76640204EFEB04DFADDD84EAA77E9FF88720F114159FE08C7256D672DA408B60
    APIs
    • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00A10A25
    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A10A37
    • SetFileTime.KERNEL32(?,?,?,?), ref: 00A10A4A
    • CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00A10616,?,?), ref: 00A10A59
    Strings
    • cabextract.cpp, xrefs: 00A109F4
    • Invalid operation for this state., xrefs: 00A109FE
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Time$File$CloseDateHandleLocal
    • String ID: Invalid operation for this state.$cabextract.cpp
    • API String ID: 609741386-1751360545
    • Opcode ID: b21603fce19df0af84ee95dd7b895931f9b631dca59e0233f5152ab16b82f462
    • Instruction ID: 6139bb35a2473c21437241b0f7962241864d0c1277facc372ca892308cb6295f
    • Opcode Fuzzy Hash: b21603fce19df0af84ee95dd7b895931f9b631dca59e0233f5152ab16b82f462
    • Instruction Fuzzy Hash: F021907281021ABB8710DFA8DD48CEABBBDFE04760B14421AF915D75D0D7B4DA92CBE0
    APIs
      • Part of subcall function 009F38D4: GetProcessHeap.KERNEL32(?,000001C7,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38E5
      • Part of subcall function 009F38D4: RtlAllocateHeap.NTDLL(00000000,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38EC
    • _memcpy_s.LIBCMT ref: 00A0449E
    • _memcpy_s.LIBCMT ref: 00A044B1
    • _memcpy_s.LIBCMT ref: 00A044CC
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: _memcpy_s$Heap$AllocateProcess
    • String ID: Failed to allocate memory for message.$feclient.dll$pipe.cpp
    • API String ID: 886498622-766083570
    • Opcode ID: 687d01e503eeb13e736a670722654778c915865afffe0e1d7282a314cbfe9971
    • Instruction ID: 2877f364f681c1c2aff463f788996113c6550888a9d24c646bf01e44e959c8e7
    • Opcode Fuzzy Hash: 687d01e503eeb13e736a670722654778c915865afffe0e1d7282a314cbfe9971
    • Instruction Fuzzy Hash: A9113DB660031DABDB019E90DC86EEBB7ADEF48714B00452ABA119B141E7759A54C7E0
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID:
    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
    • API String ID: 0-1718035505
    • Opcode ID: bc043f9b29244a24d091d8ff11a20dbceccd0d3b361dac6896bfa7e5b6c8e227
    • Instruction ID: 3aa53e7345bfe8dc662175fa09cdcc8b88d91dcb7a4a6a3f35ed58f80774ed3c
    • Opcode Fuzzy Hash: bc043f9b29244a24d091d8ff11a20dbceccd0d3b361dac6896bfa7e5b6c8e227
    • Instruction Fuzzy Hash: B201F4723933225B4F729FB55C805A723D9BA46713B00453AF911C3280E7A1C8CEDBB0
    APIs
    • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,009F5D8F,00000000), ref: 00A309CF
    • GetProcAddress.KERNEL32(00000000), ref: 00A309D6
    • GetLastError.KERNEL32(?,?,?,009F5D8F,00000000), ref: 00A309ED
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AddressErrorHandleLastModuleProc
    • String ID: IsWow64Process$kernel32$procutil.cpp
    • API String ID: 4275029093-1586155540
    • Opcode ID: 4ca90ea37bc8ab9ff72995925c909cb2ebc0319f14163f910c087ea2de83d4bb
    • Instruction ID: 8d00e98f4ae64f85099e551c23763bc0f9bb38efaed09656ee7693b6d2e1d466
    • Opcode Fuzzy Hash: 4ca90ea37bc8ab9ff72995925c909cb2ebc0319f14163f910c087ea2de83d4bb
    • Instruction Fuzzy Hash: 04F04471A10729BB97249FA5AC05A6B7AA9FF15791F004115BD05EB240D7748D0197F0
    APIs
    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00A23382,00A23382,?,?,?,00A2A2AA,00000001,00000001,E3E85006), ref: 00A2A0B3
    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A2A2AA,00000001,00000001,E3E85006,?,?,?), ref: 00A2A139
    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,E3E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A2A233
    • __freea.LIBCMT ref: 00A2A240
      • Part of subcall function 00A25154: HeapAlloc.KERNEL32(00000000,?,?,?,00A21E90,?,0000015D,?,?,?,?,00A232E9,000000FF,00000000,?,?), ref: 00A25186
    • __freea.LIBCMT ref: 00A2A249
    • __freea.LIBCMT ref: 00A2A26E
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ByteCharMultiWide__freea$AllocHeap
    • String ID:
    • API String ID: 3147120248-0
    • Opcode ID: 6b6721ef34bcc83174d58ddfc516b9f8b00b071272d3867784aad97f4fb15309
    • Instruction ID: ba6674714b3ff000dce044af08ecbdfb1a334fccec62ed76f491117bcba26736
    • Opcode Fuzzy Hash: 6b6721ef34bcc83174d58ddfc516b9f8b00b071272d3867784aad97f4fb15309
    • Instruction Fuzzy Hash: 2451F172600226AFDB258F68EC82EFB77AAEB64750F144239FC04D6150EB35DC90C762
    APIs
    • EnterCriticalSection.KERNEL32(?), ref: 00A0F6D0
    • LeaveCriticalSection.KERNEL32(?,?), ref: 00A0F81D
    Strings
    • update\%ls, xrefs: 00A0F72E
    • Failed to default local update source, xrefs: 00A0F742
    • Failed to recreate command-line for update bundle., xrefs: 00A0F79C
    • Failed to set update bundle., xrefs: 00A0F7F3
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
    • API String ID: 3168844106-1266646976
    • Opcode ID: 3c59d7a1cca642ec67c6e5cd4f682b2ae01dc67f7b59a95e003b48a89024c2a8
    • Instruction ID: 4393cc90ba14e771e974d59d5daf4d19ec4655498b7e7ac1791d2dc75c94df8b
    • Opcode Fuzzy Hash: 3c59d7a1cca642ec67c6e5cd4f682b2ae01dc67f7b59a95e003b48a89024c2a8
    • Instruction Fuzzy Hash: 2D41A93194020AFFDF268FA4EC46EAA77B8FF04310F018275F909A75A1D771AC609B91
    APIs
    • Sleep.KERNEL32(000007D0,00000000,00000000), ref: 00A08B0F
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Sleep
    • String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
    • API String ID: 3472027048-398165853
    • Opcode ID: 70efd2fbe3ce91ce81e04d51f9f9ec8c0c205e1024418d89f3888dfa94416222
    • Instruction ID: b76e451a25c4acf591886637a0069ae448f4f583130e3f9a3e0c4c3c664fd5d6
    • Opcode Fuzzy Hash: 70efd2fbe3ce91ce81e04d51f9f9ec8c0c205e1024418d89f3888dfa94416222
    • Instruction Fuzzy Hash: 1A3124B2A0022DBBEB11AB64DD42F7FB66DDF42750F110029FE05EA181DA789D0052A5
    APIs
    • DefWindowProcW.USER32(?,00000082,?,?), ref: 00A0E734
    • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00A0E743
    • SetWindowLongW.USER32(?,000000EB,?), ref: 00A0E757
    • DefWindowProcW.USER32(?,?,?,?), ref: 00A0E767
    • GetWindowLongW.USER32(?,000000EB), ref: 00A0E781
    • PostQuitMessage.USER32(00000000), ref: 00A0E7DE
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Window$Long$Proc$MessagePostQuit
    • String ID:
    • API String ID: 3812958022-0
    • Opcode ID: 0fb27050699df9ed86cb89d8233dffdc19855fe9efbbdb4cc5c1ae8ca9764687
    • Instruction ID: e82cef1e8cd58de7338ee612bf49adee73ab5e23ebe93489c7bdad0625e9ec25
    • Opcode Fuzzy Hash: 0fb27050699df9ed86cb89d8233dffdc19855fe9efbbdb4cc5c1ae8ca9764687
    • Instruction Fuzzy Hash: F521713611422CBFDF11DFA4ED49E6A7BAAEF49350F144514FA06EA1A0C731DD11EB60
    APIs
    Strings
    • elevation.cpp, xrefs: 00A0C788
    • Unexpected elevated message sent to child process, msg: %u, xrefs: 00A0C794
    • Failed to save state., xrefs: 00A0C661
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseHandleMutexRelease
    • String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
    • API String ID: 4207627910-1576875097
    • Opcode ID: 9bdb71ca8122651e8de7327c38afbc9db511ac4f9f340d55a906425047c35b88
    • Instruction ID: 0346805a2d88cef3bd4e72dd3ff1411118c7c734adf80957a128a60e5df341f6
    • Opcode Fuzzy Hash: 9bdb71ca8122651e8de7327c38afbc9db511ac4f9f340d55a906425047c35b88
    • Instruction Fuzzy Hash: 7861EA3A100518FFCB129F94DE81C5ABBB2FF09320711C658FA695A572C732E921EF40
    APIs
    • RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 00A310ED
    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,00A06EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 00A31126
    • lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 00A3121A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: QueryValue$lstrlen
    • String ID: BundleUpgradeCode$regutil.cpp
    • API String ID: 3790715954-1648651458
    • Opcode ID: 8f5d5695427d96e5dbb6dc3b9f64d3565c6dbf4c58d4f63a1ad2ea2b97915967
    • Instruction ID: c200fb462a2dde393e368e4cc8300dcb25f18504e0eab9bd7da541f7e6c42ddd
    • Opcode Fuzzy Hash: 8f5d5695427d96e5dbb6dc3b9f64d3565c6dbf4c58d4f63a1ad2ea2b97915967
    • Instruction Fuzzy Hash: 59416C31A0021AAFDB26DFA9C885AEFB7B9EB48710F514579FD15EB210D630DD018BA0
    APIs
      • Part of subcall function 00A347D3: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00A08564,00000000,00000000,00000000,00000000,00000000), ref: 00A347EB
      • Part of subcall function 00A347D3: GetLastError.KERNEL32(?,?,?,00A08564,00000000,00000000,00000000,00000000,00000000), ref: 00A347F5
    • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00A35AC5,?,?,?,?,?,?,?,00010000,?), ref: 00A36263
    • WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,00A35AC5,?,?,?,?), ref: 00A362B5
    • GetLastError.KERNEL32(?,00A35AC5,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 00A362FB
    • GetLastError.KERNEL32(?,00A35AC5,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 00A36321
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLast$Write$Pointer
    • String ID: dlutil.cpp
    • API String ID: 133221148-2067379296
    • Opcode ID: 7dafcadcb579fb994512dc1b8b6fbfc874d8721bb663a3fb14346da2151c0efa
    • Instruction ID: d2ac1b627955e1ffe0ec33a790c21dc0b48ddc0586d4369b4784a0bae3de15ef
    • Opcode Fuzzy Hash: 7dafcadcb579fb994512dc1b8b6fbfc874d8721bb663a3fb14346da2151c0efa
    • Instruction Fuzzy Hash: BE414D72A10219BFEB118F98CD45BEBBBA9FF04351F158225BE04E6090D775DD60DBA0
    APIs
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00A2FEE7,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00A2FEE7,?,00000000,00000000), ref: 009F247C
    • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00A2FEE7,?,00000000,00000000,0000FDE9), ref: 009F2488
      • Part of subcall function 009F3B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,009F21DC,000001C7,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F3B59
      • Part of subcall function 009F3B51: HeapSize.KERNEL32(00000000,?,009F21DC,000001C7,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F3B60
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
    • String ID: strutil.cpp
    • API String ID: 3662877508-3612885251
    • Opcode ID: 13fc3a11e2ba92941091d6e840443e6fbd1e808f70287d0158b265389193934e
    • Instruction ID: e0e885b65ec1c8840bdf093c72bdb0ccc14e2223dbfd90b532e8a6a341b9b868
    • Opcode Fuzzy Hash: 13fc3a11e2ba92941091d6e840443e6fbd1e808f70287d0158b265389193934e
    • Instruction Fuzzy Hash: 3831A27120021DAFEB10DF698CD4B7A76DEEB84768B108629FB15DB1A0EBA5CC409770
    Strings
    • Failed to extract all payloads from container: %ls, xrefs: 00A1AB9C
    • Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 00A1ABEF
    • Failed to extract payload: %ls from container: %ls, xrefs: 00A1ABE3
    • Failed to open container: %ls., xrefs: 00A1AB2A
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CreateErrorFileLast
    • String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
    • API String ID: 1214770103-3891707333
    • Opcode ID: 6180b23de81262c5948707968c204f697f04711ff0acd4b8f59bdceeab84678d
    • Instruction ID: 017c0298dcfb7dacb7d0c9e2c210f7e7f9ca258c24ef212fb34fe10cec38646a
    • Opcode Fuzzy Hash: 6180b23de81262c5948707968c204f697f04711ff0acd4b8f59bdceeab84678d
    • Instruction Fuzzy Hash: 8D312432C09169BBCF119AE4CD82EDE777AAF14310F204625FE11A6190D730DD91DBA1
    APIs
    • MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,00A34203,00000003,00000001,00000001,000007D0,00000003,00000000,?,00A09E5F,00000000), ref: 00A340ED
    • GetLastError.KERNEL32(00000001,?,00A34203,00000003,00000001,00000001,000007D0,00000003,00000000,?,00A09E5F,00000000,000007D0,00000001,00000001,00000003), ref: 00A340FC
    • MoveFileExW.KERNEL32(00000003,00000001,000007D0,00000001,00000000,?,00A34203,00000003,00000001,00000001,000007D0,00000003,00000000,?,00A09E5F,00000000), ref: 00A3417F
    • GetLastError.KERNEL32(?,00A34203,00000003,00000001,00000001,000007D0,00000003,00000000,?,00A09E5F,00000000,000007D0,00000001,00000001,00000003,000007D0), ref: 00A34189
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLastMove
    • String ID: fileutil.cpp
    • API String ID: 55378915-2967768451
    • Opcode ID: ca3598c8a97f056b3d06e8a57067927d194f07d06b87417de04653f96b18d1de
    • Instruction ID: dbda341e6c5e1cfe4f16c93cfe0cbaa0917a5d125ce36b66371af025f402782f
    • Opcode Fuzzy Hash: ca3598c8a97f056b3d06e8a57067927d194f07d06b87417de04653f96b18d1de
    • Instruction Fuzzy Hash: 0A212636600B36ABDB205F689C4177F7695EFA97A1F020326FD0997150D7709CC183E0
    APIs
      • Part of subcall function 00A34315: FindFirstFileW.KERNEL32(00A18FFA,?,000002C0,00000000,00000000), ref: 00A34350
      • Part of subcall function 00A34315: FindClose.KERNEL32(00000000), ref: 00A3435C
    • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll), ref: 00A34305
      • Part of subcall function 00A30E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00A35699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00A30E52
      • Part of subcall function 00A310C5: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 00A310ED
      • Part of subcall function 00A310C5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,00A06EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 00A31126
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseFindQueryValue$FileFirstOpen
    • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
    • API String ID: 3397690329-3978359083
    • Opcode ID: f1fe669f1478b086cc035378b45fa9417185acc229c0b6ea36ed4e9fcbb54c22
    • Instruction ID: 4f706f7730ee30b1e98cf5bc781d295c8c8744a34ea98e5594825bc876599953
    • Opcode Fuzzy Hash: f1fe669f1478b086cc035378b45fa9417185acc229c0b6ea36ed4e9fcbb54c22
    • Instruction Fuzzy Hash: 23317C35A00219ABDF21AFD5CC41AEFBBB9FF08750F55816AF904BB151D731AA80CB54
    APIs
    • CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,00A004CB,00000001,00000001,00000001,00A004CB,00000000), ref: 009FEF70
    • RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,00A004CB,00000001,00000001,00000001,00A004CB,00000000,00000001,00000002,00A004CB,00000001), ref: 009FEF87
    Strings
    • PackageVersion, xrefs: 009FEF51
    • Failed to format key for update registration., xrefs: 009FEF26
    • Failed to remove update registration key: %ls, xrefs: 009FEFB4
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseCompareString
    • String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
    • API String ID: 446873843-3222553582
    • Opcode ID: 88a5887fcbd74b8cb0bf5a1292ac753b630a7496e516fa46e2020b77ed1ff966
    • Instruction ID: e74572f3688cd590820195f73426849dd239bea94f0b0c08563fe694e63dde30
    • Opcode Fuzzy Hash: 88a5887fcbd74b8cb0bf5a1292ac753b630a7496e516fa46e2020b77ed1ff966
    • Instruction Fuzzy Hash: 76219132E0421CBFDB21ABA9CD45EAFBBBDEF40711F214169FA15A61A0D7319E408790
    APIs
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 009FEE4A
      • Part of subcall function 00A34038: SetFileAttributesW.KERNEL32(00A18FFA,00000080,00000000,00A18FFA,000000FF,00000000,?,?,00A18FFA), ref: 00A34067
      • Part of subcall function 00A34038: GetLastError.KERNEL32(?,?,00A18FFA), ref: 00A34071
      • Part of subcall function 009F3B6A: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,009FEE95,00000001,00000000,00000095,00000001,00A004DA,00000095,00000000,swidtag,00000001), ref: 009F3B87
    Strings
    • Failed to allocate regid folder path., xrefs: 009FEEB0
    • Failed to allocate regid file path., xrefs: 009FEEA9
    • swidtag, xrefs: 009FEE59
    • Failed to format tag folder path., xrefs: 009FEEB7
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AttributesDirectoryErrorFileLastOpen@16Remove
    • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
    • API String ID: 1428973842-4170906717
    • Opcode ID: 6fcf389e8af6f0ebd9e0849427a01c9c668894cc32e1a92c862ff5e71f71e7b7
    • Instruction ID: 9d47b38a6c137c412c697b9e4f40226a83973508953d14487fb496e6c37e1c34
    • Opcode Fuzzy Hash: 6fcf389e8af6f0ebd9e0849427a01c9c668894cc32e1a92c862ff5e71f71e7b7
    • Instruction Fuzzy Hash: 59218932D0061CFFCB15EB99DC41AAEBBB9EF84710F10C0AAF614A61B1D7319E909B50
    APIs
      • Part of subcall function 00A30E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00A35699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00A30E52
    • CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 00A18BF7
    • RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,009FF66B,00000001,00000100,000001B4,00000000), ref: 00A18C45
    Strings
    • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00A18B94
    • Failed to open uninstall registry key., xrefs: 00A18BBA
    • Failed to enumerate uninstall key for related bundles., xrefs: 00A18C56
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseCompareOpenString
    • String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    • API String ID: 2817536665-2531018330
    • Opcode ID: 328353207e8a386abafa7ae9247a3fb25e66b88cb451efa2da135604e4f52396
    • Instruction ID: 1a6efac50f771a904ec54a0f036220da49470101067b551addbd22463d4950ca
    • Opcode Fuzzy Hash: 328353207e8a386abafa7ae9247a3fb25e66b88cb451efa2da135604e4f52396
    • Instruction Fuzzy Hash: 8921A336905118FFDF15ABE4CD46FEEBA79EB00761F244664F91066090CB794ED0D6A0
    APIs
    • CopyFileW.KERNEL32(00000000,009F4CB6,00000000,?,?,00000000,?,00A34012,00000000,009F4CB6,00000000,00000000,?,00A083E2,?,?), ref: 00A33F1E
    • GetLastError.KERNEL32(?,00A34012,00000000,009F4CB6,00000000,00000000,?,00A083E2,?,?,00000001,00000003,000007D0,?,?,?), ref: 00A33F2C
    • CopyFileW.KERNEL32(00000000,009F4CB6,00000000,009F4CB6,00000000,?,00A34012,00000000,009F4CB6,00000000,00000000,?,00A083E2,?,?,00000001), ref: 00A33F92
    • GetLastError.KERNEL32(?,00A34012,00000000,009F4CB6,00000000,00000000,?,00A083E2,?,?,00000001,00000003,000007D0,?,?,?), ref: 00A33F9C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CopyErrorFileLast
    • String ID: fileutil.cpp
    • API String ID: 374144340-2967768451
    • Opcode ID: 5e558584eb4ada9017dcd06f17b4be82e9d8b09fdbd8ddb79484843da38b369a
    • Instruction ID: d36c26f155d8b01cec88a6d993ee1d423ad2f60863cf99386f1795a42369a25e
    • Opcode Fuzzy Hash: 5e558584eb4ada9017dcd06f17b4be82e9d8b09fdbd8ddb79484843da38b369a
    • Instruction Fuzzy Hash: EA21A437E48726AAEF205FA58C4477BA6B9EF40BA0F964126FD05DF150DB20CE0182E1
    APIs
      • Part of subcall function 009F38D4: GetProcessHeap.KERNEL32(?,000001C7,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38E5
      • Part of subcall function 009F38D4: RtlAllocateHeap.NTDLL(00000000,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38EC
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A1D0DC
    • ReleaseMutex.KERNEL32(?), ref: 00A1D10A
    • SetEvent.KERNEL32(?), ref: 00A1D113
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
    • String ID: Failed to allocate buffer.$NetFxChainer.cpp
    • API String ID: 944053411-3611226795
    • Opcode ID: 21dce0e5d45e21a902c3bb4b609793375221b8b3193f98dac9410ed1c0df3b0c
    • Instruction ID: b743e7051e13a82d1af1f12f5b90cee078267979a4fe4e9af567db6cd125f4f3
    • Opcode Fuzzy Hash: 21dce0e5d45e21a902c3bb4b609793375221b8b3193f98dac9410ed1c0df3b0c
    • Instruction Fuzzy Hash: 9821A3B4600309BFDB109F68DC44AA9B7F5FF48314F108629FA2597251C775A991CB50
    APIs
    • CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,00000007,009F648B,009F648B,?,009F554A,?,?,00000000), ref: 009F55F2
    • GetLastError.KERNEL32(?,009F554A,?,?,00000000,?,00000000,009F648B,?,009F7DDC,?,?,?,?,?), ref: 009F5621
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmpDownload File
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmpDownload File
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmpDownload File
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CompareErrorLastString
    • String ID: Failed to compare strings.$variable.cpp$version.dll
    • API String ID: 1733990998-4228644734
    • Opcode ID: c292e2a257e7afaa7201e54b886a93f2530eaf10c093989040f2b08cef5d9b33
    • Instruction ID: 604b085e6df5c61dffe5a86bc3ea4c0e44b5229f06024d41cd8d536aa6bee2b0
    • Opcode Fuzzy Hash: c292e2a257e7afaa7201e54b886a93f2530eaf10c093989040f2b08cef5d9b33
    • Instruction Fuzzy Hash: C421F932614618AFC7148FA8DD44A79B7A8FF49760F620319FB25EB290DA31DD018790
    APIs
    • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,00A168CE,00000000,?), ref: 00A357D5
    • GetLastError.KERNEL32(?,?,00A168CE,00000000,?,?,?,?,?,?,?,?,?,00A16CE1,?,?), ref: 00A357E3
      • Part of subcall function 009F38D4: GetProcessHeap.KERNEL32(?,000001C7,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38E5
      • Part of subcall function 009F38D4: RtlAllocateHeap.NTDLL(00000000,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38EC
    • QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,00A168CE,00000000,?), ref: 00A3581D
    • GetLastError.KERNEL32(?,?,00A168CE,00000000,?,?,?,?,?,?,?,?,?,00A16CE1,?,?), ref: 00A35827
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ConfigErrorHeapLastQueryService$AllocateProcess
    • String ID: svcutil.cpp
    • API String ID: 355237494-1746323212
    • Opcode ID: 738d4eb632a30b00b1dc668e10f91bc00b3e9e13b96e5bdaf71c3b8bba073b1c
    • Instruction ID: 0951f2f242c775e9d16ecc0a69ee70113acfb1f9571e9b1cbb826565841f82d3
    • Opcode Fuzzy Hash: 738d4eb632a30b00b1dc668e10f91bc00b3e9e13b96e5bdaf71c3b8bba073b1c
    • Instruction Fuzzy Hash: B421D536E40628BBE7209BAA8D04BABBAADEF45790F114115FE04EB110D675CE01A7F0
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: _memcpy_s
    • String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
    • API String ID: 2001391462-1605196437
    • Opcode ID: 8df4fa179eb708f774e173d2c7cbd3ec308502d0dec91e641aae6d579ac5ed64
    • Instruction ID: 05e99515f770e08ce45749e79c29c69afa3682c71d90346416cfa9611ad8859a
    • Opcode Fuzzy Hash: 8df4fa179eb708f774e173d2c7cbd3ec308502d0dec91e641aae6d579ac5ed64
    • Instruction Fuzzy Hash: F311E732290328BBDB113D6CEC86FBB7E59EB45720F044565FF046E1A2C6A6C91083E1
    APIs
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 009F9D25
    Strings
    • Failed to format path string., xrefs: 009F9D30
    • Failed get file version., xrefs: 009F9D65
    • Failed to set variable., xrefs: 009F9D84
    • File search: %ls, did not find path: %ls, xrefs: 009F9D90
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Open@16
    • String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
    • API String ID: 3613110473-2458530209
    • Opcode ID: f390bdc605d41b2f4f6c6adb7c5b668408c2aef53ce22f97e699e45fbd827ed2
    • Instruction ID: c3a02c0a7fda7c80b2717bcb37d690365a9a81f07c1d32e09f6b2486c36d6890
    • Opcode Fuzzy Hash: f390bdc605d41b2f4f6c6adb7c5b668408c2aef53ce22f97e699e45fbd827ed2
    • Instruction Fuzzy Hash: E7118132D0012DBACB126E948D82EBEFB6DEF04350F204565FA0466251D6365E2097D1
    APIs
    • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00A051A4), ref: 00A048CC
    Strings
    • Failed to write message type to pipe., xrefs: 00A0490E
    • pipe.cpp, xrefs: 00A04904
    • Failed to allocate message to write., xrefs: 00A048AB
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: FileWrite
    • String ID: Failed to allocate message to write.$Failed to write message type to pipe.$pipe.cpp
    • API String ID: 3934441357-1996674626
    • Opcode ID: 0cdf98a75e7af415ef5261769ff74ba395b5176217d989445d00b1322a1ca775
    • Instruction ID: 1a7c46c68297359c3b3f689bead85d0942a27a745a3c38c4bfef87ba6edbf19b
    • Opcode Fuzzy Hash: 0cdf98a75e7af415ef5261769ff74ba395b5176217d989445d00b1322a1ca775
    • Instruction Fuzzy Hash: 1E11ACB2A0021CBFDB11DFA5ED05BAFBBB9FB88340F114166FE00A2190D7709E50D6A0
    APIs
      • Part of subcall function 009F38D4: GetProcessHeap.KERNEL32(?,000001C7,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38E5
      • Part of subcall function 009F38D4: RtlAllocateHeap.NTDLL(00000000,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38EC
    • CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,00A08C10,0000001A,00000000,?,00000000,00000000), ref: 00A0804C
    • GetLastError.KERNEL32(?,?,00A08C10,0000001A,00000000,?,00000000,00000000,?,?,00000000,00000000,?,?,-00000004,00000000), ref: 00A08056
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Heap$AllocateCreateErrorKnownLastProcessWell
    • String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
    • API String ID: 2186923214-2110050797
    • Opcode ID: 86ac21dbed885593ea5f82395be8267f5e24b78ca7f07837d658c68467d44a2f
    • Instruction ID: 6a0f35ae8b72adfbf99e3c6cc82f9c5bdaa97da7357ff6bfadeb1b16ce40515e
    • Opcode Fuzzy Hash: 86ac21dbed885593ea5f82395be8267f5e24b78ca7f07837d658c68467d44a2f
    • Instruction Fuzzy Hash: 3D016F766503287BE720AE656C06F6B6A9DDF81B60F114016FE04EB180EEA98D0142F5
    APIs
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 00A1DB95
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A1DBBF
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00A1DD8F,00000000,?,?,?,00000001,00000000), ref: 00A1DBC7
    Strings
    • Failed while waiting for download., xrefs: 00A1DBF5
    • bitsengine.cpp, xrefs: 00A1DBEB
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLastMessageMultipleObjectsPeekWait
    • String ID: Failed while waiting for download.$bitsengine.cpp
    • API String ID: 435350009-228655868
    • Opcode ID: 31fb3c7325f235a808d7dcda6d2e72d714d50aa4a7cf71be8d3a181823886b37
    • Instruction ID: 7338e0d1edaabb0de428569fbcc6c053224e3d8d6c048b60fce9caeaa7649fe6
    • Opcode Fuzzy Hash: 31fb3c7325f235a808d7dcda6d2e72d714d50aa4a7cf71be8d3a181823886b37
    • Instruction Fuzzy Hash: 84110833B493397BEB109AB99D89EEBBBADEF09760F010125FE05E6180D6749D4085F4
    APIs
    • ShellExecuteExW.SHELL32(?), ref: 00A33B98
    • GetLastError.KERNEL32(?,?,00000000), ref: 00A33BA2
    • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00A33BD5
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseErrorExecuteHandleLastShell
    • String ID: <$shelutil.cpp
    • API String ID: 3023784893-3991740012
    • Opcode ID: 77d47985195b7381bbfed116142ca89f19579f3a2494c8106d50a7e4421dc6d8
    • Instruction ID: 71f87d6801cbee9bd2b19bd3bfb35dcfa1063809d111226d4c9a15d78f363948
    • Opcode Fuzzy Hash: 77d47985195b7381bbfed116142ca89f19579f3a2494c8106d50a7e4421dc6d8
    • Instruction Fuzzy Hash: F911E7B5E01218AFDB10DFA9D944ADEBBF8AF08351F00412AFD09E7350E7349A008BA4
    APIs
    • GetComputerNameW.KERNEL32(?,00000010), ref: 009F5E39
    • GetLastError.KERNEL32 ref: 009F5E43
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ComputerErrorLastName
    • String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
    • API String ID: 3560734967-484636765
    • Opcode ID: ef17dce6689e643e6334477616118f276bf704e1f9ca6b21054d534e1cfe1ced
    • Instruction ID: c11f94ce18064bfcb1a3781133c24657e256773a19d36a2fc4290804ee2de6ed
    • Opcode Fuzzy Hash: ef17dce6689e643e6334477616118f276bf704e1f9ca6b21054d534e1cfe1ced
    • Instruction Fuzzy Hash: 6C01A532A4072CBBD710EAA5AD05AEF77E8EB08720F010516FE05F7180DA749E0587E5
    APIs
    • SysFreeString.OLEAUT32(00000000), ref: 009F997F
    Strings
    • Condition, xrefs: 009F991A
    • Failed to select condition node., xrefs: 009F9936
    • Failed to get Condition inner text., xrefs: 009F994F
    • Failed to copy condition string from BSTR, xrefs: 009F9969
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: FreeString
    • String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.
    • API String ID: 3341692771-3600577998
    • Opcode ID: 6aec9d80609f533e3efcb82981480b663a71a35a949e55fb00ea8b7a81e3114c
    • Instruction ID: 0ad9f00b0b37ba81e1799c23027812edee6e0464cd224c2c42a778ca19a3b043
    • Opcode Fuzzy Hash: 6aec9d80609f533e3efcb82981480b663a71a35a949e55fb00ea8b7a81e3114c
    • Instruction Fuzzy Hash: 59118E32D5422CFBDB169BA0DD06FBDBB68AB00761F124558FA00BA150DBB59E90DB80
    APIs
    • GetCurrentProcess.KERNEL32(?), ref: 009F5D83
      • Part of subcall function 00A309BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,009F5D8F,00000000), ref: 00A309CF
      • Part of subcall function 00A309BB: GetProcAddress.KERNEL32(00000000), ref: 00A309D6
      • Part of subcall function 00A309BB: GetLastError.KERNEL32(?,?,?,009F5D8F,00000000), ref: 00A309ED
      • Part of subcall function 00A33BF7: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00A33C24
    Strings
    • Failed to get 64-bit folder., xrefs: 009F5DCD
    • Failed to set variant value., xrefs: 009F5DE7
    • variable.cpp, xrefs: 009F5DAD
    • Failed to get shell folder., xrefs: 009F5DB7
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
    • String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
    • API String ID: 2084161155-3906113122
    • Opcode ID: 0953dbe4ebc7a4eb70968f5869dd4ab80f3a9f613258d37a1eb839c8ce0cabdd
    • Instruction ID: c0aa96aa9e06c7652c71508d3eb4e2ba5a085e303fb16785cc80d420a4669f76
    • Opcode Fuzzy Hash: 0953dbe4ebc7a4eb70968f5869dd4ab80f3a9f613258d37a1eb839c8ce0cabdd
    • Instruction Fuzzy Hash: 1601C431941B2CB7DF12A794CD0AFEE7A6DAB00760F124155FB00BA191CBB49E4097D0
    APIs
    • GetTempPathW.KERNEL32(00000104,?), ref: 009F667D
    • GetLastError.KERNEL32 ref: 009F6687
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLastPathTemp
    • String ID: Failed to get temp path.$Failed to set variant value.$variable.cpp
    • API String ID: 1238063741-2915113195
    • Opcode ID: 9d0fb3ff2bf7f710e4cc6d7eda454d567728b6364186851146e1a552b4506838
    • Instruction ID: f4a5e17e2f45902ecf58fd82349c6a54db44d8e33cad5d2dac8a524c93aedc9b
    • Opcode Fuzzy Hash: 9d0fb3ff2bf7f710e4cc6d7eda454d567728b6364186851146e1a552b4506838
    • Instruction Fuzzy Hash: EC01D672F4133CBBE710EBA46D06FAA7398AB00710F000265FE04F7181EA64AE4587E5
    APIs
      • Part of subcall function 00A34315: FindFirstFileW.KERNEL32(00A18FFA,?,000002C0,00000000,00000000), ref: 00A34350
      • Part of subcall function 00A34315: FindClose.KERNEL32(00000000), ref: 00A3435C
    • SetFileAttributesW.KERNEL32(00A18FFA,00000080,00000000,00A18FFA,000000FF,00000000,?,?,00A18FFA), ref: 00A34067
    • GetLastError.KERNEL32(?,?,00A18FFA), ref: 00A34071
    • DeleteFileW.KERNEL32(00A18FFA,00000000,00A18FFA,000000FF,00000000,?,?,00A18FFA), ref: 00A34090
    • GetLastError.KERNEL32(?,?,00A18FFA), ref: 00A3409A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
    • String ID: fileutil.cpp
    • API String ID: 3967264933-2967768451
    • Opcode ID: 499696d294fab01ea077bec1dd7e0d90de551c1a3d6ccbdffea1db17091bde1d
    • Instruction ID: b12e4d9f8a6f8fdd6b2be836593ebb97d992b3056b73fa5315c5aa856ef4fdb1
    • Opcode Fuzzy Hash: 499696d294fab01ea077bec1dd7e0d90de551c1a3d6ccbdffea1db17091bde1d
    • Instruction Fuzzy Hash: 4E01DE32B00725A7D725ABA98D08B5B7AD8AF0A7A0F004311FE05E6090D724EE0095E1
    APIs
    • EnterCriticalSection.KERNEL32(?), ref: 00A1D7E1
    • LeaveCriticalSection.KERNEL32(?), ref: 00A1D826
    • SetEvent.KERNEL32(?,?,?,?), ref: 00A1D83A
    Strings
    • Failure while sending progress during BITS job modification., xrefs: 00A1D815
    • Failed to get state during job modification., xrefs: 00A1D7FA
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalSection$EnterEventLeave
    • String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
    • API String ID: 3094578987-1258544340
    • Opcode ID: 8bc73e95ed86ff34b2f8759c38cbce31a92c7b95954e4c440e12b126d99385b3
    • Instruction ID: 211cd5df97048e808977270b2227393caae6904bd9c952cca8d308b143995385
    • Opcode Fuzzy Hash: 8bc73e95ed86ff34b2f8759c38cbce31a92c7b95954e4c440e12b126d99385b3
    • Instruction Fuzzy Hash: 00019E72A00625FBCB01DB55D889EAABBACFF08331B004219F908D7600D770ED45CBE4
    APIs
    • EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,00A1DBB5), ref: 00A1DA59
    • LeaveCriticalSection.KERNEL32(00000008,?,00A1DBB5), ref: 00A1DA9E
    • SetEvent.KERNEL32(?,?,00A1DBB5), ref: 00A1DAB2
    Strings
    • Failure while sending progress., xrefs: 00A1DA8D
    • Failed to get BITS job state., xrefs: 00A1DA72
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalSection$EnterEventLeave
    • String ID: Failed to get BITS job state.$Failure while sending progress.
    • API String ID: 3094578987-2876445054
    • Opcode ID: a87e6127ea91271251003bee790d3be97b8fefa46250fc6055a527d61c11f4b0
    • Instruction ID: 2734f04716dd9d7aa8c892bbe86ad61c1652b57c12d3bd874498917dc9b2de7e
    • Opcode Fuzzy Hash: a87e6127ea91271251003bee790d3be97b8fefa46250fc6055a527d61c11f4b0
    • Instruction Fuzzy Hash: 3901F172A04625BFCB05DB99D849DAABBA8FF04362B000216F90997610DB30ED4487E4
    APIs
    • InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,00A1DD19,?,?,?,?,?,00000001,00000000,?), ref: 00A1D5C9
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00A1DD19,?,?,?,?,?,00000001,00000000,?), ref: 00A1D5D4
    • GetLastError.KERNEL32(?,00A1DD19,?,?,?,?,?,00000001,00000000,?), ref: 00A1D5E1
    Strings
    • Failed to create BITS job complete event., xrefs: 00A1D60F
    • bitsengine.cpp, xrefs: 00A1D605
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CreateCriticalErrorEventInitializeLastSection
    • String ID: Failed to create BITS job complete event.$bitsengine.cpp
    • API String ID: 3069647169-3441864216
    • Opcode ID: 4befae7de6d4a2bc46ededad4e01ede4b7c919adc8f0eb6154162fb2427d9de3
    • Instruction ID: 38b8c1c2db6a1a0d171fd869c97c34c71f255036b36957df552e5777f6190bf7
    • Opcode Fuzzy Hash: 4befae7de6d4a2bc46ededad4e01ede4b7c919adc8f0eb6154162fb2427d9de3
    • Instruction Fuzzy Hash: 2C015A72611726BBD310AB6ADC05A87BAE8FF49761B004226FD08D7A40E7B098518BE4
    APIs
    • EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00A06E4B,000000B8,00000000,?,00000000,75A4B390), ref: 009FD3AC
    • InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 009FD3BB
    • LeaveCriticalSection.KERNEL32(000000D0,?,00A06E4B,000000B8,00000000,?,00000000,75A4B390), ref: 009FD3D0
    Strings
    • Engine active cannot be changed because it was already in that state., xrefs: 009FD3F3
    • userexperience.cpp, xrefs: 009FD3E9
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
    • String ID: Engine active cannot be changed because it was already in that state.$userexperience.cpp
    • API String ID: 3376869089-1544469594
    • Opcode ID: c7e3610968b79c867c8a30a2719c3c346d389a4b65cad2853da08aa75bc97c0f
    • Instruction ID: ee4e7c339f2070c71b17f269ed6715245c47c3476e2550bf2e753834ebf16673
    • Opcode Fuzzy Hash: c7e3610968b79c867c8a30a2719c3c346d389a4b65cad2853da08aa75bc97c0f
    • Instruction Fuzzy Hash: 7EF0AF763003086F9710AEE6AC84EAB73AEFBC5765B00452AFB05C3140DBB4E8058770
    APIs
    • GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 00A31B53
    • GetLastError.KERNEL32(?,009F48D4,00000001,?,?,009F444C,?,?,?,?,009F535E,?,?,?,?), ref: 00A31B62
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AddressErrorLastProc
    • String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
    • API String ID: 199729137-398595594
    • Opcode ID: b1c5fb21cfe065083ebdcba2b7cb261d225ddff67d300a23573fff782e323fcf
    • Instruction ID: 4c5ad2046f13b1a7bae93c1da67aba0d147160b36f9cf8d276a8a69b18af80f2
    • Opcode Fuzzy Hash: b1c5fb21cfe065083ebdcba2b7cb261d225ddff67d300a23573fff782e323fcf
    • Instruction Fuzzy Hash: D4F0D136F80721A7E7216BB98D05776A590AB00792F014221BD01A7650FA348C4186F1
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A24848,00000000,?,00A247E8,00000000,00A57CF8,0000000C,00A2493F,00000000,00000002), ref: 00A248B7
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A248CA
    • FreeLibrary.KERNEL32(00000000,?,?,?,00A24848,00000000,?,00A247E8,00000000,00A57CF8,0000000C,00A2493F,00000000,00000002), ref: 00A248ED
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 4e69a35c05ad75ed9c4ec706c052912e489d070782f182a0ce1049536300f228
    • Instruction ID: 9caaa4d5c9b3064c2cb10bb2bc88640c78f2904f40c432b62c609e389f4d3afb
    • Opcode Fuzzy Hash: 4e69a35c05ad75ed9c4ec706c052912e489d070782f182a0ce1049536300f228
    • Instruction Fuzzy Hash: 6EF04430620218FBCB119BD4EC19BADBFB9FF48712F4001A9F905A6190DB704E45DB50
    APIs
      • Part of subcall function 00A30E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00A35699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00A30E52
    • RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 00A39457
    • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 00A39492
    • RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000), ref: 00A394AE
    • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000), ref: 00A394BB
    • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000), ref: 00A394C8
      • Part of subcall function 00A30B49: RegCloseKey.ADVAPI32(00000000), ref: 00A30CA0
      • Part of subcall function 00A30E9B: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00A39444,00000001), ref: 00A30EB3
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Close$InfoOpenQuery
    • String ID:
    • API String ID: 796878624-0
    • Opcode ID: 68cbcf68fd886c31c2f0677cf7376f0374868a212a9d6cfa8092949211d196cb
    • Instruction ID: 8b5ee71c21055fa5bca71965123f47d870fcf65ebb367cb290f3d39274970537
    • Opcode Fuzzy Hash: 68cbcf68fd886c31c2f0677cf7376f0374868a212a9d6cfa8092949211d196cb
    • Instruction Fuzzy Hash: 3F411872C0122DBFDF22AF95CD819AEFB79EF04360F1541AAF90076121C3724E519A90
    APIs
    • lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,009F8A9E,009F95E7,?,009F95E7,?,?,009F95E7,?,?), ref: 009F88FE
    • lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,009F8A9E,009F95E7,?,009F95E7,?,?,009F95E7,?,?), ref: 009F8906
    • CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,009F8A9E,009F95E7,?,009F95E7,?), ref: 009F8955
    • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,009F8A9E,009F95E7,?,009F95E7,?), ref: 009F89B7
    • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,009F8A9E,009F95E7,?,009F95E7,?), ref: 009F89E4
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CompareString$lstrlen
    • String ID:
    • API String ID: 1657112622-0
    • Opcode ID: 6ab6549f1aa86c0e7ae5efdaff0d42e2c0a6d25c433f17db9262983becb5b8f9
    • Instruction ID: 94b3ef67d9fc96eb6f8d61fd3762ed541ee03f23afc59267a20db385c5e7e3ed
    • Opcode Fuzzy Hash: 6ab6549f1aa86c0e7ae5efdaff0d42e2c0a6d25c433f17db9262983becb5b8f9
    • Instruction Fuzzy Hash: 8031737261010DBFCF518F58CC88ABF3F6AEB89360F144416FA5997210C7B589D1DBA2
    APIs
    • MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F2202
    • GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F220E
      • Part of subcall function 009F3B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,009F21DC,000001C7,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F3B59
      • Part of subcall function 009F3B51: HeapSize.KERNEL32(00000000,?,009F21DC,000001C7,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F3B60
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
    • String ID: strutil.cpp
    • API String ID: 3662877508-3612885251
    • Opcode ID: 5d7b341c5d5437b4f56e576255685a9ae659db07c45b5c6a14b5bd0b8ac47215
    • Instruction ID: 59002e9b346b660d98a689e090fa88820722ae49c5eb98e1518078daf9633e09
    • Opcode Fuzzy Hash: 5d7b341c5d5437b4f56e576255685a9ae659db07c45b5c6a14b5bd0b8ac47215
    • Instruction Fuzzy Hash: 4F31FA3271021AABEB189BA9CC44BB777D9EF45360B214225FE25DB1A0EB34CC01D7E0
    APIs
    • EnterCriticalSection.KERNEL32(009F52B5,WixBundleOriginalSource,?,?,00A0A41D,009F53B5,WixBundleOriginalSource,009F533D,00A5AA90,?,00000000,009F533D,?,00A07587,?,?), ref: 009F739A
    • LeaveCriticalSection.KERNEL32(009F52B5,009F52B5,00000000,00000000,?,?,00A0A41D,009F53B5,WixBundleOriginalSource,009F533D,00A5AA90,?,00000000,009F533D,?,00A07587), ref: 009F7401
    Strings
    • Failed to get value as string for variable: %ls, xrefs: 009F73F0
    • Failed to get value of variable: %ls, xrefs: 009F73D4
    • WixBundleOriginalSource, xrefs: 009F7396
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
    • API String ID: 3168844106-30613933
    • Opcode ID: cc22d583a93175d0b666c3bd81d6551b665b772e9a8974923456c13308c79777
    • Instruction ID: 91ea0a0c51f2d3725f58fabe922125b828f5e08af92b8926aacc15f9add5168c
    • Opcode Fuzzy Hash: cc22d583a93175d0b666c3bd81d6551b665b772e9a8974923456c13308c79777
    • Instruction Fuzzy Hash: 5801843299412CFBCF119F94EC05EEEBB69EF14761F108525FE04AA220D7B59E50A7D0
    APIs
    • CloseHandle.KERNEL32(?,00000000,?,00000000,?,00A1CEEB,00000000), ref: 00A1CF10
    • CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,00A1CEEB,00000000), ref: 00A1CF1C
    • CloseHandle.KERNEL32(00A3B508,00000000,?,00000000,?,00A1CEEB,00000000), ref: 00A1CF29
    • CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,00A1CEEB,00000000), ref: 00A1CF36
    • UnmapViewOfFile.KERNEL32(00A3B4D8,00000000,?,00A1CEEB,00000000), ref: 00A1CF45
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseHandle$FileUnmapView
    • String ID:
    • API String ID: 260491571-0
    • Opcode ID: b4c94c9eace00336a6878cd7c97cb19da88a9f76a641d4890d9184cd0e4522aa
    • Instruction ID: 480eeffdf09a1f4356520aa047771937ed003e5122e8b26ae797d6e517d3703d
    • Opcode Fuzzy Hash: b4c94c9eace00336a6878cd7c97cb19da88a9f76a641d4890d9184cd0e4522aa
    • Instruction Fuzzy Hash: 1D01F676405B19DFCB30AFA6DC90856FBEAEF50721315C83EE29652921C371A881DF90
    APIs
      • Part of subcall function 009F38D4: GetProcessHeap.KERNEL32(?,000001C7,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38E5
      • Part of subcall function 009F38D4: RtlAllocateHeap.NTDLL(00000000,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38EC
    • SysFreeString.OLEAUT32(00000000), ref: 00A37B2C
    • SysFreeString.OLEAUT32(00000000), ref: 00A37B37
    • SysFreeString.OLEAUT32(00000000), ref: 00A37B42
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: FreeString$Heap$AllocateProcess
    • String ID: atomutil.cpp
    • API String ID: 2724874077-4059165915
    • Opcode ID: 719ffeafeec7fa03efc2d146ee9f8830a0b1cd98aa33033a587571b1e88c4f9d
    • Instruction ID: 8466a6d2fdddd199c0eb4d244a8e3e2e60634ba1d6fd3fe857ca2348a8b51135
    • Opcode Fuzzy Hash: 719ffeafeec7fa03efc2d146ee9f8830a0b1cd98aa33033a587571b1e88c4f9d
    • Instruction Fuzzy Hash: 0E5130B1E0522AAFDB21DFA8C944FAEF7B8AF44754F154564F905AB250DB31DE00CBA0
    APIs
    • SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00A386D8
    • GetLastError.KERNEL32 ref: 00A386E2
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Time$ErrorFileLastSystem
    • String ID: clbcatq.dll$timeutil.cpp
    • API String ID: 2781989572-961924111
    • Opcode ID: 1b3abcc26309be47904e4540ae7f78fd06fc1dfd3d1a9b66ac962201ff4ce709
    • Instruction ID: 7829c642d94c046a1b47dce58cf0b9589b65c0ac74dc1f56e93c2c4620d0c7f8
    • Opcode Fuzzy Hash: 1b3abcc26309be47904e4540ae7f78fd06fc1dfd3d1a9b66ac962201ff4ce709
    • Instruction Fuzzy Hash: 7A41F571B41315B6EB24ABB88E47BBFB379EF80700F144529B901A7190DB39DE0183A5
    APIs
    • VariantInit.OLEAUT32(000002C0), ref: 00A335BE
    • SysAllocString.OLEAUT32(?), ref: 00A335CE
    • VariantClear.OLEAUT32(?), ref: 00A336AF
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Variant$AllocClearInitString
    • String ID: xmlutil.cpp
    • API String ID: 2213243845-1270936966
    • Opcode ID: a77640b27ea33c0524eb10a2280f49898d4e70f19894d04c13a7fb1fe3a93a49
    • Instruction ID: ff82503da370cfc144e3febc78a9a52bf3d34a005c0a83db4725ecbfd128d62e
    • Opcode Fuzzy Hash: a77640b27ea33c0524eb10a2280f49898d4e70f19894d04c13a7fb1fe3a93a49
    • Instruction Fuzzy Hash: A14151B2900625AFCB119FA9C889EABBBB8AF45710F0545A9FD15EB311D734D9008BA0
    APIs
    • RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00A18BD8), ref: 00A30D77
    • RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00A18BD8,00000000), ref: 00A30D99
    • RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,00A18BD8,00000000,00000000,00000000), ref: 00A30DF1
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Enum$InfoQuery
    • String ID: regutil.cpp
    • API String ID: 73471667-955085611
    • Opcode ID: c492ec9716d4bb487030e6aee6c0c8e1c62c888d5a3fe88f5e4acd93e3a11eb5
    • Instruction ID: 008def5d7d08e8fefaa38a97fbba787c9bea235db6a15e332c5e6c36158c30ec
    • Opcode Fuzzy Hash: c492ec9716d4bb487030e6aee6c0c8e1c62c888d5a3fe88f5e4acd93e3a11eb5
    • Instruction Fuzzy Hash: 313181B6A01229FFEB21CB99CD90EBBB7ACEF04390F214166BD04E7150D7319E1196A0
    APIs
      • Part of subcall function 009F38D4: GetProcessHeap.KERNEL32(?,000001C7,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38E5
      • Part of subcall function 009F38D4: RtlAllocateHeap.NTDLL(00000000,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38EC
    • SysFreeString.OLEAUT32(00000000), ref: 00A379AA
    • SysFreeString.OLEAUT32(?), ref: 00A379B5
    • SysFreeString.OLEAUT32(00000000), ref: 00A379C0
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: FreeString$Heap$AllocateProcess
    • String ID: atomutil.cpp
    • API String ID: 2724874077-4059165915
    • Opcode ID: 558a7d10540f379fe7328d665797879e1a02e0226e1a04ba653a2282005c68ba
    • Instruction ID: e8fbbdf9ced4cb25bd3753c359ef24605cb117699f859d102919fb08cf016236
    • Opcode Fuzzy Hash: 558a7d10540f379fe7328d665797879e1a02e0226e1a04ba653a2282005c68ba
    • Instruction Fuzzy Hash: D23176B2D05629FBDB62ABA8CC45BAEB7B8EF45750F0142A5F900AB210D771DD00DB90
    APIs
      • Part of subcall function 00A30E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00A35699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00A30E52
    • RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,00A18C14,00000000,00000000), ref: 00A1898C
    Strings
    • Failed to initialize package from related bundle id: %ls, xrefs: 00A18972
    • Failed to ensure there is space for related bundles., xrefs: 00A1893F
    • Failed to open uninstall key for potential related bundle: %ls, xrefs: 00A188FB
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseOpen
    • String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
    • API String ID: 47109696-1717420724
    • Opcode ID: 528b7fb15e9c881faa14b5d9ea52e421e7fa09a0a45611727a3d507cbdccf865
    • Instruction ID: 95a0b73d935217fa346ec8c984c2909d7643e4a788fd9b10891dac90ef8c3921
    • Opcode Fuzzy Hash: 528b7fb15e9c881faa14b5d9ea52e421e7fa09a0a45611727a3d507cbdccf865
    • Instruction Fuzzy Hash: 52214C3294022ABBDB129F94CD06FFEBB79FF00711F144155F900A6160DB799EA0EB92
    APIs
    • GetProcessHeap.KERNEL32(00000010,00000000,80004005,00000000,00000000,00000100,?,009F1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,009F13B7), ref: 009F3AB2
    • HeapReAlloc.KERNEL32(00000000,?,009F1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,009F13B7,000001C7,00000100,?,80004005,00000000), ref: 009F3AB9
      • Part of subcall function 009F38D4: GetProcessHeap.KERNEL32(?,000001C7,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38E5
      • Part of subcall function 009F38D4: RtlAllocateHeap.NTDLL(00000000,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38EC
      • Part of subcall function 009F3B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,009F21DC,000001C7,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F3B59
      • Part of subcall function 009F3B51: HeapSize.KERNEL32(00000000,?,009F21DC,000001C7,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F3B60
    • _memcpy_s.LIBCMT ref: 009F3B04
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Heap$Process$AllocAllocateSize_memcpy_s
    • String ID: memutil.cpp
    • API String ID: 3406509257-2429405624
    • Opcode ID: 28cab9587acd3bd8c28454079bdb550ab6be38d83e7437739d070b85ca51d7f6
    • Instruction ID: 915602bc591e4bbfb576ceb9fa7f241efcfe0bde9ba1275a3ec594a3f9efa906
    • Opcode Fuzzy Hash: 28cab9587acd3bd8c28454079bdb550ab6be38d83e7437739d070b85ca51d7f6
    • Instruction Fuzzy Hash: E811E13160121CBFDB226B659C65EBE3A5DDF84761B008715FB158B290C779CF5093A0
    APIs
    • GetLastError.KERNEL32 ref: 00A3884C
    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00A38874
    • GetLastError.KERNEL32 ref: 00A3887E
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLastTime$FileSystem
    • String ID: inetutil.cpp
    • API String ID: 1528435940-2900720265
    • Opcode ID: 03996e238b7b2af03c3b793ca5625433e307eb3e71dfea9f26bc6df60f59ad80
    • Instruction ID: f438b5864f3dca31ee60a2935373eabc82082dfe8b94b29d6eeaba1c0bed129c
    • Opcode Fuzzy Hash: 03996e238b7b2af03c3b793ca5625433e307eb3e71dfea9f26bc6df60f59ad80
    • Instruction Fuzzy Hash: F1119072A01329BBE720DBF98D44BEBB7E8EF48281F01012ABE05E7150E6348D0587F1
    APIs
      • Part of subcall function 00A30E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00A35699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00A30E52
    • RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00A03E61,feclient.dll,?,00000000,?,?,?,009F4A0C), ref: 00A039F1
      • Part of subcall function 00A30F6E: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00A30FE4
      • Part of subcall function 00A30F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00A3101F
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: QueryValue$CloseOpen
    • String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
    • API String ID: 1586453840-3596319545
    • Opcode ID: 27348071434e47b3da80b393a81dc0251742cfedf091a42bde1c8daf0eb90c40
    • Instruction ID: c0d835ec0e99ec80de5e45c9cd381fee63f676d0b76386b896c88080eb4eb308
    • Opcode Fuzzy Hash: 27348071434e47b3da80b393a81dc0251742cfedf091a42bde1c8daf0eb90c40
    • Instruction Fuzzy Hash: 31118E33A4020CBBDF218B95ED62AAEBBBCAB40B81F504066F501AA090D6B19F81D750
    APIs
    • lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,?,00A2FF0B,?,?,00000000,00000000,0000FDE9), ref: 00A3066A
    • WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,?,?,00A2FF0B,?,?,00000000,00000000,0000FDE9), ref: 00A306A6
    • GetLastError.KERNEL32(?,?,00A2FF0B,?,?,00000000,00000000,0000FDE9), ref: 00A306B0
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLastWritelstrlen
    • String ID: logutil.cpp
    • API String ID: 606256338-3545173039
    • Opcode ID: cf44821fc4220035bff34d8d870999fb0404aefcafa28289888c0292a88af0e5
    • Instruction ID: 87d8e6ab868ff77abddda7383ab86b116f8db565f62dd044146afcc0a87c432f
    • Opcode Fuzzy Hash: cf44821fc4220035bff34d8d870999fb0404aefcafa28289888c0292a88af0e5
    • Instruction Fuzzy Hash: 4A11C272A01324AB9710DBAA8D65EAFBAADEBD5761F014315FE05D7140EBB0AD10C6F0
    APIs
    • CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,009F5137,00000000,?), ref: 009F1247
    • GetLastError.KERNEL32(?,?,?,009F5137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 009F1251
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ArgvCommandErrorLastLine
    • String ID: apputil.cpp$ignored
    • API String ID: 3459693003-568828354
    • Opcode ID: 249498aff386e534c6aa08f87eabece45025de8f4b53f8f3fe070ea9d2a9680a
    • Instruction ID: fa7bf940bd42b87b58442b7e4dcdb2c4af208fc6f223bd2ab5b4b5521bd8d8c0
    • Opcode Fuzzy Hash: 249498aff386e534c6aa08f87eabece45025de8f4b53f8f3fe070ea9d2a9680a
    • Instruction Fuzzy Hash: 40113A72A1022DFB9B15DBA9C845EAEBBA9EB44750B11415AFE05E7210E7309E109BE0
    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,00000002,00000000,?,?,00A1D1DC,00000000,00000000,00000000,?), ref: 00A1CF66
    • ReleaseMutex.KERNEL32(?,?,00A1D1DC,00000000,00000000,00000000,?), ref: 00A1CFED
      • Part of subcall function 009F38D4: GetProcessHeap.KERNEL32(?,000001C7,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38E5
      • Part of subcall function 009F38D4: RtlAllocateHeap.NTDLL(00000000,?,009F2284,000001C7,00000001,80004005,8007139F,?,?,00A3015F,8007139F,?,00000000,00000000,8007139F), ref: 009F38EC
    Strings
    • NetFxChainer.cpp, xrefs: 00A1CFAB
    • Failed to allocate memory for message data, xrefs: 00A1CFB5
    Similarity
    • API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
    • String ID: Failed to allocate memory for message data$NetFxChainer.cpp
    • API String ID: 2993511968-1624333943
    • Opcode ID: bb42fdaa5e88cb888659c785efaac7ba3a96231116710713e7feeb3f6fe3b6e0
    • Instruction ID: e7d1969708fffcf7718046dab44d2859c716cb1a1eb3f34e848c0918d36f53d2
    • Instruction Fuzzy Hash: 32118FB1300215AFCB05DF68D895EAABBB5FF09720F104269FA149B3A1C731AC51CBA4
    APIs
    • FormatMessageW.KERNEL32(000011FF,009F5386,?,00000000,00000000,00000000,?,80070656,?,?,?,00A0E50B,00000000,009F5386,00000000,80070656), ref: 009F1FAA
    • GetLastError.KERNEL32(?,?,?,00A0E50B,00000000,009F5386,00000000,80070656,?,?,00A03F6B,009F5386,?,80070656,00000001,crypt32.dll), ref: 009F1FB7
    • LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,00A0E50B,00000000,009F5386,00000000,80070656,?,?,00A03F6B,009F5386), ref: 009F1FFE
    Strings
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessage
    • String ID: strutil.cpp
    • API String ID: 1365068426-3612885251
    • Opcode ID: e0dc49f3dd828fc6a3e190671d1ba3200570b8f82825b71117d3a67046b45e4c
    • Instruction ID: 49ce1e34249970915c6e6616398b5ee0c7419a9df8991fb4e886e9f2b6e99137
    • Instruction Fuzzy Hash: 4E115E76A10228FFEB159F94CD09AEE7AA9EB09350F00416ABE01E2150E7714E11DBE0
    APIs
    Strings
    • Failed to QI for IBootstrapperEngine from BootstrapperEngineForApplication object., xrefs: 00A0FCB0
    • EngineForApplication.cpp, xrefs: 00A0FC84
    • Failed to allocate new BootstrapperEngineForApplication object., xrefs: 00A0FC8E
    Similarity
    • API ID:
    • String ID: EngineForApplication.cpp$Failed to QI for IBootstrapperEngine from BootstrapperEngineForApplication object.$Failed to allocate new BootstrapperEngineForApplication object.
    • API String ID: 0-1509993410
    • Opcode ID: 0c487b9f7b2ecb7ddd20ceb62d471d8b2fc434cb0d2a14502470f86d21ab5ffd
    • Instruction ID: 54774e8f682df6f17d54f2b51f5dd4146e4b6413417db45fb82cacc6dc561655
    • Instruction Fuzzy Hash: 9CF0493624471E7FE7212714FD06D9F7768DF84770B100026FD05BA2D0EF20890091A2
    APIs
    • CreateFileW.KERNEL32(00A3B4F0,40000000,00000001,00000000,00000002,00000080,00000000,00A00328,00000000,?,009FF37F,?,00000080,00A3B4F0,00000000), ref: 00A34C7F
    • GetLastError.KERNEL32(?,009FF37F,?,00000080,00A3B4F0,00000000,?,00A00328,?,00000094,?,?,?,?,?,00000000), ref: 00A34C8C
    • CloseHandle.KERNEL32(00000000,00000000,?,009FF37F,?,009FF37F,?,00000080,00A3B4F0,00000000,?,00A00328,?,00000094), ref: 00A34CE0
    Strings
    Similarity
    • API ID: CloseCreateErrorFileHandleLast
    • String ID: fileutil.cpp
    • API String ID: 2528220319-2967768451
    • Opcode ID: c736db23d2f85153818c9e55f4a1ec166ded20eccd37964f2651f751154873c8
    • Instruction ID: f80b7e6fe88365afa0c0a92bffceacee938f35975be769ad137de05a16e0ee7b
    • Instruction Fuzzy Hash: 6301D43270172467E7215FA99C05F5B3A95EB497B0F014214FF24A71E0C7319C1193A0
    APIs
    • CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,00A18A30,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 00A34874
    • GetLastError.KERNEL32(?,00A18A30,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 00A34881
    Strings
    Similarity
    • API ID: CreateErrorFileLast
    • String ID: fileutil.cpp
    • API String ID: 1214770103-2967768451
    • Opcode ID: 74d9f9cceb5bcef4fbe2892b274ad4025216d6380e1ba54c3b0c62666397e43e
    • Instruction ID: 4f12748160bc0ad34c2948b911282a1093572ad4c95e318e59f5034fe06e36c6
    • Instruction Fuzzy Hash: 8201F432780320BBF72066A8AC49F7BA698EB49B61F014221FF05AB1D0C6695D0153F0
    APIs
    • ControlService.ADVAPI32(00A168BA,00000001,?,00000001,00000000,?,?,?,?,?,?,00A168BA,00000000), ref: 00A169D0
    • GetLastError.KERNEL32(?,?,?,?,?,?,00A168BA,00000000), ref: 00A169DA
    Strings
    Similarity
    • API ID: ControlErrorLastService
    • String ID: Failed to stop wusa service.$msuengine.cpp
    • API String ID: 4114567744-2259829683
    • Opcode ID: 4b980a6f2fc09d4d0972864550f5e72e9037f0deb428494c5d9d8e05538695fc
    • Instruction ID: df4ab3698d44b0d4f3a0c6af48bd49f2f434cdb3ec9323d99e4946f5a9d047f4
    • Instruction Fuzzy Hash: 1F012632B003286BE710EBB9AD01BEBB7E8EF48710F014129FD04FB180EA249D0186E4
    APIs
    • PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 00A0EA9A
    • GetLastError.KERNEL32 ref: 00A0EAA4
    Strings
    • Failed to post elevate message., xrefs: 00A0EAD2
    • EngineForApplication.cpp, xrefs: 00A0EAC8
    Similarity
    • API ID: ErrorLastMessagePostThread
    • String ID: EngineForApplication.cpp$Failed to post elevate message.
    • API String ID: 2609174426-4098423239
    • Opcode ID: 7e8c96cc7d3e4557390ad9a31ffe684dc2d3bc34782c152d4f6b953ad434d829
    • Instruction ID: 15f185127c1d224e6c8ede767126fee19d36753ccc90a2eca7f2073c61939504
    • Instruction Fuzzy Hash: FBF0F636744334AFD320AA98AC09E9377C4FB08761F114225FE19EA1D0D7258C0297E4
    APIs
    • GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 009FD7F6
    • FreeLibrary.KERNEL32(?,?,009F47D1,00000000,?,?,009F5386,?,?), ref: 009FD805
    • GetLastError.KERNEL32(?,009F47D1,00000000,?,?,009F5386,?,?), ref: 009FD80F
    Strings
    • BootstrapperApplicationDestroy, xrefs: 009FD7EE
    Similarity
    • API ID: AddressErrorFreeLastLibraryProc
    • String ID: BootstrapperApplicationDestroy
    • API String ID: 1144718084-3186005537
    • Opcode ID: d3c29d5e319ddf3dc144c9eabb4748febbdaed6f73f9724cb0f5661de4085022
    • Instruction ID: 395d3da6cf5eb3e7493e20d00f75ea2788dd24519a1f006eecaddd9ad9403115
    • Instruction Fuzzy Hash: FDF06D322117049FD7209FA6DC08A67B7EAFF81362B01C53EFA66C6520D735E801CBA0
    APIs
    • PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 00A0F09B
    • GetLastError.KERNEL32 ref: 00A0F0A5
    Strings
    • Failed to post plan message., xrefs: 00A0F0D3
    • EngineForApplication.cpp, xrefs: 00A0F0C9
    Similarity
    • API ID: ErrorLastMessagePostThread
    • String ID: EngineForApplication.cpp$Failed to post plan message.
    • API String ID: 2609174426-2952114608
    • Opcode ID: 044a9a85b1feb09f7e226172f0342e8cbef16cd18623d2c9273ee1530a5002dc
    • Instruction ID: 5dfe50b05a82218d307092e84dba6ad553c7705c2a903882ad6ac13863455d72
    • Instruction Fuzzy Hash: 90F0EC327503347FE7206AA96C45F877BC9EF44BA0F018021FE0CEA091D6558C0086E4
    APIs
    • PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 00A0F1A9
    • GetLastError.KERNEL32 ref: 00A0F1B3
    Strings
    • Failed to post shutdown message., xrefs: 00A0F1E1
    • EngineForApplication.cpp, xrefs: 00A0F1D7
    Similarity
    • API ID: ErrorLastMessagePostThread
    • String ID: EngineForApplication.cpp$Failed to post shutdown message.
    • API String ID: 2609174426-188808143
    • Opcode ID: fb930a5d26dd6ceca1e77095029dbd4a61ac7a06c3225b889f792c04353dcd77
    • Instruction ID: 81d008fe05e39ae4a0f29d0dc64bcced988d687cdd4dbfeaba17ee37f6d7169a
    • Instruction Fuzzy Hash: 69F0EC37B403347FE7206AA9AC09F877BC8EF44B60F014125FE08E6490E6558D0097F4
    APIs
    • SetEvent.KERNEL32(00A3B468,00000000,?,00A1145A,?,00000000,?,009FC121,?,009F52FD,?,00A073B2,?,?,009F52FD,?), ref: 00A10524
    • GetLastError.KERNEL32(?,00A1145A,?,00000000,?,009FC121,?,009F52FD,?,00A073B2,?,?,009F52FD,?,009F533D,00000001), ref: 00A1052E
    Strings
    • Failed to set begin operation event., xrefs: 00A1055C
    • cabextract.cpp, xrefs: 00A10552
    Similarity
    • API ID: ErrorEventLast
    • String ID: Failed to set begin operation event.$cabextract.cpp
    • API String ID: 3848097054-4159625223
    • Opcode ID: 47ab37ac864bd834fe62490efc945cca8accdd22aa0607ef0da01ed4194faa3c
    • Instruction ID: 31565c0a29128b54fac3efde63c450fc97077bb76fa2f47ca85dfdb2bb471228
    • Instruction Fuzzy Hash: C5F0E533A407306BA720A6B97D06FDB76DDDF047B1F014136FE09E7150E6589D8146E9
    APIs
    • PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 00A0E98D
    • GetLastError.KERNEL32 ref: 00A0E997
    Strings
    • Failed to post apply message., xrefs: 00A0E9C5
    • EngineForApplication.cpp, xrefs: 00A0E9BB
    Similarity
    • API ID: ErrorLastMessagePostThread
    • String ID: EngineForApplication.cpp$Failed to post apply message.
    • API String ID: 2609174426-1304321051
    • Opcode ID: 8f361957c8f6cc6f9ee8976fbeeb5e715d119be6a88bcf7c0ade56a2925ac382
    • Instruction ID: 3b3bbf90160462affd0bb48aafa9e098a1538758b49e2bc46d3f738e09fbe201
    • Instruction Fuzzy Hash: B0F0EC327403347BE72077A9AC45F87BFC8EF44BA0F014025FE08EA0A1D6258C1096E4
    APIs
    • PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 00A0EA1E
    • GetLastError.KERNEL32 ref: 00A0EA28
    Strings
    • Failed to post detect message., xrefs: 00A0EA56
    • EngineForApplication.cpp, xrefs: 00A0EA4C
    Similarity
    • API ID: ErrorLastMessagePostThread
    • String ID: EngineForApplication.cpp$Failed to post detect message.
    • API String ID: 2609174426-598219917
    • Opcode ID: 268ac079829c4b9692e56c198c2ef39831cc4855971c7fa263cab57c9b4e60c7
    • Instruction ID: 75faa10bab6a3b97fd993a05ca6b9839d08223c8a6c79f46946452f1c11cce2f
    • Instruction Fuzzy Hash: 9DF0EC36B403347FE72066A9AC45F877BC8EF48BA0F014111FE08EB090D6158D01D6E4
    APIs
    Similarity
    • API ID: __alldvrm$_strrchr
    • String ID:
    • API String ID: 1036877536-0
    • Opcode ID: f3a74c95afe91129e83f4a200ae329e72b68e1b987d16e4549aa364eb4fd1ab8
    • Instruction ID: c3ce6ef84d0518fb2ebc655110db384be87f8382deb71b7d11a4bfb27613a00a
    • Instruction Fuzzy Hash: 77A19C72A027A69FDB26DF2CE8817AEBBF4EF15350F1841BDE4859B281C2749D41C750
    APIs
    Strings
    Similarity
    • API ID: lstrlen
    • String ID: dlutil.cpp
    • API String ID: 1659193697-2067379296
    • Opcode ID: 33bf3713c644c460d2312b078c770b2d8a12b28ff4c870ce38fb5be0131180ff
    • Instruction ID: dd132f0726cf8173f25e8ce571e8c445f5bdbd5c984ab1d59ba7bf1b5a1cae84
    • Instruction Fuzzy Hash: 1051A032E01625ABDB11DFB9CC84AAFBBB9EF88740F164115FE05A7210DB308D0197A0
    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,E3E85006,00A2234D,00000000,00000000,00A23382,?,00A23382,?,00000001,00A2234D,E3E85006,00000001,00A23382,00A23382), ref: 00A290F7
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A29180
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00A29192
    • __freea.LIBCMT ref: 00A2919B
      • Part of subcall function 00A25154: HeapAlloc.KERNEL32(00000000,?,?,?,00A21E90,?,0000015D,?,?,?,?,00A232E9,000000FF,00000000,?,?), ref: 00A25186
    Similarity
    • API ID: ByteCharMultiWide$AllocHeapStringType__freea
    • String ID:
    • API String ID: 573072132-0
    • Opcode ID: df82f5df9fdd555d602db2b4beea25c6e46a4100fb643b2bf6099171f790d70c
    • Instruction ID: 6fe0e6b05bdc84b17dfe3e5d51c2db840f68bfee4c7bfd855b32671bc134fabe
    • Instruction Fuzzy Hash: 8C31B271A0022AABDF24DF69EC45DAF7BA5EB05710F044279FC14D6290E735CD65CBA0
    APIs
    • CloseHandle.KERNEL32(?,?,?,00000000,?,009F545F,?,?,?,?,?,?), ref: 009F4EF6
    • DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,009F545F,?,?,?,?,?,?), ref: 009F4F0A
    • TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,009F545F,?,?), ref: 009F4FF9
    • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,009F545F,?,?), ref: 009F5000
      • Part of subcall function 009F1160: LocalFree.KERNEL32(?,?,009F4EB3,?,00000000,?,009F545F,?,?,?,?,?,?), ref: 009F116A
    Similarity
    • API ID: CriticalDeleteFreeSection$CloseHandleLocal
    • String ID:
    • API String ID: 3671900028-0
    • Opcode ID: 2e634acdfeb31cfa0e05764f8e3b4afd3dcf2def207007d68638a0a04227434e
    • Instruction ID: 659ac835934a2fe2e28ffc3b1187608171e734b812f21d57a3d4e1aad2dd308a
    • Instruction Fuzzy Hash: 2D41DEB1A00B09ABCA20FBB5C989FAB73EDAF04351F440929B75AD3151EB34F544C724
    APIs
    • SysAllocString.OLEAUT32(?), ref: 00A3312C
    • VariantInit.OLEAUT32(?), ref: 00A33138
    • VariantClear.OLEAUT32(?), ref: 00A331AC
    • SysFreeString.OLEAUT32(00000000), ref: 00A331B7
      • Part of subcall function 00A3336E: SysAllocString.OLEAUT32(?), ref: 00A33383
    Similarity
    • API ID: String$AllocVariant$ClearFreeInit
    • String ID:
    • API String ID: 347726874-0
    • Opcode ID: 1f0be1578a5bdd6a04efca32274529244c5f4348b47ee5517b4bddc45da6b6fe
    • Instruction ID: 219fd4789a66899d082fbef2c217aab9c3c6962aa8850ca29c43800809286682
    • Instruction Fuzzy Hash: 6B211D32901219AFCF24DFA9D848EAEBBB9EF44715F15425CF9059B220D7719E05CBA0
    APIs
      • Part of subcall function 009FF7F7: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,009F4B9F,?,?,00000001), ref: 009FF847
    • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 009F4C06
      • Part of subcall function 00A3082D: CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 00A3089A
      • Part of subcall function 00A3082D: GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 00A308A4
      • Part of subcall function 00A3082D: CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 00A308ED
      • Part of subcall function 00A3082D: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 00A308FA
    Strings
    • Failed to get current process path., xrefs: 009F4BC4
    • Unable to get resume command line from the registry, xrefs: 009F4BA5
    • Failed to re-launch bundle process after RunOnce: %ls, xrefs: 009F4BF0
    Similarity
    • API ID: Close$Handle$CreateErrorLastProcess
    • String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
    • API String ID: 1572399834-642631345
    • Opcode ID: 81536185892cc62e8e273453f453bde67979026cd0d9c916af6d283bf8fae917
    • Instruction ID: 901997bfaf337000243694bd456764200e6268be9611bed3ddc158170a6c2467
    • Instruction Fuzzy Hash: E7117C76D0161CFF8F12AB98DE01CEEFBB9EF80711F1041A6FA01A2211D7318A409B90
    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00A288D5,00000000,00000000,?,00A286D8,00A288D5,00000000,00000000,00000000,?,00A288D5,00000006,FlsSetValue), ref: 00A28763
    • GetLastError.KERNEL32(?,00A286D8,00A288D5,00000000,00000000,00000000,?,00A288D5,00000006,FlsSetValue,00A52208,00A52210,00000000,00000364,?,00A26130), ref: 00A2876F
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A286D8,00A288D5,00000000,00000000,00000000,?,00A288D5,00000006,FlsSetValue,00A52208,00A52210,00000000), ref: 00A2877D
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID:
    • API String ID: 3177248105-0
    • Opcode ID: 45c81b71d7fb365b6af46f119e2f42a6c3c02fa1f8eee354ba44cc01413b2c03
    • Instruction ID: 1c0dbfd4c2233bbe36bca96cea4230721144f4ca6e99f92812b13f1180af543b
    • Instruction Fuzzy Hash: 6C01A7366223369FC7218BADBC48A677769AF45BA27350730FA16D7140DB24D802C6F0
    APIs
    • GetLastError.KERNEL32(?,00000000,00A219F5,00000000,80004004,?,00A21CF9,00000000,80004004,00000000,00000000), ref: 00A26062
    • SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 00A260CA
    • SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 00A260D6
    • _abort.LIBCMT ref: 00A260DC
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLast$_abort
    • String ID:
    • API String ID: 88804580-0
    • Opcode ID: e446ade8efb99e7541d132f1a6c6e3f7183e79678881d862ff8a6e52d1bff943
    • Instruction ID: 4abad3c141dd6b6c4da4c0ef06c8c62d622f1982625a1d35372f0d9cf3a9c9b3
    • Opcode Fuzzy Hash: e446ade8efb99e7541d132f1a6c6e3f7183e79678881d862ff8a6e52d1bff943
    • Instruction Fuzzy Hash: 6EF0813691AE3066C222777C7E0AB1E166AABD1B71F258238F919961D1EE3488026171
    APIs
    • EnterCriticalSection.KERNEL32(?), ref: 009F7318
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 009F737F
    Strings
    • Failed to get value as numeric for variable: %ls, xrefs: 009F736E
    • Failed to get value of variable: %ls, xrefs: 009F7352
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
    • API String ID: 3168844106-4270472870
    • Opcode ID: 081483ff94e1b785f3f53e67f56ce1132c8dccd7df59c713ba200ed58ec02fa1
    • Instruction ID: 426c3455abe1859111b68a9a41b0ca5387f623f682371238a49614847baec921
    • Opcode Fuzzy Hash: 081483ff94e1b785f3f53e67f56ce1132c8dccd7df59c713ba200ed58ec02fa1
    • Instruction Fuzzy Hash: 8801713294812CFBCF119F94DC05AAEBB69AB04761F108125FE14AA220D3B59E51ABD0
    APIs
    • EnterCriticalSection.KERNEL32(?), ref: 009F748D
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 009F74F4
    Strings
    • Failed to get value as version for variable: %ls, xrefs: 009F74E3
    • Failed to get value of variable: %ls, xrefs: 009F74C7
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
    • API String ID: 3168844106-1851729331
    • Opcode ID: b95d84a8b27aecf947488c03d56bce71021b6daa62ff5b8e143fc609e665afe2
    • Instruction ID: ff2a011942076a1638eaca8b1302ffd145b9336ba62f171df06f7ae7a159c123
    • Opcode Fuzzy Hash: b95d84a8b27aecf947488c03d56bce71021b6daa62ff5b8e143fc609e665afe2
    • Instruction Fuzzy Hash: E901713295412CFBCF119F94DC05AAEBF6AAB10761F108125FE04AA220C3399E609BE0
    APIs
    • EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,009F9752,00000000,?,00000000,00000000,00000000,?,009F9590,00000000,?,00000000,00000000), ref: 009F741C
    • LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,009F9752,00000000,?,00000000,00000000,00000000,?,009F9590,00000000,?,00000000), ref: 009F7472
    Strings
    • Failed to get value of variable: %ls, xrefs: 009F7442
    • Failed to copy value of variable: %ls, xrefs: 009F7461
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
    • API String ID: 3168844106-2936390398
    • Opcode ID: 97634b672f47bfef884e958af0df0ed0a49080775ffc84903d12c62b3982742b
    • Instruction ID: 6d38e6e62b49bef6fed41d1aaafc24e8edb6c69215972264702ba98514a5e9d9
    • Opcode Fuzzy Hash: 97634b672f47bfef884e958af0df0ed0a49080775ffc84903d12c62b3982742b
    • Instruction Fuzzy Hash: 53F0443694412DFBCF11AF94DC05DAEBF6AEF14365F108124FE04A6221D7369A20ABD0
    APIs
    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00A21246
    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00A2124B
    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00A21250
      • Part of subcall function 00A21548: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00A21559
    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00A21265
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
    • String ID:
    • API String ID: 1761009282-0
    • Opcode ID: 294756368ebb91e0d837f8d85631f380e5f2af2aa371e18ba28d844398db2aca
    • Instruction ID: 43f63e9fa0bda4c16c0ecb0a2f2114d83adbae67a1d02bf8b25568ac6ba6e47f
    • Opcode Fuzzy Hash: 294756368ebb91e0d837f8d85631f380e5f2af2aa371e18ba28d844398db2aca
    • Instruction Fuzzy Hash: CFC048181042B5A41E243FFD33822ED03884CF2389BD120F6FC6AA7503A90A041B2632
    APIs
      • Part of subcall function 00A30E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00A35699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00A30E52
    • RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 00A347C2
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseOpen
    • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
    • API String ID: 47109696-3023217399
    • Opcode ID: 8e5e4530f0270a92a2bb415125bb49fa9cd6058870d6ed955216bcc8d883bd77
    • Instruction ID: 7ce631b0f6e18e824bbbe504c35e21ffb4590870f810aca155261948f3e2e847
    • Opcode Fuzzy Hash: 8e5e4530f0270a92a2bb415125bb49fa9cd6058870d6ed955216bcc8d883bd77
    • Instruction Fuzzy Hash: D241A675E00219EFCF20DF94C981AADBBB5FF4A750F2144A9F500A7211D731AE51DB50
    APIs
    • RegCloseKey.ADVAPI32(00000000), ref: 00A30CA0
      • Part of subcall function 00A30E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00A35699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00A30E52
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseOpen
    • String ID: regutil.cpp
    • API String ID: 47109696-955085611
    • Opcode ID: 52ea37d7572dd9a2b5fc7891749e92e0f2398f8a3b37cb3fa20ecd0f60b70937
    • Instruction ID: a0af1872ce5095696b76ada61f3b6a3885c02fdba9862ed5d1d4030466505c7d
    • Opcode Fuzzy Hash: 52ea37d7572dd9a2b5fc7891749e92e0f2398f8a3b37cb3fa20ecd0f60b70937
    • Instruction Fuzzy Hash: BF41E232E01229FBDF219FA5CD24FAEBBA5AB04351F118369FD05AB160D3358E40DB90
    APIs
    • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00A30FE4
    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00A3101F
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: QueryValue
    • String ID: regutil.cpp
    • API String ID: 3660427363-955085611
    • Opcode ID: 2332821ee0cd6deb6f4cef9c26e4a2ceda45c4cacfbefb4461c10377ab240bbf
    • Instruction ID: 51a94fde8ca8e87cbbb3c89fde7a8faf42a12afb23eda4ac364447fc66a1b4ab
    • Opcode Fuzzy Hash: 2332821ee0cd6deb6f4cef9c26e4a2ceda45c4cacfbefb4461c10377ab240bbf
    • Instruction Fuzzy Hash: 17418C31E0022AEFDB249F98CC81AAEBBB9FF45710F10816AF914A7250D7319E51DB90
    APIs
    • WideCharToMultiByte.KERNEL32(00A3B508,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 00A266A3
    • GetLastError.KERNEL32 ref: 00A266BF
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ByteCharErrorLastMultiWide
    • String ID: comres.dll
    • API String ID: 203985260-246242247
    • Opcode ID: b1c6636ee5e69ab2cc23119de75094a87b276841855c3689fce76d7be3c2d0eb
    • Instruction ID: 152703748573dd10d247ea514454af167177cc885aa8ac263ea331870103fbc2
    • Opcode Fuzzy Hash: b1c6636ee5e69ab2cc23119de75094a87b276841855c3689fce76d7be3c2d0eb
    • Instruction Fuzzy Hash: 5731E331602275AFCB29AF5DF985BAB7BA89F52750F190178F8145B2D1DB30CD40C7A1
    APIs
      • Part of subcall function 00A38CFB: lstrlenW.KERNEL32(00000100,?,?,00A39098,000002C0,00000100,00000100,00000100,?,?,?,00A17B40,?,?,000001BC,00000000), ref: 00A38D1B
    • RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,00A3B4F0,wininet.dll,?), ref: 00A38F07
    • RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,00A3B4F0,wininet.dll,?), ref: 00A38F14
      • Part of subcall function 00A30E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00A35699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00A30E52
      • Part of subcall function 00A30D1C: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00A18BD8), ref: 00A30D77
      • Part of subcall function 00A30D1C: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00A18BD8,00000000), ref: 00A30D99
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Close$EnumInfoOpenQuerylstrlen
    • String ID: wininet.dll
    • API String ID: 2680864210-3354682871
    • Opcode ID: 0ff4384035956a030ef4ec224ad8e76de56a5a970f425bfa19b0e160896ef02a
    • Instruction ID: 928bfb45805ad6c92adcef42d2023a89dfefd7b809a954647c7206dc01eb8e10
    • Opcode Fuzzy Hash: 0ff4384035956a030ef4ec224ad8e76de56a5a970f425bfa19b0e160896ef02a
    • Instruction Fuzzy Hash: 0F311776C01229AFCF21AFA8C9808AEBB7AEF44750F254169F90176121DB358E549B90
    APIs
      • Part of subcall function 00A38CFB: lstrlenW.KERNEL32(00000100,?,?,00A39098,000002C0,00000100,00000100,00000100,?,?,?,00A17B40,?,?,000001BC,00000000), ref: 00A38D1B
    • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000), ref: 00A39305
    • RegCloseKey.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00A3931F
      • Part of subcall function 00A30AD5: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,00A00491,?,00000000,00020006), ref: 00A30AFA
      • Part of subcall function 00A31392: RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,009FF1C2,00000000,?,00020006), ref: 00A313C5
      • Part of subcall function 00A31392: RegDeleteValueW.ADVAPI32(00020006,00020006,00000000,?,?,009FF1C2,00000000,?,00020006,?,00020006,00020006,00000000,?,?,?), ref: 00A313F5
      • Part of subcall function 00A31344: RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,009FF11A,00000005,Resume,?,?,?,00000002,00000000), ref: 00A31359
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Value$Close$CreateDeletelstrlen
    • String ID: %ls\%ls
    • API String ID: 3924016894-2125769799
    • Opcode ID: 17d21e705f12bf8eaf442c00fb4ef042c0bdcb4b8cd172f440cf493f9af5bfc6
    • Instruction ID: 88210b1adaad4163017eff89c7a04e4dc640db8510081224543f9051dcb0cf4d
    • Opcode Fuzzy Hash: 17d21e705f12bf8eaf442c00fb4ef042c0bdcb4b8cd172f440cf493f9af5bfc6
    • Instruction Fuzzy Hash: 6B31F872C0162EBBCF129FD8DD818EFBBB9FB04350F41416ABA01B6121D7718E11AB90
    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: _memcpy_s
    • String ID: crypt32.dll$wininet.dll
    • API String ID: 2001391462-82500532
    • Opcode ID: 20d9f25f4ff598d2956f110480d47adb0513f97da9c1314b068fe09bcabe11f2
    • Instruction ID: 1621fd89095b97a117aa262cf2b73e0159d6f86da7661ea57f36bf2e0bcdff0f
    • Opcode Fuzzy Hash: 20d9f25f4ff598d2956f110480d47adb0513f97da9c1314b068fe09bcabe11f2
    • Instruction Fuzzy Hash: CE118E71600219AFCF08DE2ACDC59ABBF6DEF84290B14812AFD094B311D230EA508BE0
    APIs
    • RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,009FF1C2,00000000,?,00020006), ref: 00A313C5
    • RegDeleteValueW.ADVAPI32(00020006,00020006,00000000,?,?,009FF1C2,00000000,?,00020006,?,00020006,00020006,00000000,?,?,?), ref: 00A313F5
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Value$Delete
    • String ID: regutil.cpp
    • API String ID: 1738766685-955085611
    • Opcode ID: 02639d376b8355d57c6770d15f6e7c48b5fa7a5424580e326a0ac3a04b5e37d0
    • Instruction ID: 0c7450af3f3badaa6d28ee679a7ab8a1116e2528282a0afb9ebbc4b5dfb81cd3
    • Opcode Fuzzy Hash: 02639d376b8355d57c6770d15f6e7c48b5fa7a5424580e326a0ac3a04b5e37d0
    • Instruction Fuzzy Hash: D311C672E10339BBEF219EA59D04BAAB6A9EF04791F014221FD00EA0A0E771CD1196E0
    APIs
    • CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,00A1744B,00000000,IGNOREDEPENDENCIES,00000000,?,00A3B508), ref: 009FDCF6
    Strings
    • IGNOREDEPENDENCIES, xrefs: 009FDCAD
    • Failed to copy the property value., xrefs: 009FDD2A
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CompareString
    • String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
    • API String ID: 1825529933-1412343224
    • Opcode ID: 2eadf2302754b4df9ba30186fde27b058fae141e1e1ea0994538ec629a1bddf7
    • Instruction ID: 5510d4ee8574c604400b7d50c0c316b02339d00606961bbe1afe768ce17161e5
    • Opcode Fuzzy Hash: 2eadf2302754b4df9ba30186fde27b058fae141e1e1ea0994538ec629a1bddf7
    • Instruction Fuzzy Hash: 2511A332206219AFDB104F44CC84F7977AAEF55724F264675FB189B2D1C7709850D790
    APIs
    • Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,00A08C90,?,00000001,20000004,00000000,00000000,?,00000000), ref: 00A35527
    • SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00A08C90,?), ref: 00A35542
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: InfoNamedSecuritySleep
    • String ID: aclutil.cpp
    • API String ID: 2352087905-2159165307
    • Opcode ID: 1da89e69338d70e1878e4aaef96d0da938396fd5d9ba6c27822544872ccbcda5
    • Instruction ID: 5ca4bcc7ffb0288b093ee680f81a87c41c65001c18023cde7ac36048123e2cc4
    • Opcode Fuzzy Hash: 1da89e69338d70e1878e4aaef96d0da938396fd5d9ba6c27822544872ccbcda5
    • Instruction Fuzzy Hash: E7015273D00528BBDF129FA9CD05EDEBE76EF88760F020115BE05A6110D6319E61D7A0
    APIs
    • CoInitializeEx.OLE32(00000000,00000000), ref: 00A055D9
    • CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 00A05633
    Strings
    • Failed to initialize COM on cache thread., xrefs: 00A055E5
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: InitializeUninitialize
    • String ID: Failed to initialize COM on cache thread.
    • API String ID: 3442037557-3629645316
    • Opcode ID: 7ff2c0928f89276d73d8d71ed747e7aedef21459677e92d0fa9c5669d283b600
    • Instruction ID: c79fc18c4e0c62312d71b72e5ad0d107ebb96fd464abb90b57dfcbca5bbc6484
    • Opcode Fuzzy Hash: 7ff2c0928f89276d73d8d71ed747e7aedef21459677e92d0fa9c5669d283b600
    • Instruction Fuzzy Hash: E7011B72600619BFCB059BA9EC84DDAF7ADFF08354B508126FA09D7121DB31AD548BA0
    APIs
    • LCMapStringW.KERNEL32(0000007F,00000000,00000000,00A06EF3,00000000,00A06EF3,00000000,00000000,00A06EF3,00000000,00000000,00000000,?,009F2326,00000000,00000000), ref: 009F15A3
    • GetLastError.KERNEL32(?,009F2326,00000000,00000000,00A06EF3,00000200,?,00A3516B,00000000,00A06EF3,00000000,00A06EF3,00000000,00000000,00000000), ref: 009F15AD
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorLastString
    • String ID: strutil.cpp
    • API String ID: 3728238275-3612885251
    • Opcode ID: 803bc95b1d1a90e372505b2d4e3cb93af84d0112d11066997caca254c7484ca9
    • Instruction ID: f1443ba65515fd6784ae2ba83d01ee663395e2b12492d542d7690f3e8d72009c
    • Opcode Fuzzy Hash: 803bc95b1d1a90e372505b2d4e3cb93af84d0112d11066997caca254c7484ca9
    • Instruction Fuzzy Hash: 1A01713365462DBB9B219E968C44F677AAEEF8A760B010225FF15EB150DB21DC1087F1
    APIs
    • SysAllocString.OLEAUT32(00000000), ref: 00A338D0
    • SysFreeString.OLEAUT32(00000000), ref: 00A33903
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: String$AllocFree
    • String ID: xmlutil.cpp
    • API String ID: 344208780-1270936966
    • Opcode ID: 9adbd04d406d7de46c9064dbfcdf4e07ad788cda1e68a04e6f0fa0929401dcb2
    • Instruction ID: 8b5660618ffb9d0b30931b459e0b3b38001bf98e98be6e2f6ce5e3779f19790b
    • Opcode Fuzzy Hash: 9adbd04d406d7de46c9064dbfcdf4e07ad788cda1e68a04e6f0fa0929401dcb2
    • Instruction Fuzzy Hash: B101AD76A44219FBEF205A949C08F7B76E8EF857A1F104025FE05AB240C7B8CE0497A1
    APIs
    • SysAllocString.OLEAUT32(00000000), ref: 00A33849
    • SysFreeString.OLEAUT32(00000000), ref: 00A3387C
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: String$AllocFree
    • String ID: xmlutil.cpp
    • API String ID: 344208780-1270936966
    • Opcode ID: ae56d55a2ce9cfa6c85eb21a064f84773c3f57b9dde6f32ff789ce5325de8aaf
    • Instruction ID: ec75558e9a5aeb4823c8ab9d869b162f9060278c17395845af94e49d5c4e79fb
    • Opcode Fuzzy Hash: ae56d55a2ce9cfa6c85eb21a064f84773c3f57b9dde6f32ff789ce5325de8aaf
    • Instruction Fuzzy Hash: 8A01A276644219ABDF215A559C04FBB32A8EF85761F508439FF05AB640C7B8CE0197A1
    APIs
      • Part of subcall function 00A30E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00A35699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00A30E52
    • RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00A3396A,?), ref: 00A33B3A
    Strings
    • EnableLUA, xrefs: 00A33B0C
    • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00A33AE4
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseOpen
    • String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    • API String ID: 47109696-3551287084
    • Opcode ID: ad99ea86d65c9e1c97ac203a44cefd403a8e3fcce4b15658698089a917cd4a83
    • Instruction ID: 3ad39a758b0dd0bbab8d13fc187545da9f6a3b01cf54ccd06c3a6a9b531fae22
    • Opcode Fuzzy Hash: ad99ea86d65c9e1c97ac203a44cefd403a8e3fcce4b15658698089a917cd4a83
    • Instruction Fuzzy Hash: E2017833915238FBDB10AAA4C90ABEEFAACEB04721F2041A9B900A3110E3745E50D694
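    The entries above are the report's per-function inventory: each function's own API calls (lines marked "Part of subcall function" belong to a callee), the strings it references, and identifiers for matching it against other samples. The two numbers of the API String ID track the API ID and the String ID respectively (CloseOpen is 47109696 in every entry that has it, regutil.cpp is 955085611), the Opcode ID identifies this exact function body, and the Instruction Fuzzy Hash is meant for approximate matching. Three registry locations in this stretch matter for triage: Session Manager\PendingFileRenameOperations (file moves and deletes deferred to the next boot), Policies\System\EnableLUA (whether UAC is enabled), and CurrentVersion\RunOnce written with a Resume value (run again after a reboot). The source-file strings (regutil.cpp, aclutil.cpp, strutil.cpp, xmlutil.cpp, atomutil.cpp) and messages such as "Failed to get value of variable: %ls" are what the WiX Burn bootstrapper engine logs, which fits the vc_redist snapshot name; that is an inference from the strings, not a finding the report makes. The following Python script is an added example, not part of Joe Sandbox or of this report: it parses entries in this format into records, flags the watch-listed registry paths, and groups functions that share an ID. Its sample input is two entries copied from this report; the WATCHLIST and its reasons are the example's own.

```python
"""Parse the per-function entries of a Joe Sandbox report (the "APIs / Strings /
Similarity" blocks above), flag registry locations worth a second look, and group
functions that share an ID. Added example, not Joe Sandbox code."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: two entries copied verbatim from this report, minus their
# Memory Dump Source lines, which the parser does not read.
SAMPLE = r"""
APIs
• RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 00A347C2
Strings
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
• API String ID: 47109696-3023217399
• Opcode ID: 8e5e4530f0270a92a2bb415125bb49fa9cd6058870d6ed955216bcc8d883bd77
• Instruction Fuzzy Hash: D241A675E00219EFCF20DF94C981AADBBB5FF4A750F2144A9F500A7211D731AE51DB50
APIs
• Part of subcall function 00A30E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00A35699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00A30E52
• RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00A3396A,?), ref: 00A33B3A
Strings
• EnableLUA, xrefs: 00A33B0C
• SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00A33AE4
Similarity
• API ID: CloseOpen
• String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
• API String ID: 47109696-3551287084
• Opcode ID: ad99ea86d65c9e1c97ac203a44cefd403a8e3fcce4b15658698089a917cd4a83
• Instruction Fuzzy Hash: E2017833915238FBDB10AAA4C90ABEEFAACEB04721F2041A9B900A3110E3745E50D694
"""

# Registry locations worth a look when a sample's functions touch them. The
# reasons are general Windows knowledge, not findings of this report.
WATCHLIST = {
    r"SYSTEM\CurrentControlSet\Control\Session Manager":
        "PendingFileRenameOperations: file moves/deletes deferred to next boot",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System":
        "EnableLUA: reads whether UAC is enabled",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce":
        "RunOnce: code scheduled to run again after reboot",
}
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
FIELDS = {"API ID": "api_id", "API String ID": "api_string_id",
          "Opcode ID": "opcode_id", "Instruction Fuzzy Hash": "fuzzy_hash"}
# A call line is "• Func.MODULE(args), ref: ADDR" or "• Func.MODULE ref: ADDR";
# "Part of subcall function ..." lines belong to a callee and do not match.
API_RE = re.compile(r"^•\s+(\w+)\.(\w+)(\(.*\))?,?\s*ref:\s*([0-9A-F]{8})$")
FIELD_RE = re.compile(r"^•\s+(API ID|String ID|API String ID|Opcode ID|Instruction Fuzzy Hash):\s*(.*)$")

@dataclass
class Entry:
    apis: list = field(default_factory=list)     # (function, module, "(args)", ref address)
    strings: list = field(default_factory=list)  # the "String ID" line, split on "$"
    api_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    fuzzy_hash: str = ""

def parse_entries(text):
    """One Entry per "APIs" block; section headers switch what the lines mean."""
    entries, cur, section = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "APIs":
            cur = Entry()
            entries.append(cur)
        if line in SECTIONS:
            section = line
        elif cur is not None and section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append((m.group(1), m.group(2), m.group(3) or "", m.group(4)))
        elif cur is not None and section == "Similarity" and (m := FIELD_RE.match(line)):
            key, val = m.groups()
            if key == "String ID":
                # Joe Sandbox joins strings with "$"; a string containing "$" would split.
                cur.strings = [s for s in val.split("$") if s]
            else:
                setattr(cur, FIELDS[key], val)
    return entries

def flag_registry(entries):
    """(opcode_id, path, reason) for each entry whose strings or call arguments
    mention a watch-listed path; at most one hit per entry and path."""
    hits = []
    for e in entries:
        haystack = "\n".join(e.strings + [args for _, _, args, _ in e.apis]).lower()
        for path, reason in WATCHLIST.items():
            if path.lower() in haystack:
                hits.append((e.opcode_id, path, reason))
    return hits

def group_by(entries, attr):
    """Opcode IDs grouped by a Similarity field ("api_id" or "api_string_id"),
    singletons dropped: same API String ID, different Opcode ID means the same
    call-and-string pattern compiled into more than one function."""
    groups = defaultdict(list)
    for e in entries:
        groups[getattr(e, attr)].append(e.opcode_id)
    return {k: v for k, v in groups.items() if len(v) > 1}
```

    Run parse_entries over a saved copy of the function listing and pass the result to flag_registry and group_by. On the embedded sample it returns the Session Manager and Policies\System hits and one api_id group, CloseOpen, with two members. Grouping by api_string_id is the tighter match (same calls and same strings); on this page it pairs the two xmlutil.cpp SysAllocString/SysFreeString functions that share 344208780-1270936966 while differing in Opcode ID. The report does not document the Instruction Fuzzy Hash algorithm, so the script only carries that field through for a matcher that does.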
    APIs
    • SysFreeString.OLEAUT32(?), ref: 00A367B3
      • Part of subcall function 00A385CB: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00A386D8
      • Part of subcall function 00A385CB: GetLastError.KERNEL32 ref: 00A386E2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Time$ErrorFileFreeLastStringSystem
    • String ID: atomutil.cpp$clbcatq.dll
    • API String ID: 211557998-3749116663
    • Opcode ID: 9eb5033fd674f54e35985868858983e100a9517b8718c1d7024d3a7c4e005d03
    • Instruction ID: d7c71d0f4d0c5ac72ebc9d4e3fffd54bdfe23e8cfa46c9eb5d0d6c276c476865
    • Opcode Fuzzy Hash: 9eb5033fd674f54e35985868858983e100a9517b8718c1d7024d3a7c4e005d03
    • Instruction Fuzzy Hash: 7701A27290011AFFCB209F85D981CAAFBB8FB44765F90827AFA0467200D3315E10D7E0
    APIs
    • GetCurrentProcess.KERNEL32(?), ref: 009F642A
      • Part of subcall function 00A309BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,009F5D8F,00000000), ref: 00A309CF
      • Part of subcall function 00A309BB: GetProcAddress.KERNEL32(00000000), ref: 00A309D6
      • Part of subcall function 00A309BB: GetLastError.KERNEL32(?,?,?,009F5D8F,00000000), ref: 00A309ED
      • Part of subcall function 009F5BF0: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 009F5C77
    Strings
    • Failed to get 64-bit folder., xrefs: 009F644D
    • Failed to set variant value., xrefs: 009F6467
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
    • String ID: Failed to get 64-bit folder.$Failed to set variant value.
    • API String ID: 3109562764-2681622189
    • Opcode ID: 9f683bba01e4fe7b77d73ded38fc7b9c4691de67575bb16cf5a03c0aab3b24a9
    • Instruction ID: d209484b5e7fa571c7b2f01b8560ee977b01f22ed8ed8a354c1e094e22d6c834
    • Opcode Fuzzy Hash: 9f683bba01e4fe7b77d73ded38fc7b9c4691de67575bb16cf5a03c0aab3b24a9
    • Instruction Fuzzy Hash: 8E016D32D0132CBBCF11FBA4DD06ABEBA79EB00761F108256FA40B6162DA719E40D7D0
    APIs
    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,009F10DD,?,00000000), ref: 009F33F8
    • GetLastError.KERNEL32(?,?,?,009F10DD,?,00000000), ref: 009F340F
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLastModuleName
    • String ID: pathutil.cpp
    • API String ID: 2776309574-741606033
    • Opcode ID: db84ee24ca4b0f2def6aa32c58a9b369faa40d8194802c88a3c360d96df3d69d
    • Instruction ID: d9f2431c5e47c4389060054bfc2b75a893791af05ab5d1c89b40abc22f5e32a8
    • Opcode Fuzzy Hash: db84ee24ca4b0f2def6aa32c58a9b369faa40d8194802c88a3c360d96df3d69d
    • Instruction Fuzzy Hash: C3F0FC73B0023877D72196A65C44F67BA9DDB85760B028121FF05E7160C769CD0193F0
    APIs
      • Part of subcall function 00A30E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00A35699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00A30E52
    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000,?,?,00A1BB7C,00000101,?), ref: 00A005EF
    Strings
    • Failed to open registration key., xrefs: 00A005BF
    • Failed to update resume mode., xrefs: 00A005D9
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CloseOpen
    • String ID: Failed to open registration key.$Failed to update resume mode.
    • API String ID: 47109696-3366686031
    • Opcode ID: a9402d94d59115dad56582b80f75b68faba85f4fe88e320f3d2c82eb39af32d5
    • Instruction ID: ba9bfe3bf104e7f2add7cfb22e60ea8d5d2f11fa32267de5d7557f651651fe5f
    • Opcode Fuzzy Hash: a9402d94d59115dad56582b80f75b68faba85f4fe88e320f3d2c82eb39af32d5
    • Instruction Fuzzy Hash: 75F0FC32A4122CBBC7229A94ED02FEEB769EF00750F144155F600B6190DB71BF1097D0
    APIs
    • GetFileSizeEx.KERNEL32(00000000,00000000,00000000,771B34C0,?,?,?,009FB919,?,?,?,00000000,00000000), ref: 00A348E3
    • GetLastError.KERNEL32(?,?,?,009FB919,?,?,?,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 00A348ED
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: ErrorFileLastSize
    • String ID: fileutil.cpp
    • API String ID: 464720113-2967768451
    • Opcode ID: 5383a4c0d3f35609a914f61cfe8c4f11ce8145a6ae2ef1a210e60bf05b6c5ab4
    • Instruction ID: bdfccc20178cea2f7e39b8afd22d692cc0973fcfcd0a588444dfcdd7499735e9
    • Opcode Fuzzy Hash: 5383a4c0d3f35609a914f61cfe8c4f11ce8145a6ae2ef1a210e60bf05b6c5ab4
    • Instruction Fuzzy Hash: D7F04FB2A10229BBA7149F999C05AABFBEDEF49751B01421AFD05E7200D771AD11CBE0
    APIs
    • CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,009F535E,?,00000000,009F535E,?,?,?), ref: 00A33C7F
    • CoCreateInstance.OLE32(00000000,00000000,00000001,00A56F3C,?), ref: 00A33C97
    Strings
    • Microsoft.Update.AutoUpdate, xrefs: 00A33C7A
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: CreateFromInstanceProg
    • String ID: Microsoft.Update.AutoUpdate
    • API String ID: 2151042543-675569418
    • Opcode ID: e7296038d3fa9c9c40ef5aed1d0853aac96f23c601e3aa2603a09391c1fd2d0b
    • Instruction ID: 7e2796981b192ed87949a50064eb7504c83c6111d4db8aafd1e98472c33d016e
    • Opcode Fuzzy Hash: e7296038d3fa9c9c40ef5aed1d0853aac96f23c601e3aa2603a09391c1fd2d0b
    • Instruction Fuzzy Hash: E9F03071710218BBDB00DBE8DD059EBB7A8EB08711F500465FA01E7150D670AA0986A2
    APIs
    • SysAllocString.OLEAUT32(?), ref: 00A330D4
    • SysFreeString.OLEAUT32(00000000), ref: 00A33104
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: String$AllocFree
    • String ID: xmlutil.cpp
    • API String ID: 344208780-1270936966
    • Opcode ID: 508901f62e2982ced3d3991fbf28cbf88e55368dbd143757d8b8cdc54e67744d
    • Instruction ID: a09470c915bc82e8950fbde6fbb287e6397ba1deb57bc3301084b74b94db40f3
    • Opcode Fuzzy Hash: 508901f62e2982ced3d3991fbf28cbf88e55368dbd143757d8b8cdc54e67744d
    • Instruction Fuzzy Hash: C9F0E932644268E7CF219F449C09FABBBA5EF81B61F144229FD045B210C7758E10DBE0
    APIs
    • SysAllocString.OLEAUT32(?), ref: 00A33383
    • SysFreeString.OLEAUT32(00000000), ref: 00A333B3
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: String$AllocFree
    • String ID: xmlutil.cpp
    • API String ID: 344208780-1270936966
    • Opcode ID: 409469a13b161c27ac6adc20af487a537f418ebabafbbfe72a5597af688d9f24
    • Instruction ID: 4a468bde4b6f6045de3b28bc5a15d472b58251df6ea36501e4c7f8ce2d2c4a57
    • Opcode Fuzzy Hash: 409469a13b161c27ac6adc20af487a537f418ebabafbbfe72a5597af688d9f24
    • Instruction Fuzzy Hash: D6F0BE36244228A7CB225F49AC08FAB7BA9EB84761F108019FD049F220CB74CE00DAE0
    APIs
    • RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,009FF11A,00000005,Resume,?,?,?,00000002,00000000), ref: 00A31359
    Strings
    • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00A31347
    • regutil.cpp, xrefs: 00A31381
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: Value
    • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$regutil.cpp
    • API String ID: 3702945584-2416625845
    • Opcode ID: e7ce8ee02d3f453967e8ad684335585a34f51f993171f9937b22418022852f25
    • Instruction ID: dca7d6e312eeb69ab57f7914783bb008f2fe2df89c13f6ff2b082622823ed23e
    • Opcode Fuzzy Hash: e7ce8ee02d3f453967e8ad684335585a34f51f993171f9937b22418022852f25
    • Instruction Fuzzy Hash: 11E06D72B403397AE7206AA64C05F977A9CEB04AA1F414121BF08EA090D2718D0082E4
    APIs
    • GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00A30CF2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1364320486.00000000009F1000.00000020.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true
    • Associated: 00000003.00000002.1364303832.00000000009F0000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364353354.0000000000A3B000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364377845.0000000000A5A000.00000004.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1364394589.0000000000A5E000.00000002.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_9f0000_vc_redist.jbxd
    Similarity
    • API ID: AddressProc
    • String ID: AdvApi32.dll$RegDeleteKeyExW
    • API String ID: 190572456-850864035
    • Opcode ID: ea840ed6555eb564853e449c77d9274182409ac33986d0389156bccbb4a1dd7a
    • Instruction ID: 2eb3fb8fd6a89b6e5f7c8019a263bcbbcb33d241f4e0abab3aa02bc8d08d1820
    • Opcode Fuzzy Hash: ea840ed6555eb564853e449c77d9274182409ac33986d0389156bccbb4a1dd7a
    • Instruction Fuzzy Hash: 66E08CB0725B24ABCB08DFB8FC66A553AA1BB14B077404228F80193A71EB7058028BB0
    APIs
      • Part of subcall function 002C33D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,002C10DD,?,00000000), ref: 002C33F8
    • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 002C10F6
      • Part of subcall function 002C1174: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,002C111A,cabinet.dll,00000009,?,?,00000000), ref: 002C1185
      • Part of subcall function 002C1174: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,002C111A,cabinet.dll,00000009,?,?,00000000), ref: 002C1190
      • Part of subcall function 002C1174: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 002C119E
      • Part of subcall function 002C1174: GetLastError.KERNEL32(?,?,?,?,002C111A,cabinet.dll,00000009,?,?,00000000), ref: 002C11B9
      • Part of subcall function 002C1174: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 002C11C1
      • Part of subcall function 002C1174: GetLastError.KERNEL32(?,?,?,?,002C111A,cabinet.dll,00000009,?,?,00000000), ref: 002C11D6
    • CloseHandle.KERNEL32(?,?,?,?,0030B4C0,?,cabinet.dll,00000009,?,?,00000000), ref: 002C1131
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
    • String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
    • API String ID: 3687706282-3151496603
    • Opcode ID: 04072e55802720764aa5061c45606fcc73e7474b4e5db2efa3ecb5746a83a9ff
    • Instruction ID: 9865ff5da18dad789060ed8a0b229c372bbf4e56b45cdf7abad82abba5700d1f
    • Opcode Fuzzy Hash: 04072e55802720764aa5061c45606fcc73e7474b4e5db2efa3ecb5746a83a9ff
    • Instruction Fuzzy Hash: 40216271911218ABDB119FA6CC46FEEFBB8AF05310F544219E914B72D2D7B09624CBA0
    APIs
    • GetCurrentProcess.KERNEL32(00000000,?,002F47E8,00000000,00327CF8,0000000C,002F493F,00000000,00000002,00000000), ref: 002F4833
    • TerminateProcess.KERNEL32(00000000,?,002F47E8,00000000,00327CF8,0000000C,002F493F,00000000,00000002,00000000), ref: 002F483A
    • ExitProcess.KERNEL32 ref: 002F484C
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: d2ed935f4d6749e5f946b3279873ac73325566c35d5f9c55585961ddb71c622b
    • Instruction ID: 869d65d65b793bc5522aaf692913f696c2baf0eee4bc5f646493a812228af902
    • Opcode Fuzzy Hash: d2ed935f4d6749e5f946b3279873ac73325566c35d5f9c55585961ddb71c622b
    • Instruction Fuzzy Hash: 14E0123101168CABCF026F10DD29A6ABB2DEB003C1F440425FA048A132CB75E862CA80

    Control-flow Graph

    control_flow_graph: rendered basic-block graph for the function starting at 2cf86e (blocks 2cf86e through 2cfdd0); the only Windows API referenced inside the graph is CompareStringW (three call sites, 2cfb97, 2cfbbe and 2cfbe1). Graph image not preserved.
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID:
    • String ID: =S,$AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$clbcatq.dll$msasn1.dll$registration.cpp$yes
    • API String ID: 0-2957427405
    • Opcode ID: 0353c420e81616dc3d8933b89055683c93de99f21076fd4bdb95aa93bb2e93b8
    • Instruction ID: d9dba0c25f32f4c02f829d2b2e851fc23e01fe5b0031a08584a742100b081674
    • Opcode Fuzzy Hash: 0353c420e81616dc3d8933b89055683c93de99f21076fd4bdb95aa93bb2e93b8
    • Instruction Fuzzy Hash: 2BE1FD32E607667BDB5BAA60CE42FFDBA656B08710F11037DFD11B7190D7A05EA09780

    Control-flow Graph

    control_flow_graph: rendered basic-block graph for the function starting at 2cb389 (blocks 2cb389 through 2cbb06); Windows APIs referenced inside the graph are SetFilePointerEx, ReadFile and GetLastError, each on several blocks. Graph image not preserved.
    APIs
    • GetLastError.KERNEL32(?,?,?,00000000,7774C3F0,00000000), ref: 002CB3FF
    • SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 002CB44C
    • GetLastError.KERNEL32(?,?,?,00000000,7774C3F0,00000000), ref: 002CB452
    • ReadFile.KERNELBASE(00000000,\C,H,00000040,?,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 002CB49A
    • GetLastError.KERNEL32(?,?,?,00000000,7774C3F0,00000000), ref: 002CB4A0
    • SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 002CB4FD
    • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 002CB503
    • ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 002CB54C
    • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 002CB552
    • SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 002CB5C3
    • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7774C3F0,00000000), ref: 002CB5C9
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: ErrorLast$File$Pointer$Read
    • String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$\C,H$burn$section.cpp
    • API String ID: 2600052162-714490807
    • Opcode ID: 4af2971746dfcd2917f22278c67cf5f29d1afe9bb5246a71341db999187c2f0f
    • Instruction ID: f2d3ff67e7abb199230adf29ddabac11ed427795e0944e50034c6c60b5b5e82e
    • Opcode Fuzzy Hash: 4af2971746dfcd2917f22278c67cf5f29d1afe9bb5246a71341db999187c2f0f
    • Instruction Fuzzy Hash: F512CF71A51325AFEB229B64CC56FABB6A8EF04700F014269FD09EB6C1D7718D50CFA1

    Control-flow Graph

    control_flow_graph: rendered basic-block graph for the function starting at 2e0a77 (blocks 2e0a77 through 2e0e40); Windows APIs referenced inside the graph are SetEvent, WaitForSingleObject, ResetEvent, GetLastError, CreateFileW, SetFilePointerEx and SetEndOfFile. Graph image not preserved.
    APIs
    • SetEvent.KERNEL32(?,?,?,?,00000000,00000000,?,002E0621,?,?), ref: 002E0A85
    • GetLastError.KERNEL32(?,?,?,00000000,00000000,?,002E0621,?,?), ref: 002E0A92
    • WaitForSingleObject.KERNEL32(?,?,?,?,?,00000000,00000000,?,002E0621,?,?), ref: 002E0ACE
    • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,002E0621,?,?), ref: 002E0AD8
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: ErrorLast$EventObjectSingleWait
    • String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
    • API String ID: 3600396749-2104912459
    • Opcode ID: 1abf5f24c0c36d16193bb3295aa0b4aa19946fa75ef648602cf0505b574b0282
    • Instruction ID: bf9d818e36e2a404696eb81ee570dafbcfe783550efa07defeb21098dfce0382
    • Opcode Fuzzy Hash: 1abf5f24c0c36d16193bb3295aa0b4aa19946fa75ef648602cf0505b574b0282
    • Instruction Fuzzy Hash: 07915A72BA1722BBE7225B7A8D89FA775D8FF08750F014225FD05EA5D0D3A0CCA186D1

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 002C510F
      • Part of subcall function 003003F0: InitializeCriticalSection.KERNEL32(0032B60C,?,002C511B,00000000,?,?,?,?,?,?), ref: 00300407
      • Part of subcall function 002C1209: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,002C5137,00000000,?), ref: 002C1247
      • Part of subcall function 002C1209: GetLastError.KERNEL32(?,?,?,002C5137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 002C1251
    • CoInitializeEx.OLE32(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 002C517D
      • Part of subcall function 00300CD1: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00300CF2
    • GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 002C520F
    • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 002C5219
    • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 002C549B
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
    • String ID: 3.10.4.4718$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$Setup$_Failed$engine.cpp$txt
    • API String ID: 3262001429-867073019
    • Opcode ID: 3daaa093cb7f3d9287d5c9b25cd50f61cffc71cc2f408dd6bfd39f0ecb6b458d
    • Instruction ID: ccfc6084551605cf1d92f5ec42bc67e96e7c9f39e9c563d951c8eea99ec8449f
    • Opcode Fuzzy Hash: 3daaa093cb7f3d9287d5c9b25cd50f61cffc71cc2f408dd6bfd39f0ecb6b458d
    • Instruction Fuzzy Hash: A6B1AB71D61A799BDB32AF54CC55FEEB6A4AF04300F0402D9F909A6281D770EEE08F91

    Control-flow Graph

    APIs
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 002CA356
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 002CA37C
    • RegCloseKey.KERNELBASE(00000000,?,00000000,?,?,?,?,?), ref: 002CA666
    Strings
    • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 002CA418
    • Failed to query registry key value size., xrefs: 002CA454
    • Failed to open registry key., xrefs: 002CA3E9
    • Failed to allocate memory registry value., xrefs: 002CA487
    • Registry key not found. Key = '%ls', xrefs: 002CA3B0
    • Failed to allocate string buffer., xrefs: 002CA565
    • Unsupported registry key value type. Type = '%u', xrefs: 002CA506
    • Failed to format key string., xrefs: 002CA361
    • Failed to query registry key value., xrefs: 002CA4D8
    • Failed to get expand environment string., xrefs: 002CA5DB
    • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 002CA63E
    • Failed to read registry value., xrefs: 002CA5F4
    • Failed to format value string., xrefs: 002CA387
    • Failed to clear variable., xrefs: 002CA3D4
    • search.cpp, xrefs: 002CA44A, 002CA47D, 002CA4CE, 002CA5D1
    • Failed to change value type., xrefs: 002CA60D
    • Failed to set variable., xrefs: 002CA629
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: Open@16$Close
    • String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
    • API String ID: 2348241696-3124384294
    • Opcode ID: 4a5e4b8551326272ec9c60405b67c940e6d9b518e270a9276978d769900885d6
    • Instruction ID: 1672ee78d2a1d3ff29ebd7725a1f7f749af04b124e8f53e7761243d61b8320d4
    • Opcode Fuzzy Hash: 4a5e4b8551326272ec9c60405b67c940e6d9b518e270a9276978d769900885d6
    • Instruction Fuzzy Hash: A1A12B72E6121DBBDF129AA4CC51FEEBAB9EF04314F148729F904B6190D7718D20DB92

    Control-flow Graph

    APIs
    • EnterCriticalSection.KERNEL32(000002C0,00000100,00000100,00000000,00000000,?,002C99BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 002C56A2
    • lstrlenW.KERNEL32(00000000,?,002C99BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 002C56AC
    • _wcschr.LIBVCRUNTIME ref: 002C58B4
    • LeaveCriticalSection.KERNEL32(000002C0,00000000,00000000,00000000,00000000,00000000,00000001,?,002C99BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0), ref: 002C5B56
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave_wcschrlstrlen
    • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
    • API String ID: 1026845265-2050445661
    • Opcode ID: 1eb05e41a6c3515c5102f85f81d7993dfece16a0eb891029a650fac7e611d757
    • Instruction ID: a604644c552dd63073ee2a07f30499fe8a389a0f03cfa658d6c7ce6b81fba02b
    • Opcode Fuzzy Hash: 1eb05e41a6c3515c5102f85f81d7993dfece16a0eb891029a650fac7e611d757
    • Instruction Fuzzy Hash: D1F1B371921629EBDB11DFA48C41FAFBBA8EF04750F10422DFD05A7280D774EEA18B91

    Control-flow Graph

    Strings
    • WixBundleOriginalSource, xrefs: 002D7547
    • Failed to open manifest stream., xrefs: 002D73B8
    • Failed to initialize internal cache functionality., xrefs: 002D758D
    • Failed to load manifest., xrefs: 002D73F5
    • Failed to set original source variable., xrefs: 002D7558
    • Failed to open attached UX container., xrefs: 002D739B
    • Failed to get source process folder from path., xrefs: 002D7513
    • Failed to overwrite the %ls built-in variable., xrefs: 002D74C9
    • Failed to parse command line., xrefs: 002D7474
    • WixBundleSourceProcessPath, xrefs: 002D74E6
    • Failed to set source process folder variable., xrefs: 002D7533
    • Failed to load catalog files., xrefs: 002D75FD
    • Failed to get unique temporary folder for bootstrapper application., xrefs: 002D75BC
    • Failed to set source process path variable., xrefs: 002D74F7
    • Failed to get manifest stream from container., xrefs: 002D73D9
    • WixBundleSourceProcessFolder, xrefs: 002D7522
    • Failed to initialize variables., xrefs: 002D737E
    • WixBundleElevated, xrefs: 002D74B3, 002D74C4
    • Failed to extract bootstrapper application payloads., xrefs: 002D75DD
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: CriticalInitializeSection
    • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath
    • API String ID: 32694325-252221001
    • Opcode ID: cbc4916f2b2117e838236f0e9c434c8bfadefa0552ade4ba71a8f263fe9fe177
    • Instruction ID: ea8e04d490aa7f56cd6d62c743cb3f999ba5b5317d938b5ea3218eb278b149c5
    • Opcode Fuzzy Hash: cbc4916f2b2117e838236f0e9c434c8bfadefa0552ade4ba71a8f263fe9fe177
    • Instruction Fuzzy Hash: 39919372964A1ABADB179AA4CC51FEEB76CBF04300F504267F905A6240F774ED648BD0

    Control-flow Graph

    APIs
    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,002C5381), ref: 002D8104
      • Part of subcall function 0030076C: OpenProcessToken.ADVAPI32(?,00000008,?,002C52B5,00000000,?,?,?,?,?,?,?,002D74AB,00000000), ref: 0030078A
      • Part of subcall function 0030076C: GetLastError.KERNEL32(?,?,?,?,?,?,?,002D74AB,00000000), ref: 00300794
      • Part of subcall function 0030076C: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,002D74AB,00000000), ref: 0030081D
    • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 002D812A
    • GetLastError.KERNEL32 ref: 002D8134
    • GetTempPathW.KERNEL32(00000104,?,00000000), ref: 002D81B1
    • GetLastError.KERNEL32 ref: 002D81BB
    Strings
    • cache.cpp, xrefs: 002D8158, 002D81DF, 002D8230
    • Failed to append bundle id on to temp path for working folder., xrefs: 002D8264
    • Failed to convert working folder guid into string., xrefs: 002D823A
    • %ls%ls\, xrefs: 002D824C
    • Temp\, xrefs: 002D8189
    • Failed to get temp path for working folder., xrefs: 002D81E9
    • Failed to ensure windows path for working folder ended in backslash., xrefs: 002D817F
    • Failed to copy working folder path., xrefs: 002D827F
    • Failed to create working folder guid., xrefs: 002D8207
    • Failed to concat Temp directory on windows path for working folder., xrefs: 002D81A1
    • Failed to get windows path for working folder., xrefs: 002D8162
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: ErrorLast$Process$ChangeCloseCurrentDirectoryFindNotificationOpenPathTempTokenWindows
    • String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
    • API String ID: 58964441-819636856
    • Opcode ID: d4fab775d6f36da3dbe2aef2c1c98feecb16e7beac7485b4a21e47d33d221db7
    • Instruction ID: a3450c9165ffa7ab12eefda24926eb00b0c7c3614eaa15736fd4cf8c90c847d2
    • Opcode Fuzzy Hash: d4fab775d6f36da3dbe2aef2c1c98feecb16e7beac7485b4a21e47d33d221db7
    • Instruction Fuzzy Hash: 9B412A72B51724B7EB2296E49C4AFEB73BC9B08710F004156FD05E7280EA74CD548AE1
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: lstrlen
    • String ID: Failed to convert version: %ls to DWORD64 for ProductCode: %ls$Failed to copy the installed ProductCode to the package.$Failed to enum related products.$Failed to get product information for ProductCode: %ls$Failed to get version for product in machine context: %ls$Failed to get version for product in user unmanaged context: %ls$Failed to query feature state.$Invalid state value.$Language$UX aborted detect compatible MSI package.$UX aborted detect related MSI package.$UX aborted detect.$VersionString$msasn1.dll$msiengine.cpp
    • API String ID: 1659193697-2574767977
    • Opcode ID: 6ee81d597cc87cb2061b7359fd86e0f0fb21b04ca493dcd8ec0ae46d58c94155
    • Instruction ID: 19fd2517859ddd9d102aceb0baed8369fc798fbf8103faed0ec64c4a818323ff
    • Opcode Fuzzy Hash: 6ee81d597cc87cb2061b7359fd86e0f0fb21b04ca493dcd8ec0ae46d58c94155
    • Instruction Fuzzy Hash: CB22B071AA0255AFDB25DFA5CC89FADB7B9FF04301F504229E509AB151C730AEA0CF90

    Control-flow Graph

    APIs
    • InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,002C515E,?,?,00000000,?,?), ref: 002C41FE
    • InitializeCriticalSection.KERNEL32(000000D0,?,?,002C515E,?,?,00000000,?,?), ref: 002C4207
    • lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,002C515E,?,?,00000000,?,?), ref: 002C424D
    • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,002C515E,?,?,00000000,?,?), ref: 002C4257
    • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,002C515E,?,?,00000000,?,?), ref: 002C426B
    • lstrlenW.KERNEL32(burn.filehandle.attached,?,?,002C515E,?,?,00000000,?,?), ref: 002C427B
    • lstrlenW.KERNEL32(burn.filehandle.self,?,?,002C515E,?,?,00000000,?,?), ref: 002C42CB
    • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,002C515E,?,?,00000000,?,?), ref: 002C42D5
    • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,002C515E,?,?,00000000,?,?), ref: 002C42E9
    • lstrlenW.KERNEL32(burn.filehandle.self,?,?,002C515E,?,?,00000000,?,?), ref: 002C42F9
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: lstrlen$CompareCriticalInitializeSectionString
    • String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
    • API String ID: 3039292287-3209860532
    • Opcode ID: 5c900bba46daa7d1d244238d62fe8024ce48a82eecbabd6d074e2f0aa206d682
    • Instruction ID: e76002622dd48e5742fe699475c805f3f686f7d320c21b705535d3ed314e14aa
    • Opcode Fuzzy Hash: 5c900bba46daa7d1d244238d62fe8024ce48a82eecbabd6d074e2f0aa206d682
    • Instruction Fuzzy Hash: AC512771A10256BFC725AF64CC66F9BB76CFF00760F10425AF618D7290DB70A960CBA4

    Control-flow Graph

    control_flow_graph 1426 2de563-2de5a0 1427 2de5c2-2de5e3 RegisterClassW 1426->1427 1428 2de5a2-2de5b6 TlsSetValue 1426->1428 1429 2de61d-2de654 CreateWindowExW 1427->1429 1430 2de5e5-2de618 GetLastError call 2c37d3 1427->1430 1428->1427 1431 2de5b8-2de5bd 1428->1431 1434 2de68b-2de69f SetEvent 1429->1434 1435 2de656-2de689 GetLastError call 2c37d3 1429->1435 1439 2de6e4-2de6eb call 30012f 1430->1439 1432 2de6ec-2de702 UnregisterClassW 1431->1432 1438 2de6cb-2de6d6 KiUserCallbackDispatcher 1434->1438 1435->1439 1441 2de6d8 1438->1441 1442 2de6a1-2de6a4 1438->1442 1439->1432 1441->1432 1444 2de6da-2de6df 1442->1444 1445 2de6a6-2de6b5 IsDialogMessageW 1442->1445 1444->1439 1445->1438 1447 2de6b7-2de6c5 TranslateMessage DispatchMessageW 1445->1447 1447->1438
    APIs
    • TlsSetValue.KERNEL32(?,?), ref: 002DE5AE
    • RegisterClassW.USER32(?), ref: 002DE5DA
    • GetLastError.KERNEL32 ref: 002DE5E5
    • CreateWindowExW.USER32(00000080,00319CC4,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 002DE64C
    • GetLastError.KERNEL32 ref: 002DE656
    • UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 002DE6F4
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
    • String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
    • API String ID: 213125376-288575659
    • Opcode ID: d56970e5a1c619db5a17a6dbca288d6776a84709d585616ab7667defeb513a52
    • Instruction ID: 47a50546051e51715241aae1659f83baf317315793b8f808a9916fcc64cf761a
    • Opcode Fuzzy Hash: d56970e5a1c619db5a17a6dbca288d6776a84709d585616ab7667defeb513a52
    • Instruction Fuzzy Hash: 08419076A11215ABDF15AFA49C44BDABEECEF08750F218127F909EA290D730DD50CBE1

    Control-flow Graph

    control_flow_graph 1448 2cc129-2cc15b 1449 2cc15d-2cc17b CreateFileW 1448->1449 1450 2cc1c5-2cc1e1 GetCurrentProcess * 2 DuplicateHandle 1448->1450 1451 2cc21d-2cc223 1449->1451 1452 2cc181-2cc1b2 GetLastError call 2c37d3 1449->1452 1453 2cc21b 1450->1453 1454 2cc1e3-2cc219 GetLastError call 2c37d3 1450->1454 1457 2cc22d 1451->1457 1458 2cc225-2cc22b 1451->1458 1464 2cc1b7-2cc1c0 call 30012f 1452->1464 1453->1451 1454->1464 1459 2cc22f-2cc23d SetFilePointerEx 1457->1459 1458->1459 1462 2cc23f-2cc272 GetLastError call 2c37d3 1459->1462 1463 2cc274-2cc27a 1459->1463 1472 2cc290-2cc297 call 30012f 1462->1472 1466 2cc27c-2cc280 call 2e1484 1463->1466 1467 2cc298-2cc29e 1463->1467 1464->1467 1473 2cc285-2cc289 1466->1473 1472->1467 1473->1467 1474 2cc28b 1473->1474 1474->1472
    APIs
    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,002CC319,002C52FD,?,?,002C533D), ref: 002CC170
    • GetLastError.KERNEL32(?,002CC319,002C52FD,?,?,002C533D,002C533D,00000000,?,00000000), ref: 002CC181
    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,002CC319,002C52FD,?,?,002C533D,002C533D,00000000,?), ref: 002CC1D0
    • GetCurrentProcess.KERNEL32(000000FF,00000000,?,002CC319,002C52FD,?,?,002C533D,002C533D,00000000,?,00000000), ref: 002CC1D6
    • DuplicateHandle.KERNELBASE(00000000,?,002CC319,002C52FD,?,?,002C533D,002C533D,00000000,?,00000000), ref: 002CC1D9
    • GetLastError.KERNEL32(?,002CC319,002C52FD,?,?,002C533D,002C533D,00000000,?,00000000), ref: 002CC1E3
    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,002CC319,002C52FD,?,?,002C533D,002C533D,00000000,?,00000000), ref: 002CC235
    • GetLastError.KERNEL32(?,002CC319,002C52FD,?,?,002C533D,002C533D,00000000,?,00000000), ref: 002CC23F
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
    • String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
    • API String ID: 2619879409-373955632
    • Opcode ID: 8c09cc9a0cc0519d7c93e86ebeb93020ef8ac0ad52b3935fabc2fcf214cc22d0
    • Instruction ID: f784bd9df2233b9e4773002fad1f8a9e43dfb647f0bd7800a1ad56f87c341aef
    • Opcode Fuzzy Hash: 8c09cc9a0cc0519d7c93e86ebeb93020ef8ac0ad52b3935fabc2fcf214cc22d0
    • Instruction Fuzzy Hash: E041F332250301AFEB259F6ADC44F577BE9EB85760F218229FD18DB291DB71C821CB61

    Control-flow Graph

    control_flow_graph 1477 3029b3-3029d3 call 2c37ea 1480 302af2-302af6 1477->1480 1481 3029d9-3029e7 call 304932 1477->1481 1483 302b00-302b06 1480->1483 1484 302af8-302afb call 3054ef 1480->1484 1485 3029ec-302af1 GetProcAddress * 7 1481->1485 1484->1483 1485->1480
    APIs
      • Part of subcall function 002C37EA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 002C3829
      • Part of subcall function 002C37EA: GetLastError.KERNEL32 ref: 002C3833
      • Part of subcall function 00304932: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 0030495A
    • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 003029FD
    • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00302A20
    • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00302A43
    • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00302A66
    • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00302A89
    • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00302AAC
    • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00302ACF
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: AddressProc$ErrorLast$DirectorySystem
    • String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
    • API String ID: 2510051996-1735120554
    • Opcode ID: 2daeeabbd9beb68999d977ee627fa88fbb9853582e5e45691b3d8137ef6330b1
    • Instruction ID: 4ee40d49ce1603f3ef9fff636070e4c599292b7400eb3a7d0e11674a6e47827f
    • Opcode Fuzzy Hash: 2daeeabbd9beb68999d977ee627fa88fbb9853582e5e45691b3d8137ef6330b1
    • Instruction Fuzzy Hash: AE31E9B0741218EFDB2BDF25FC66A69FBADFB44700F41452EE405922A0D7B1A916DF40
    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,002CC285,?,00000000,?,002CC319), ref: 002E14BB
    • GetLastError.KERNEL32(?,002CC285,?,00000000,?,002CC319,002C52FD,?,?,002C533D,002C533D,00000000,?,00000000), ref: 002E14C4
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: CreateErrorEventLast
    • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
    • API String ID: 545576003-938279966
    • Opcode ID: 860315edfe942a6dc895820f2131dbc71e8947fda9abb2a69af5b1accaf31914
    • Instruction ID: 8beb0c86989b9763ee6066d3da007edb951a8c5fc62c8e8ec4eb38ff357c3f3d
    • Opcode Fuzzy Hash: 860315edfe942a6dc895820f2131dbc71e8947fda9abb2a69af5b1accaf31914
    • Instruction Fuzzy Hash: 982129B2A91B357AF322667A4C41FA765DCEB487A0F414236FC05E75C0D760CD2049E1
    APIs
    • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 002E0657
    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 002E066F
    • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 002E0674
    • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 002E0677
    • GetLastError.KERNEL32(?,?), ref: 002E0681
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 002E06F0
    • GetLastError.KERNEL32(?,?), ref: 002E06FD
    Strings
    • Failed to add virtual file pointer for cab container., xrefs: 002E06D6
    • <the>.cab, xrefs: 002E0650
    • Failed to duplicate handle to cab container., xrefs: 002E06AF
    • Failed to open cabinet file: %hs, xrefs: 002E072E
    • cabextract.cpp, xrefs: 002E06A5, 002E0721
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
    • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
    • API String ID: 3030546534-3446344238
    • Opcode ID: 178452fa6cf0e1d7cc016f5fba5d9fedcf8237c98e2bd1d907c1c4b787304ea9
    • Instruction ID: 7e8cb178c98f7686ae3f4c2bdbddd2abe801657538ac5cd0915bffbb15d779e0
    • Opcode Fuzzy Hash: 178452fa6cf0e1d7cc016f5fba5d9fedcf8237c98e2bd1d907c1c4b787304ea9
    • Instruction Fuzzy Hash: 88312872A52725BBEB225BA68C44FDBBAACEF08760F004125FD04E7590C7609D61CAE0
    APIs
    • IsWindow.USER32(?), ref: 002C4B5E
    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002C4B6F
    Strings
    • Failed to set layout directory variable to value provided from command-line., xrefs: 002C4B00
    • Failed to create the message window., xrefs: 002C4A92
    • Failed to check global conditions, xrefs: 002C4A43
    • Failed to set action variables., xrefs: 002C4ABE
    • Failed to query registration., xrefs: 002C4AA8
    • Failed while running , xrefs: 002C4B24
    • Failed to open log., xrefs: 002C4A12
    • Failed to set registration variables., xrefs: 002C4AD8
    • WixBundleLayoutDirectory, xrefs: 002C4AEF
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: MessagePostWindow
    • String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
    • API String ID: 3618638489-3051724725
    • Opcode ID: 50c9b29fd20485e342b9f0e33dd58ddf6faba711b3e179640daf78350eec6eca
    • Instruction ID: 18d5126371f63cbf6c0025e62b807a2202f2755a8f9f74e90eea8002a6313132
    • Opcode Fuzzy Hash: 50c9b29fd20485e342b9f0e33dd58ddf6faba711b3e179640daf78350eec6eca
    • Instruction Fuzzy Hash: ED41B671A6161BBADB26BA60CC65FB7FA5CFF04754F00031AF80496550D761ED709BD0
    APIs
    • CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,?,000000FF,002C5381,?,002C52B5,00000000,002C5381,FFF9E89D,002C5381,002C53B5,002C533D,?), ref: 002CCB15
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: CompareString
    • String ID: =S,$=S,$Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
    • API String ID: 1825529933-1855433667
    • Opcode ID: e36e574b6c9f37bfab6e1f7b3b9607e99ee4cfdac025924f9874a499846c63ed
    • Instruction ID: c7870ac659325645a3b7e38dc6b8d28a7f7246cfb046a29016f16e66a28e7294
    • Opcode Fuzzy Hash: e36e574b6c9f37bfab6e1f7b3b9607e99ee4cfdac025924f9874a499846c63ed
    • Instruction Fuzzy Hash: 7841C431921619EFCF25DF84C991FAEB775AF00710F20426EE80DAB295C7719E61DB90
    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,002C5386,?,?), ref: 002DE84A
    • GetLastError.KERNEL32(?,002C5386,?,?), ref: 002DE857
    • CreateThread.KERNELBASE(00000000,00000000,Function_0001E563,?,00000000,00000000), ref: 002DE8B0
    • GetLastError.KERNEL32(?,002C5386,?,?), ref: 002DE8BD
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,002C5386,?,?), ref: 002DE8F8
    • CloseHandle.KERNEL32(00000000,?,002C5386,?,?), ref: 002DE917
    • FindCloseChangeNotification.KERNELBASE(?,?,002C5386,?,?), ref: 002DE924
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: CloseCreateErrorLast$ChangeEventFindHandleMultipleNotificationObjectsThreadWait
    • String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
    • API String ID: 1372344712-3599963359
    • Opcode ID: 80f9df8220f88a2ce1574f53f19347745caa2235d13bc1d08ef52792ee3a1ff9
    • Instruction ID: 0da78743fca69b7f8c8a9a73a75793267457337dbad9d5fbdf0970ff679c5757
    • Opcode Fuzzy Hash: 80f9df8220f88a2ce1574f53f19347745caa2235d13bc1d08ef52792ee3a1ff9
    • Instruction Fuzzy Hash: 49315475E01219BBEB11EFA99D94AEFF6ECEF08350F114127F905E7290D7308E008AA1
    APIs
    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,771B2F60,?,?,002C52FD,002C52B5,00000000,002C533D), ref: 002E1249
    • GetLastError.KERNEL32 ref: 002E125C
    • GetExitCodeThread.KERNELBASE(0030B478,?), ref: 002E129E
    • GetLastError.KERNEL32 ref: 002E12AC
    • ResetEvent.KERNEL32(0030B450), ref: 002E12E7
    • GetLastError.KERNEL32 ref: 002E12F1
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
    • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
    • API String ID: 2979751695-3400260300
    • Opcode ID: 61199752c7b7996684a934d12510fb26e243ccd289618b327aee9d6fd610f3cd
    • Instruction ID: 357f71412235c6236f897c35cbcaaddd325e07101e7d395c397889eed17c575f
    • Opcode Fuzzy Hash: 61199752c7b7996684a934d12510fb26e243ccd289618b327aee9d6fd610f3cd
    • Instruction Fuzzy Hash: 4121F270751304AFEB099B7A8D15BBEB7F8EB08710F50412FF946D61E0E770CA209A14
    APIs
    • LoadLibraryW.KERNELBASE(?,00000000,?,002C46F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,002C5386,?,?), ref: 002CD5CD
    • GetLastError.KERNEL32(?,002C46F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,002C5386,?,?), ref: 002CD5DA
    • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 002CD612
    • GetLastError.KERNEL32(?,002C46F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,002C5386,?,?), ref: 002CD61E
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: ErrorLast$AddressLibraryLoadProc
    • String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp$wininet.dll
    • API String ID: 1866314245-1140179540
    • Opcode ID: ac22738895a1a1000cffd6a3f9c6dbe027575b42ee39eb93579b1944c1431f88
    • Instruction ID: 666e55fc675896941f8e80a79a2cc835f5ef43b2b585e4b2d23c94b6fafc2538
    • Opcode Fuzzy Hash: ac22738895a1a1000cffd6a3f9c6dbe027575b42ee39eb93579b1944c1431f88
    • Instruction Fuzzy Hash: 5211E732651722AFE7225A645C14F5776D89F04750F01413AFD09E75D0DB20CC108AD4
    APIs
    • PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 002C46B5
    • GetCurrentThreadId.KERNEL32 ref: 002C46BB
      • Part of subcall function 002DFC51: new.LIBCMT ref: 002DFC58
    • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002C4749
    Strings
    • wininet.dll, xrefs: 002C46E8
    • engine.cpp, xrefs: 002C4795
    • Failed to start bootstrapper application., xrefs: 002C4717
    • Failed to load UX., xrefs: 002C46FE
    • Failed to create engine for UX., xrefs: 002C46D5
    • Unexpected return value from message pump., xrefs: 002C479F
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: Message$CurrentPeekThread
    • String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
    • API String ID: 673430819-2573580774
    • Opcode ID: 3852ae29558118cb19eba7979beaf1043d9abb1a5be162b09ac1d8766001d073
    • Instruction ID: aa92b97b0f12638fd3142ce03c7e61f91a02c45fb5ceebe06299cbb467023ce0
    • Opcode Fuzzy Hash: 3852ae29558118cb19eba7979beaf1043d9abb1a5be162b09ac1d8766001d073
    • Instruction Fuzzy Hash: 2B419371621515BFE715ABA4CC95FBBB7ACEF05314F10022AF905E7280DB20ED658BA1
    APIs
    • _MREFOpen@16.MSPDB140-MSVCRT ref: 002C9B5A
    • GetFileAttributesW.KERNELBASE(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 002C9B72
    • GetLastError.KERNEL32 ref: 002C9B81
    Strings
    • Failed to format variable string., xrefs: 002C9B65
    • search.cpp, xrefs: 002C9BB3
    • File search: %ls, did not find path: %ls, xrefs: 002C9BD5
    • Failed to set variable., xrefs: 002C9C07
    • Failed get to file attributes. '%ls', xrefs: 002C9BC0
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: AttributesErrorFileLastOpen@16
    • String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
    • API String ID: 1811509786-2053429945
    • Opcode ID: 0cd9312e572097c570db18472ca7e9962bd42ea72a817c7163ec2688899400fa
    • Instruction ID: 2ce2f0278b520d6069922ac7b6463679c5fc91b30462ed3dbaa32a3268f3246e
    • Opcode Fuzzy Hash: 0cd9312e572097c570db18472ca7e9962bd42ea72a817c7163ec2688899400fa
    • Instruction Fuzzy Hash: 5C213E32E61215BBDB16AAA49D16F9DF7A9EF14310F10431AF800A51D0E7719EA0DBD1
    APIs
    • RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 002CF7CD
    • RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 002CF7DA
    Strings
    • Failed to open registration key., xrefs: 002CF736
    • Failed to format pending restart registry key to read., xrefs: 002CF6D1
    • Resume, xrefs: 002CF741
    • %ls.RebootRequired, xrefs: 002CF6BA
    • Failed to read Resume value., xrefs: 002CF763
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: Close
    • String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
    • API String ID: 3535843008-3890505273
    • Opcode ID: c332796ca3566992e9b7014bbe7c778cf90c0eac21c8fc3a9eae6f7a931193ba
    • Instruction ID: eb39033b0959e3677b1faeddacbb5551d668091dbc2f4ed6d5a7060c24bb6e49
    • Opcode Fuzzy Hash: c332796ca3566992e9b7014bbe7c778cf90c0eac21c8fc3a9eae6f7a931193ba
    • Instruction Fuzzy Hash: 31416236920219EFCB529F94CA41FEDFBB6FB05310F25427AE914AB250D3719E64DB80
    APIs
    • EnterCriticalSection.KERNEL32(0032B60C,00000000,?,?,?,002C5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 0030042B
    • CreateFileW.KERNEL32(40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,0032B604,?,002C5407,00000000,Setup), ref: 003004CC
    • GetLastError.KERNEL32(?,002C5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 003004DC
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,002C5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 00300515
      • Part of subcall function 002C2DE0: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 002C2F1F
    • LeaveCriticalSection.KERNEL32(0032B60C,?,?,0032B604,?,002C5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 0030056E
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
    • String ID: logutil.cpp
    • API String ID: 4111229724-3545173039
    • Opcode ID: 8067754971afbf6678fb6d40bd105edfdef4e0d80b458f19f86ef8ba9516bf6d
    • Instruction ID: 58099436c3aad03b051d31a9b55b40e86e825eda30ac949dbfbb4bb595ba4aed
    • Opcode Fuzzy Hash: 8067754971afbf6678fb6d40bd105edfdef4e0d80b458f19f86ef8ba9516bf6d
    • Instruction Fuzzy Hash: BA31D571A06629EFDB279F61DCA1FAE776CEB01750F050229F900A71A0D730CD509FA0
    APIs
    • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,002C583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 002C7215
    • LeaveCriticalSection.KERNEL32(00000000,00000000,00000002,00000000,?,?,?,002C583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 002C72F4
    Strings
    • Failed to format value '%ls' of variable: %ls, xrefs: 002C72BE
    • Failed to get variable: %ls, xrefs: 002C7256
    • Failed to get value as string for variable: %ls, xrefs: 002C72E3
    • Failed to get unformatted string., xrefs: 002C7285
    • *****, xrefs: 002C72B0, 002C72BD
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
    • API String ID: 3168844106-2873099529
    Strings
    • Unexpected call to CabWrite()., xrefs: 002E0923
    • Failed to write during cabinet extraction., xrefs: 002E0997
    • cabextract.cpp, xrefs: 002E098D
    Similarity
    • API ID: ErrorFileLastWrite_memcpy_s
    • String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
    • API String ID: 1970631241-3111339858
    APIs
    • OpenProcessToken.ADVAPI32(?,00000008,?,002C52B5,00000000,?,?,?,?,?,?,?,002D74AB,00000000), ref: 0030078A
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,002D74AB,00000000), ref: 00300794
    • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,002D74AB,00000000), ref: 003007C6
    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,002D74AB,00000000), ref: 0030081D
    Similarity
    • API ID: Token$ChangeCloseErrorFindInformationLastNotificationOpenProcess
    • String ID: procutil.cpp
    • API String ID: 2387526074-1178289305
    APIs
    • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 002E0A25
    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002E0A37
    • SetFileTime.KERNELBASE(?,?,?,?), ref: 002E0A4A
    • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,002E0616,?,?), ref: 002E0A59
    Strings
    • Invalid operation for this state., xrefs: 002E09FE
    • cabextract.cpp, xrefs: 002E09F4
    Similarity
    • API ID: Time$File$ChangeCloseDateFindLocalNotification
    • String ID: Invalid operation for this state.$cabextract.cpp
    • API String ID: 1330928052-1751360545
    APIs
    • CoInitialize.OLE32(00000000), ref: 0030344A
    • InterlockedIncrement.KERNEL32(0032B6D8), ref: 00303467
    • CLSIDFromProgID.OLE32(Msxml2.DOMDocument,0032B6C8,?,?,?,?,?,?), ref: 00303482
    • CLSIDFromProgID.OLE32(MSXML.DOMDocument,0032B6C8,?,?,?,?,?,?), ref: 0030348E
    Similarity
    • API ID: FromProg$IncrementInitializeInterlocked
    • String ID: MSXML.DOMDocument$Msxml2.DOMDocument
    • API String ID: 2109125048-2356320334
    APIs
    • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 0030495A
    • GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00304989
    • GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 003049B3
    • GetLastError.KERNEL32(00000000,0030B790,?,?,?,00000000,00000000,00000000), ref: 003049F4
    • GlobalFree.KERNEL32(00000000), ref: 00304A28
    Similarity
    • API ID: ErrorLast$Global$AllocFree
    • String ID: fileutil.cpp
    • API String ID: 1145190524-2967768451
    APIs
    • DefWindowProcW.USER32(?,00000082,?,?), ref: 002DE734
    • SetWindowLongW.USER32(?,000000EB,00000000), ref: 002DE743
    • SetWindowLongW.USER32(?,000000EB,?), ref: 002DE757
    • DefWindowProcW.USER32(?,?,?,?), ref: 002DE767
    • GetWindowLongW.USER32(?,000000EB), ref: 002DE781
    • PostQuitMessage.USER32(00000000), ref: 002DE7DE
    Similarity
    • API ID: Window$Long$Proc$MessagePostQuit
    • String ID:
    • API String ID: 3812958022-0
    APIs
    • RegQueryValueExW.KERNELBASE(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 003010ED
    • RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,?,?,?,?,002D6EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 00301126
    • lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 0030121A
    Similarity
    • API ID: QueryValue$lstrlen
    • String ID: BundleUpgradeCode$regutil.cpp
    • API String ID: 3790715954-1648651458
    APIs
    • WideCharToMultiByte.KERNEL32(00000000,00000000,002FFEE7,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,002FFEE7,?,00000000,00000000), ref: 002C247C
    • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,002FFEE7,?,00000000,00000000,0000FDE9), ref: 002C2488
      • Part of subcall function 002C3B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,002C21DC,000001C7,80004005,8007139F,?,?,0030015F,8007139F,?,00000000,00000000,8007139F), ref: 002C3B59
      • Part of subcall function 002C3B51: HeapSize.KERNEL32(00000000,?,002C21DC,000001C7,80004005,8007139F,?,?,0030015F,8007139F,?,00000000,00000000,8007139F), ref: 002C3B60
    Similarity
    • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
    • String ID: strutil.cpp
    • API String ID: 3662877508-3612885251
    APIs
    • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 002E088A
    • GetLastError.KERNEL32(?,?,?), ref: 002E0894
    Strings
    • Failed to move file pointer 0x%x bytes., xrefs: 002E08C5
    • Invalid seek type., xrefs: 002E0820
    • cabextract.cpp, xrefs: 002E08B8
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
    • API String ID: 2976181284-417918914
    APIs
    • CreateDirectoryW.KERNELBASE(002C533D,002C53B5,00000000,00000000,?,002D9EE4,00000000,00000000,002C533D,00000000,002C52B5,00000000,?,=S,,002CD4AC,=S,), ref: 002C4021
    • GetLastError.KERNEL32(?,002D9EE4,00000000,00000000,002C533D,00000000,002C52B5,00000000,?,=S,,002CD4AC,=S,,00000000,00000000), ref: 002C402F
    • CreateDirectoryW.KERNEL32(002C533D,002C53B5,002C5381,?,002D9EE4,00000000,00000000,002C533D,00000000,002C52B5,00000000,?,=S,,002CD4AC,=S,,00000000), ref: 002C4097
    • GetLastError.KERNEL32(?,002D9EE4,00000000,00000000,002C533D,00000000,002C52B5,00000000,?,=S,,002CD4AC,=S,,00000000,00000000), ref: 002C40A1
    Similarity
    • API ID: CreateDirectoryErrorLast
    • String ID: dirutil.cpp
    • API String ID: 1375471231-2193988115
    APIs
      • Part of subcall function 00300E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00305699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00300E52
    • RegCloseKey.KERNELBASE(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,002E8C14,00000000,00000000), ref: 002E898C
    Strings
    • Failed to ensure there is space for related bundles., xrefs: 002E893F
    • Failed to open uninstall key for potential related bundle: %ls, xrefs: 002E88FB
    • Failed to initialize package from related bundle id: %ls, xrefs: 002E8972
    Similarity
    • API ID: CloseOpen
    • String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
    • API String ID: 47109696-1717420724
    APIs
      • Part of subcall function 00300E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00305699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00300E52
    • RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,002D3E61,feclient.dll,?,00000000,?,?,?,002C4A0C), ref: 002D39F1
      • Part of subcall function 00300F6E: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00300FE4
      • Part of subcall function 00300F6E: RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0030101F
    Similarity
    • API ID: QueryValue$CloseOpen
    • String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
    • API String ID: 1586453840-3596319545
    APIs
    • lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,?,002FFF0B,?,?,00000000,00000000,0000FDE9), ref: 0030066A
    • WriteFile.KERNELBASE(FFFFFFFF,00000000,00000000,00000000,00000000,?,?,002FFF0B,?,?,00000000,00000000,0000FDE9), ref: 003006A6
    • GetLastError.KERNEL32(?,?,002FFF0B,?,?,00000000,00000000,0000FDE9), ref: 003006B0
    Similarity
    • API ID: ErrorFileLastWritelstrlen
    • String ID: logutil.cpp
    • API String ID: 606256338-3545173039
    APIs
      • Part of subcall function 002E114F: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,002E077D,?,?,?), ref: 002E1177
      • Part of subcall function 002E114F: GetLastError.KERNEL32(?,002E077D,?,?,?), ref: 002E1181
    • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 002E078B
    • GetLastError.KERNEL32 ref: 002E0795
    Strings
    • Failed to read during cabinet extraction., xrefs: 002E07C3
    • cabextract.cpp, xrefs: 002E07B9
    Similarity
    • API ID: ErrorFileLast$PointerRead
    • String ID: Failed to read during cabinet extraction.$cabextract.cpp
    • API String ID: 2170121939-2426083571
    APIs
    • CreateFileW.KERNELBASE(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,002E8A30,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 00304874
    • GetLastError.KERNEL32(?,002E8A30,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 00304881
    Similarity
    • API ID: CreateErrorFileLast
    • String ID: fileutil.cpp
    • API String ID: 1214770103-2967768451
    APIs
    • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,002E077D,?,?,?), ref: 002E1177
    • GetLastError.KERNEL32(?,002E077D,?,?,?), ref: 002E1181
    Strings
    • Failed to move to virtual file pointer., xrefs: 002E11AF
    • cabextract.cpp, xrefs: 002E11A5
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID: Failed to move to virtual file pointer.$cabextract.cpp
    • API String ID: 2976181284-3005670968
    APIs
    • GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 002CD7F6
    • FreeLibrary.KERNELBASE(?,?,002C47D1,00000000,?,?,002C5386,?,?), ref: 002CD805
    • GetLastError.KERNEL32(?,002C47D1,00000000,?,?,002C5386,?,?), ref: 002CD80F
    Strings
    • BootstrapperApplicationDestroy, xrefs: 002CD7EE
    Similarity
    • API ID: AddressErrorFreeLastLibraryProc
    • String ID: BootstrapperApplicationDestroy
    • API String ID: 1144718084-3186005537
    APIs
    • PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 002DF1A9
    • GetLastError.KERNEL32 ref: 002DF1B3
    Strings
    • EngineForApplication.cpp, xrefs: 002DF1D7
    • Failed to post shutdown message., xrefs: 002DF1E1
    Similarity
    • API ID: ErrorLastMessagePostThread
    • String ID: EngineForApplication.cpp$Failed to post shutdown message.
    • API String ID: 2609174426-188808143
    APIs
    • SetEvent.KERNEL32(0030B468,00000000,?,002E145A,?,00000000,?,002CC121,?,002C52FD,?,002D73B2,?,?,002C52FD,?), ref: 002E0524
    • GetLastError.KERNEL32(?,002E145A,?,00000000,?,002CC121,?,002C52FD,?,002D73B2,?,?,002C52FD,?,002C533D,00000001), ref: 002E052E
    Strings
    • Failed to set begin operation event., xrefs: 002E055C
    • cabextract.cpp, xrefs: 002E0552
    Similarity
    • API ID: ErrorEventLast
    • String ID: Failed to set begin operation event.$cabextract.cpp
    • API String ID: 3848097054-4159625223
    APIs
    • PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 002DEA1E
    • GetLastError.KERNEL32 ref: 002DEA28
    Strings
    • EngineForApplication.cpp, xrefs: 002DEA4C
    • Failed to post detect message., xrefs: 002DEA56
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: ErrorLastMessagePostThread
    • String ID: EngineForApplication.cpp$Failed to post detect message.
    • API String ID: 2609174426-598219917
    • Opcode ID: 4f6689f8fcc1aa15874a28b771bf1be30d9a7ea0c4b3a4f0af80396219893e7f
    • Instruction ID: 2430e0a509194f2299ed4e06fce7c9850d55befc27f05eeb4c6c170ecdcd2066
    • Opcode Fuzzy Hash: 4f6689f8fcc1aa15874a28b771bf1be30d9a7ea0c4b3a4f0af80396219893e7f
    • Instruction Fuzzy Hash: 0AF0EC367413316BE7266AA9AC05FC7BBD8EF08BA1F014126FD08EA191D6218D11C6E4
    APIs
    • lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,002C1104,?,?,00000000), ref: 002C503A
    • CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,002C1104,?,?,00000000), ref: 002C506A
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: CompareStringlstrlen
    • String ID: burn.clean.room
    • API String ID: 1433953587-3055529264
    • Opcode ID: f9828593e78114379b9d76b56a8d9cb115a43db37a13e0e06ad29ffb75ee2ce3
    • Instruction ID: c485ebee4bb00d9bf4aa72ce588b5a5516d9f9de020c96c1e5dc2d403fef21d1
    • Opcode Fuzzy Hash: f9828593e78114379b9d76b56a8d9cb115a43db37a13e0e06ad29ffb75ee2ce3
    • Instruction Fuzzy Hash: 88016D72610A36AFC3354F59A884E73B7ACFF18760B10421EF949C2620D375ECA1C6E1
    APIs
    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 002C3829
    • GetLastError.KERNEL32 ref: 002C3833
    • LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 002C389B
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: DirectoryErrorLastLibraryLoadSystem
    • String ID:
    • API String ID: 1230559179-0
    • Opcode ID: a66e36933e9f714144afffb83b8ebe536504a2780a9f55a5f9ce782a51bc76b6
    • Instruction ID: 29eb4ab4a5d870d9b10c21e7855a7c978b3f36163180ba5fd1bae73ad96a4981
    • Opcode Fuzzy Hash: a66e36933e9f714144afffb83b8ebe536504a2780a9f55a5f9ce782a51bc76b6
    • Instruction Fuzzy Hash: 7221DAB2D1132AA7EB21DF648C49FDAB76C9F00710F158769BD14E7241EA70DE548BE0
    APIs
    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,002C3B34,00000000,?,002C1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,002C13B7), ref: 002C39A3
    • RtlFreeHeap.NTDLL(00000000,?,002C3B34,00000000,?,002C1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,002C13B7,000001C7,00000100), ref: 002C39AA
    • GetLastError.KERNEL32(?,002C3B34,00000000,?,002C1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,002C13B7,000001C7,00000100,?), ref: 002C39B4
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: Heap$ErrorFreeLastProcess
    • String ID:
    • API String ID: 406640338-0
    • Opcode ID: 56ed88a56e0bdf997d9fb066740cbc1c25101ff874d1420b530074199bc68ac4
    • Instruction ID: 791f2a05ff6d6be8aa4a04b81cc7d8248c55babd99032e3608b9de526c14f3eb
    • Opcode Fuzzy Hash: 56ed88a56e0bdf997d9fb066740cbc1c25101ff874d1420b530074199bc68ac4
    • Instruction Fuzzy Hash: 09D01232601634A7C7116BFA6C1CB97FE9CEF056A1B018122FD05D2210D735881086E4
    APIs
    • IsWindow.USER32(?), ref: 002DE7F8
    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002DE80E
    • WaitForSingleObject.KERNEL32(?,00003A98,?,002C4B37,?,?,?,?,?,0030B490,?,?,?,?,?,?), ref: 002DE81F
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: MessageObjectPostSingleWaitWindow
    • String ID:
    • API String ID: 1391784381-0
    • Opcode ID: f95e75b5d1b19c533617a6982fc1dac5421fa1dc7d8df8041111d3313e0d35f9
    • Instruction ID: e5692e53786265d8d62bfc80bdad458213db792fe0d27a684e614afdff28fced
    • Opcode Fuzzy Hash: f95e75b5d1b19c533617a6982fc1dac5421fa1dc7d8df8041111d3313e0d35f9
    • Instruction Fuzzy Hash: 4EE08C31280308BBDB231B60DC19BDABB6CFB08751F08092AF249A50E0C7A279609B84
    APIs
    • RegQueryValueExW.KERNELBASE(00000000,00000008,00000000,00000000,00000000,000000B0,000002C0,00000000,00000000), ref: 0030127B
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: QueryValue
    • String ID: regutil.cpp
    • API String ID: 3660427363-955085611
    • Opcode ID: 7f0a4fe56b2373f9b246aeaefd95eda5ee7fc63a4ab9f70556a148d370839c6e
    • Instruction ID: d3a6b927d2af214c2e183565f1d04849ffcdfcd73bfe395813a9e83b6ba50b14
    • Opcode Fuzzy Hash: 7f0a4fe56b2373f9b246aeaefd95eda5ee7fc63a4ab9f70556a148d370839c6e
    • Instruction Fuzzy Hash: 4521AE32A02119FFDF229E95CD54AAEBBADEF04350F1185B9F904EB290D2318E50DB90
    APIs
      • Part of subcall function 00300E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00305699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00300E52
    • RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,?,002D7B4D,?,?,?), ref: 002CF644
      • Part of subcall function 00300EEC: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000000,00000000,?,?,?,002CF619,00000000,Installed,00000000,?,?), ref: 00300F10
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: CloseOpenQueryValue
    • String ID: Installed
    • API String ID: 3677997916-3662710971
    • Opcode ID: d6fc121ff36b37593147f8bc531612b809b9613ad99e6f59e7e1867f94cc4fc0
    • Instruction ID: 1e838080380c218860cdb46089cfdebe9e9dfe9d6a49998113dca80c3b47fc30
    • Opcode Fuzzy Hash: d6fc121ff36b37593147f8bc531612b809b9613ad99e6f59e7e1867f94cc4fc0
    • Instruction Fuzzy Hash: 46018F32821119FBCB15EBA4C946FDEBBADEB04311F2141A9E810AB160D7755E50DB90
    APIs
    • GetProcessHeap.KERNEL32(?,000001C7,?,?,002C227D,?,000001C7,00000001,80004005,8007139F,?,?,0030015F,8007139F,?,00000000), ref: 002C3A86
    • RtlReAllocateHeap.NTDLL(00000000,?,002C227D,?,000001C7,00000001,80004005,8007139F,?,?,0030015F,8007139F,?,00000000,00000000,8007139F), ref: 002C3A8D
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: Heap$AllocateProcess
    • String ID:
    • API String ID: 1357844191-0
    • Opcode ID: 2fbd15f1b080e9404efd1798dfdefda8e604b7bfb9f4e52b111ac21d81ad2616
    • Instruction ID: 3d732d59943854f83c68c1afb74b2b691b285c4b1ad2be3dbcd1c67c58f75e27
    • Opcode Fuzzy Hash: 2fbd15f1b080e9404efd1798dfdefda8e604b7bfb9f4e52b111ac21d81ad2616
    • Instruction Fuzzy Hash: 18D0123215020DEBCF015FE8DC1DDAE7BACEB58712B008406F915C2210C73DE4609B60
    APIs
    • GetProcessHeap.KERNEL32(?,000001C7,?,002C2284,000001C7,00000001,80004005,8007139F,?,?,0030015F,8007139F,?,00000000,00000000,8007139F), ref: 002C38E5
    • RtlAllocateHeap.NTDLL(00000000,?,002C2284,000001C7,00000001,80004005,8007139F,?,?,0030015F,8007139F,?,00000000,00000000,8007139F), ref: 002C38EC
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: Heap$AllocateProcess
    • String ID:
    • API String ID: 1357844191-0
    • Opcode ID: 24a80fda6f2ba817ee1d987dcd886ff758533a2064e35d52adada180e7bc2b25
    • Instruction ID: f76ecc0ba01c61aa6e1ea006f58e1cf7dce3d74be9629252a2c578c935f576d3
    • Opcode Fuzzy Hash: 24a80fda6f2ba817ee1d987dcd886ff758533a2064e35d52adada180e7bc2b25
    • Instruction Fuzzy Hash: 94C01232190208A7CB015FF4DC1DC59779CA714702B008401B505C2210C73CE0548760
    APIs
    • VariantInit.OLEAUT32(?), ref: 003034CE
      • Part of subcall function 00302F23: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,003034DF,00000000,?,00000000), ref: 00302F3D
      • Part of subcall function 00302F23: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,002EBDED,?,002C52FD,?,00000000,?), ref: 00302F49
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: ErrorHandleInitLastModuleVariant
    • String ID:
    • API String ID: 52713655-0
    • Opcode ID: 8d01f6b2b174b157cb349254335549c0dce0227847035dcd4652658ab4ead7a5
    • Instruction ID: c240e80c0902742d72f2894397b14663f8a351cdd2692ed9a21d8298a1b552d8
    • Opcode Fuzzy Hash: 8d01f6b2b174b157cb349254335549c0dce0227847035dcd4652658ab4ead7a5
    • Instruction Fuzzy Hash: EC314B76E016299BCB11DFA8D884ADEF7F8EF09710F01456AED15EB360D630DE048BA0
    APIs
      • Part of subcall function 00308CFB: lstrlenW.KERNEL32(00000100,?,?,00309098,000002C0,00000100,00000100,00000100,?,?,?,002E7B40,?,?,000001BC,00000000), ref: 00308D1B
    • RegCloseKey.KERNELBASE(000002C0,000002C0,00000100,00000100,00000100,?,?,?,002E7B40,?,?,000001BC,00000000,00000000,00000000,00000100), ref: 00309136
      • Part of subcall function 00300E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00305699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00300E52
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: CloseOpenlstrlen
    • String ID:
    • API String ID: 514153755-0
    • Opcode ID: c37089639792036052fdb384b9f6bf8aa869c4f2066091550824d9bb9a9d3f19
    • Instruction ID: 6f3dfb6a5a76002137fb8addea7e43e968b192502ee15f4921b8e226565b4f96
    • Opcode Fuzzy Hash: c37089639792036052fdb384b9f6bf8aa869c4f2066091550824d9bb9a9d3f19
    • Instruction Fuzzy Hash: 0A21D672D0252AEBCF23AFA4CC5599EBAB5EB44750F124266FD006B162D3324E50A7D0
    APIs
    • RegCloseKey.ADVAPI32(80070490,00000000,80070490,0032AAA0,00000000,80070490,00000000,?,002D890E,WiX\Burn,PackageCache,00000000,0032AAA0,00000000,00000000,80070490), ref: 00305782
      • Part of subcall function 00300F6E: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00300FE4
      • Part of subcall function 00300F6E: RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0030101F
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: QueryValue$Close
    • String ID:
    • API String ID: 1979452859-0
    • Opcode ID: be1fb296c84610f950d432166ef234d6b528d3a2b3ed6abf6abc60fd1c615d3f
    • Instruction ID: 8e1fb15f2b120fded562125cd6e4cd82e9b24e243d6051a6b49685bc4a071ef0
    • Opcode Fuzzy Hash: be1fb296c84610f950d432166ef234d6b528d3a2b3ed6abf6abc60fd1c615d3f
    • Instruction Fuzzy Hash: B511C63680252DEBDF236EA4DCA1AAFB769EB04B20B160239ED016B151C3314D50FED0
    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,?,?,002F1E90,?,0000015D,?,?,?,?,002F32E9,000000FF,00000000,?,?), ref: 002F5186
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: b02d0cd015eb9b45ae997a06b24e05c83d46408a4c7c5d240117b0bb42cdfde0
    • Instruction ID: 8730eb6ae5cf8e3cf0013f69694a3c44b3f4614c83d391b5a9dd6dff5fa28f7b
    • Opcode Fuzzy Hash: b02d0cd015eb9b45ae997a06b24e05c83d46408a4c7c5d240117b0bb42cdfde0
    • Instruction Fuzzy Hash: 05E0E531270A3E57E6312A255C20B7BF64CDF417E0F154130AF2D96080DB60EC2085E0
    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,002D89CA,0000001C,80070490,00000000,00000000,80070490), ref: 002C34E5
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: FolderPath
    • String ID:
    • API String ID: 1514166925-0
    • Opcode ID: 120efb87129ea4b71e94ffb0199300d12783b3649eed28912d0353d9c7939078
    • Instruction ID: ddf47a09f48544fe18846b8a05f558fea169c67535e990825945712d75abdb2d
    • Opcode Fuzzy Hash: 120efb87129ea4b71e94ffb0199300d12783b3649eed28912d0353d9c7939078
    • Instruction Fuzzy Hash: B4E012762112257BE602AE625C06EEB7B9CDF09754B048559FE40E6001EA61E92086B4
    APIs
    • GetFileAttributesW.KERNELBASE(00000000,00000000,?,002DA229,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,80070490), ref: 002C40EB
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID:
    • API String ID: 3188754299-0
    • Opcode ID: 0e811ebcf9e6ffaf81a98ed4014cf6143445707d50b14709395bac8498433fc8
    • Instruction ID: b435766e4c714a1884862bcb4921f4ad40512e6f6dabc47716db76d2bac9adff
    • Opcode Fuzzy Hash: 0e811ebcf9e6ffaf81a98ed4014cf6143445707d50b14709395bac8498433fc8
    • Instruction Fuzzy Hash: E6D02B31202124178718AE698C24A67BB19DF127B07054319EC98DA1A0C370AC61C3C0
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 002FF35B
      • Part of subcall function 00309814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00309891
      • Part of subcall function 00309814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003098A2
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 7fdd5093a982f3830fd2992fec5d164a6ecdc196a2f1483d47df320b090a7ebe
    • Instruction ID: e37904aeb60d6e9f6df56fbf2ecb4e18bd450367bc52716f149f7135bb6e2b56
    • Opcode Fuzzy Hash: 7fdd5093a982f3830fd2992fec5d164a6ecdc196a2f1483d47df320b090a7ebe
    • Instruction Fuzzy Hash: 34B012B527A8167F328653193E03D36014CC6C2F20338C03BF100C5281E8C00C450132
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 002FF35B
      • Part of subcall function 00309814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00309891
      • Part of subcall function 00309814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003098A2
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 416c288afe2c56ecd7b495a64dc76cabdc0808f89dcfe93e6a7ae7da945fc806
    • Instruction ID: fd21f7f76303c248b3d5ab6c26907dfb2a01f956a675f24aacdb95d4dd8c5a6f
    • Opcode Fuzzy Hash: 416c288afe2c56ecd7b495a64dc76cabdc0808f89dcfe93e6a7ae7da945fc806
    • Instruction Fuzzy Hash: 0BB012B527A9567E328653193D02D36014CC6C1F20338C13BF100C5281E8D00C840132
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 002FF35B
      • Part of subcall function 00309814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00309891
      • Part of subcall function 00309814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003098A2
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: c8a8d595ceed096f27fc11d76f1f4b745043986fa0db9bce7bfed8bdf55f2714
    • Instruction ID: 91edd87bf18c0967062df026b51b9c635e0ecabb995c0b320ded93e4a2d0278c
    • Opcode Fuzzy Hash: c8a8d595ceed096f27fc11d76f1f4b745043986fa0db9bce7bfed8bdf55f2714
    • Instruction Fuzzy Hash: 46B012B627A8167E324613157D02C36020CC6C1F24338C03BF600D4181E8C00D444032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 003094E7
      • Part of subcall function 00309814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00309891
      • Part of subcall function 00309814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003098A2
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 099936ede2a399b2f494555928f356fef034c1bf66bdd490d3b3704d80276977
    • Instruction ID: b20d9aef310f7e5aa245d324939cc0ea40a3f9308abedf0e02e268ac670ada90
    • Opcode Fuzzy Hash: 099936ede2a399b2f494555928f356fef034c1bf66bdd490d3b3704d80276977
    • Instruction Fuzzy Hash: 2FB012A926B8127E7247A31A3C13E36020CC2C0F10331C12BF501C61C2E8400C4D4032
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 003094E7
      • Part of subcall function 00309814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00309891
      • Part of subcall function 00309814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003098A2
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 4937b04bebfd36bf4fe3ce65d7de32bb8ae1051f33bbf82ae4e8b7d41c5bf144
    • Instruction ID: 64d49e92502d492bd789436d6671c251e68fabdd6af43d8bcc60a5307fcdc4e0
    • Opcode Fuzzy Hash: 4937b04bebfd36bf4fe3ce65d7de32bb8ae1051f33bbf82ae4e8b7d41c5bf144
    • Instruction Fuzzy Hash: 41B012A926B9157E7207631A3C52D36010CD6C0F10331C12BF101D54C2A8400C490033
    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 003094E7
      • Part of subcall function 00309814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00309891
      • Part of subcall function 00309814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003098A2
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
    • String ID:
    • API String ID: 1269201914-0
    • Opcode ID: 69880088523a03d128cf3d7622377135d84882e28ef9ec47ef2a2877f7850e23
    • Instruction ID: 96b2eec0f105a335ad5fc246dd29924bc0a85b84103f744cd812fc0ed6b41484
    • Opcode Fuzzy Hash: 69880088523a03d128cf3d7622377135d84882e28ef9ec47ef2a2877f7850e23
    • Instruction Fuzzy Hash: 90B012A926BA117E7247A35A3E13E36010CC6C1F10331C12BF101C61C2E8400C4A0032
    APIs
      • Part of subcall function 002C3B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,002C21DC,000001C7,80004005,8007139F,?,?,0030015F,8007139F,?,00000000,00000000,8007139F), ref: 002C3B59
      • Part of subcall function 002C3B51: HeapSize.KERNEL32(00000000,?,002C21DC,000001C7,80004005,8007139F,?,?,0030015F,8007139F,?,00000000,00000000,8007139F), ref: 002C3B60
    • lstrlenW.KERNEL32(000001C7,000001C7,80004005,00000000,?,cabextract.cpp,000001C7), ref: 002C139B
    Memory Dump Source
    • Source File: 00000004.00000002.1362663824.00000000002C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 002C0000, based on PE: true
    • Associated: 00000004.00000002.1362647217.00000000002C0000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362692485.000000000030B000.00000002.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362713358.000000000032A000.00000004.00000001.01000000.0000000A.sdmp
    • Associated: 00000004.00000002.1362728371.000000000032E000.00000002.00000001.01000000.0000000A.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_2c0000_VC_redist.jbxd
    Similarity
    • API ID: Heap$ProcessSizelstrlen
    • String ID:
    • API String ID: 3492610842-0
    • Opcode ID: b079ce7010c20cb3617aa764acda40a13f680a7441d6e591b457adad4d5ab119
    • Instruction ID: 614d685688b0cd8adf749ff591fa80edab1e5df913760814d4bf4f20daa64b83
    • Opcode Fuzzy Hash: b079ce7010c20cb3617aa764acda40a13f680a7441d6e591b457adad4d5ab119
    • Instruction Fuzzy Hash: F9212632D10216EFCB269F68D841FADB7A9EF46360F15839DED0467252C7318D319B80