Windows Analysis Report
SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe

Overview

General Information

Sample name: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
Analysis ID: 1467386
MD5: 9bae70489ffa1fd07797f8964350af30
SHA1: 274d484c8de888ba87f3232f451c888e436337b5
SHA256: 38afba1a62ee831a679ed728da8ca167b4c80a432a3ddf575c784bdd29d33975
Tags: exe
Infos:

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to infect the boot sector
Modifies the windows firewall
Potentially malicious time measurement code found
Uses netsh to modify the Windows network and firewall settings
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to create new users
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate running services
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe" MD5: 9BAE70489FFA1FD07797F8964350AF30)
    • vc_redist.x64.exe (PID: 7608 cmdline: "C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" /quiet MD5: 35431D059197B67227CD12F841733539)
      • VC_redist.x64.exe (PID: 7628 cmdline: "C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" -burn.filehandle.attached=508 -burn.filehandle.self=684 /quiet MD5: 24323F69876BDA1B9909A0D0D6B981BA)
    • nssm.exe (PID: 7680 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" install IDmelonFidoCredentialProviderService "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 7736 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Application "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 7820 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppDirectory "C:\Program Files (x86)\IDmelon\FCP" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 7868 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdout "C:\Program Files (x86)\IDmelon\FCP\logs.log" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 7920 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderr "C:\Program Files (x86)\IDmelon\FCP\logs.log" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 7972 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Description "Handles the FIDO authentication of IDmelon credential provider." MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 8024 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdoutCreationDisposition 4 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 8076 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderrCreationDisposition 4 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 8132 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateFiles 1 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 8188 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateOnline 0 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 7328 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateSeconds 14400 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 7192 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateBytes 5000000 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 5816 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Start SERVICE_AUTO_START MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 3104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 7220 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" restart IDmelonFidoCredentialProviderService MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 7708 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" status IDmelonFidoCredentialProviderService MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 7748 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" start IDmelonFidoCredentialProviderService MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cacls.exe (PID: 7796 cmdline: CACLS "C:\Program Files (x86)\IDmelon\FCP\cashedData.xml" /e /p Everyone:f MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
      • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cacls.exe (PID: 7864 cmdline: CACLS "C:\Program Files (x86)\IDmelon\FCP\service_log.lo" /e /p Everyone:f MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
      • conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • icacls.exe (PID: 7940 cmdline: icacls "C:\Program Files (x86)\IDmelon\FCP" /inheritance:d MD5: 2E49585E4E08565F52090B144062F97E)
      • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • icacls.exe (PID: 7924 cmdline: icacls "C:\Program Files (x86)\IDmelon\FCP" /grant:r everyone:(OI)(CI)(F) /T MD5: 2E49585E4E08565F52090B144062F97E)
      • conhost.exe (PID: 1696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 7980 cmdline: netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 3980 cmdline: netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=out program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 8144 cmdline: netsh.exe advfirewall firewall add rule IDmelonFidoCredentialProviderService dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 7296 cmdline: netsh.exe advfirewall firewall add rule IDmelonFidoCredentialProviderService dir=out program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MpCmdRun.exe (PID: 7708 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • nssm.exe (PID: 7300 cmdline: "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
    • conhost.exe (PID: 4428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • IDmelonCredentialProviderFidoAgent.exe (PID: 7640 cmdline: "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" MD5: 2B087903208E385308BF23C41F82E872)
      • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • IDmelonCredentialProviderFidoAgent.exe (PID: 7824 cmdline: "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" MD5: 2B087903208E385308BF23C41F82E872)
        • cmd.exe (PID: 6104 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • IDmelonCredentialProviderFidoAgent.exe (PID: 7452 cmdline: "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" MD5: 2B087903208E385308BF23C41F82E872)
      • conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • IDmelonCredentialProviderFidoAgent.exe (PID: 7220 cmdline: "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" MD5: 2B087903208E385308BF23C41F82E872)
        • cmd.exe (PID: 5064 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • svchost.exe (PID: 7896 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: IDmelonV2CredentialProvider, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, ProcessId: 7528, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{adeba497-0484-4d69-aff3-d7c759f21d15}\(Default)
Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 7896, ProcessName: svchost.exe
No Snort rule has matched

AV Detection

Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe, Avira: detection malicious, Label: HEUR/AGEN.1305235
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe, ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Virustotal: Detection: 12%
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261988 CRYPTO_free,CRYPTO_memdup,memcmp,CRYPTO_memdup,42_2_00007FFDFF261988
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2976F0 CRYPTO_free,CRYPTO_strdup,CRYPTO_free,42_2_00007FFDFF2976F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26247D CRYPTO_malloc,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_put_error,CRYPTO_clear_free,42_2_00007FFDFF26247D
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2B3610 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,memcpy,42_2_00007FFDFF2B3610
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF269600 CRYPTO_malloc,ERR_put_error,CRYPTO_free,42_2_00007FFDFF269600
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2935F0 CRYPTO_THREAD_write_lock,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,42_2_00007FFDFF2935F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2AB630 CRYPTO_memdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free,42_2_00007FFDFF2AB630
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261951 ERR_put_error,ASN1_item_free,memcpy,memcpy,_time64,X509_free,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,ASN1_item_free,42_2_00007FFDFF261951
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261929 BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,CRYPTO_free,CRYPTO_strdup,42_2_00007FFDFF261929
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2B94B0 CRYPTO_free,CRYPTO_memdup,42_2_00007FFDFF2B94B0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2894F0 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,42_2_00007FFDFF2894F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF262004 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memcmp,_time64,42_2_00007FFDFF262004
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2619F1 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,42_2_00007FFDFF2619F1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF262388 CRYPTO_malloc,42_2_00007FFDFF262388
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261195 CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,CRYPTO_free,42_2_00007FFDFF261195
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26115E OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,42_2_00007FFDFF26115E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2853A4 CRYPTO_memdup,ERR_put_error,42_2_00007FFDFF2853A4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261933 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDFF261933
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF262298 CRYPTO_memdup,ERR_put_error,CRYPTO_free,CRYPTO_free,42_2_00007FFDFF262298
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261073 ERR_put_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,42_2_00007FFDFF261073
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF262289 EVP_MD_size,EVP_CIPHER_iv_length,EVP_CIPHER_key_length,CRYPTO_clear_free,CRYPTO_malloc,42_2_00007FFDFF262289
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2614B5 ERR_put_error,memcpy,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,OPENSSL_sk_value,X509_VERIFY_PARAM_get_depth,CRYPTO_dup_ex_data,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,42_2_00007FFDFF2614B5
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26177B EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key,EVP_sha256,EVP_DigestSignInit,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,_time64,EVP_MD_CTX_free,EVP_PKEY_free,EVP_MD_CTX_free,EVP_PKEY_free,42_2_00007FFDFF26177B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2A9178 CRYPTO_free,CRYPTO_free,42_2_00007FFDFF2A9178
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2691C0 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDFF2691C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261FD2 CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDFF261FD2
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261E29 CRYPTO_malloc,42_2_00007FFDFF261E29
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2AB1F0 CRYPTO_malloc,EVP_DigestUpdate,EVP_MD_CTX_free,EVP_PKEY_CTX_free,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,42_2_00007FFDFF2AB1F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261479 CRYPTO_free,CRYPTO_free,CRYPTO_memdup,42_2_00007FFDFF261479
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2C1060 BN_bin2bn,BN_ucmp,BN_is_zero,CRYPTO_free,CRYPTO_strdup,42_2_00007FFDFF2C1060
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261BE0 EVP_MD_size,RAND_bytes,_time64,CRYPTO_free,CRYPTO_memdup,42_2_00007FFDFF261BE0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261115 CRYPTO_zalloc,CRYPTO_free,42_2_00007FFDFF261115
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261A50 OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,CRYPTO_memcmp,42_2_00007FFDFF261A50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261802 CRYPTO_strdup,42_2_00007FFDFF261802
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26230B CRYPTO_memcmp,memchr,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,42_2_00007FFDFF26230B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2B9130 CRYPTO_memcmp,42_2_00007FFDFF2B9130
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF262554 BIO_s_file,BIO_new,BIO_ctrl,strncmp,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,42_2_00007FFDFF262554
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2A1120 CRYPTO_free,CRYPTO_strndup,42_2_00007FFDFF2A1120
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261078 CRYPTO_free,42_2_00007FFDFF261078
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF277008 CRYPTO_free,CRYPTO_strdup,42_2_00007FFDFF277008
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2AD050 EVP_CIPHER_CTX_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDFF2AD050
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261410 CRYPTO_malloc,ERR_put_error,BIO_snprintf,42_2_00007FFDFF261410
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2AB020 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,42_2_00007FFDFF2AB020
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26157D CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,ERR_put_error,ERR_put_error,ERR_put_error,memcpy,42_2_00007FFDFF26157D
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF298E70 CRYPTO_zalloc,CRYPTO_free,42_2_00007FFDFF298E70
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2A0E70 CRYPTO_free,CRYPTO_memdup,42_2_00007FFDFF2A0E70
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF27CE60 CRYPTO_get_ex_new_index,42_2_00007FFDFF27CE60
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF27CEC0 i2d_X509_NAME,i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free,42_2_00007FFDFF27CEC0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26AEA0 CRYPTO_free,42_2_00007FFDFF26AEA0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26163B CRYPTO_free,CRYPTO_malloc,42_2_00007FFDFF26163B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF294EF0 CRYPTO_zalloc,ERR_put_error,_time64,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,memcpy,42_2_00007FFDFF294EF0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261DC0 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_put_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,42_2_00007FFDFF261DC0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF276F39 CRYPTO_free,CRYPTO_strdup,42_2_00007FFDFF276F39
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2624FA CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,42_2_00007FFDFF2624FA
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26ED90 EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,CRYPTO_memcmp,42_2_00007FFDFF26ED90
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261F37 CRYPTO_free,CRYPTO_malloc,RAND_bytes,42_2_00007FFDFF261F37
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF28CDC0 ERR_put_error,ERR_put_error,ERR_put_error,EVP_MD_size,ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,d2i_X509,X509_get0_pubkey,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,X509_free,OPENSSL_sk_new_null,OPENSSL_sk_push,ERR_put_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,ERR_put_error,42_2_00007FFDFF28CDC0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26220C ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,OPENSSL_LH_new,OPENSSL_sk_num,EVP_get_digestbyname,EVP_get_digestbyname,OPENSSL_sk_new_null,OPENSSL_sk_new_null,CRYPTO_new_ex_data,RAND_bytes,RAND_priv_bytes,RAND_priv_bytes,RAND_priv_bytes,42_2_00007FFDFF26220C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261393 OPENSSL_sk_new_null,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_clear_error,OPENSSL_sk_value,X509_get0_pubkey,X509_free,X509_up_ref,X509_free,OPENSSL_sk_pop_free,42_2_00007FFDFF261393
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2B2E00 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,42_2_00007FFDFF2B2E00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261B81 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,42_2_00007FFDFF261B81
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2A8E3D CRYPTO_malloc,42_2_00007FFDFF2A8E3D
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2C8E40 CRYPTO_free,CRYPTO_malloc,ERR_put_error,42_2_00007FFDFF2C8E40
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26189D CRYPTO_malloc,ERR_put_error,42_2_00007FFDFF26189D
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF262469 CRYPTO_malloc,memcpy,42_2_00007FFDFF262469
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2615C8 EVP_MD_CTX_new,EVP_PKEY_size,CRYPTO_malloc,EVP_DigestSignInit,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestUpdate,EVP_DigestSignFinal,EVP_DigestSign,BUF_reverse,CRYPTO_free,EVP_MD_CTX_free,CRYPTO_free,EVP_MD_CTX_free,42_2_00007FFDFF2615C8
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261D61 CRYPTO_clear_free,42_2_00007FFDFF261D61
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26243C CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,ERR_put_error,42_2_00007FFDFF26243C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261DA2 CRYPTO_THREAD_run_once,42_2_00007FFDFF261DA2
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF28CC00 ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,ERR_put_error,42_2_00007FFDFF28CC00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26132A CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,42_2_00007FFDFF26132A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF294A90 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,42_2_00007FFDFF294A90
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF29AA70 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,42_2_00007FFDFF29AA70
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF27CAC0 OPENSSL_sk_num,X509_STORE_CTX_new,ERR_put_error,OPENSSL_sk_value,X509_STORE_CTX_init,ERR_put_error,X509_STORE_CTX_free,X509_STORE_CTX_set_flags,CRYPTO_THREAD_run_once,X509_STORE_CTX_set_ex_data,OPENSSL_sk_num,X509_STORE_CTX_set0_dane,X509_STORE_CTX_set_default,X509_VERIFY_PARAM_set1,X509_STORE_CTX_set_verify_cb,X509_verify_cert,X509_STORE_CTX_get_error,OPENSSL_sk_pop_free,X509_STORE_CTX_get0_chain,X509_STORE_CTX_get1_chain,ERR_put_error,X509_VERIFY_PARAM_move_peername,X509_STORE_CTX_free,42_2_00007FFDFF27CAC0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2A0AA0 CRYPTO_memcmp,42_2_00007FFDFF2A0AA0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF28CB10 CRYPTO_free,CRYPTO_free,42_2_00007FFDFF28CB10
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261FBE CRYPTO_free,42_2_00007FFDFF261FBE
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261523 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,42_2_00007FFDFF261523
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2C0B50 EVP_PKEY_get0_RSA,RSA_size,CRYPTO_malloc,RAND_priv_bytes,CRYPTO_free,42_2_00007FFDFF2C0B50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2B0990 CRYPTO_free,CRYPTO_free,CRYPTO_strndup,42_2_00007FFDFF2B0990
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF268980 CRYPTO_free,42_2_00007FFDFF268980
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2BC980 CRYPTO_memcmp,42_2_00007FFDFF2BC980
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF28C970 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error,42_2_00007FFDFF28C970
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26221B CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,CRYPTO_free,42_2_00007FFDFF26221B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26135C memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,42_2_00007FFDFF26135C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF262153 CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,ENGINE_finish,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,CRYPTO_THREAD_lock_free,CRYPTO_free,42_2_00007FFDFF262153
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF262225 CRYPTO_free,CRYPTO_memdup,42_2_00007FFDFF262225
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26222A CRYPTO_free,42_2_00007FFDFF26222A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26101E CRYPTO_free,CRYPTO_free,42_2_00007FFDFF26101E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF29A850 CRYPTO_free,CRYPTO_memdup,42_2_00007FFDFF29A850
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261C08 CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,42_2_00007FFDFF261C08
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2A883B CRYPTO_clear_free,42_2_00007FFDFF2A883B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2C0830 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,42_2_00007FFDFF2C0830
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2A0820 CRYPTO_free,CRYPTO_free,42_2_00007FFDFF2A0820
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2646C0 BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,42_2_00007FFDFF2646C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2613FC EVP_MD_CTX_new,EVP_MD_CTX_free,CRYPTO_memcmp,memcpy,memcpy,42_2_00007FFDFF2613FC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261AC8 CRYPTO_malloc,ERR_put_error,CRYPTO_free,42_2_00007FFDFF261AC8
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2BE730 OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,memcmp,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,CRYPTO_memcmp,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDFF2BE730
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26218A CONF_parse_list,ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,42_2_00007FFDFF26218A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261438 ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,42_2_00007FFDFF261438
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261050 EVP_PKEY_free,BN_num_bits,BN_bn2bin,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_clear_free,42_2_00007FFDFF261050
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261BCC CRYPTO_strdup,CRYPTO_free,42_2_00007FFDFF261BCC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF29A5E0 CRYPTO_memcmp,42_2_00007FFDFF29A5E0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26236A CRYPTO_free,CRYPTO_malloc,ERR_put_error,memcpy,42_2_00007FFDFF26236A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261762 ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,ERR_put_error,42_2_00007FFDFF261762
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2621C1 _time64,CRYPTO_free,CRYPTO_malloc,EVP_sha256,EVP_Digest,EVP_MD_size,CRYPTO_free,CRYPTO_free,42_2_00007FFDFF2621C1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261F14 CRYPTO_free,42_2_00007FFDFF261F14
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF264497 CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_set_data,BIO_clear_flags,42_2_00007FFDFF264497
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2684C0 CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,42_2_00007FFDFF2684C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2622C5 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error,42_2_00007FFDFF2622C5
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF262414 CRYPTO_free,BIO_clear_flags,BIO_set_flags,BIO_snprintf,ERR_add_error_data,memcpy,42_2_00007FFDFF262414
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261DD4 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,_time64,memcpy,OPENSSL_cleanse,OPENSSL_cleanse,EVP_MD_size,42_2_00007FFDFF261DD4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2824E0 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,42_2_00007FFDFF2824E0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2A0550 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDFF2A0550
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF27E3C0 CRYPTO_THREAD_run_once,42_2_00007FFDFF27E3C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261CBC CRYPTO_clear_free,42_2_00007FFDFF261CBC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF268410 CRYPTO_zalloc,ERR_put_error,42_2_00007FFDFF268410
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261E7E CRYPTO_free,CRYPTO_malloc,42_2_00007FFDFF261E7E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2783F0 EVP_PKEY_CTX_new,EVP_PKEY_derive_init,EVP_PKEY_derive_set_peer,EVP_PKEY_derive,CRYPTO_malloc,EVP_PKEY_derive,CRYPTO_clear_free,EVP_PKEY_CTX_free,42_2_00007FFDFF2783F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261A00 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,42_2_00007FFDFF261A00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF27C280 CRYPTO_zalloc,ERR_put_error,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,42_2_00007FFDFF27C280
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF262293 CRYPTO_free,CRYPTO_memdup,42_2_00007FFDFF262293
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2B42B0 CRYPTO_malloc,memcpy,42_2_00007FFDFF2B42B0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2862F0 ERR_put_error,CRYPTO_free,ERR_put_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,42_2_00007FFDFF2862F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2613B6 CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,42_2_00007FFDFF2613B6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26E2E0 CRYPTO_malloc,42_2_00007FFDFF26E2E0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2620FE BN_bin2bn,BN_is_zero,CRYPTO_free,CRYPTO_strdup,CRYPTO_clear_free,42_2_00007FFDFF2620FE
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2B2350 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,42_2_00007FFDFF2B2350
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF276330 CRYPTO_free,42_2_00007FFDFF276330
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF27E180 COMP_zlib,CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl,42_2_00007FFDFF27E180
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2761F8 CRYPTO_free,CRYPTO_strdup,42_2_00007FFDFF2761F8
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261131 CRYPTO_free,42_2_00007FFDFF261131
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF27E090 CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl,42_2_00007FFDFF27E090
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26E0B0 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,42_2_00007FFDFF26E0B0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2640BA BIO_get_data,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_clear_flags,BIO_get_data,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,42_2_00007FFDFF2640BA
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2980F0 CRYPTO_free,42_2_00007FFDFF2980F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF278130 CRYPTO_free,CRYPTO_memdup,42_2_00007FFDFF278130
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26195B EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,CRYPTO_memcmp,strncmp,strncmp,strncmp,strncmp,strncmp,42_2_00007FFDFF26195B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF262590 CRYPTO_free,CRYPTO_strdup,42_2_00007FFDFF262590
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E1386C0 PyExc_NotImplementedError,PyErr_Format,_PyArg_ParseTuple_SizeT,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,AddUsersToEncryptedFile,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_NoneStruct,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,free,free,free,42_2_00007FFE0E1386C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E137770 PyExc_NotImplementedError,PyErr_Format,_PyArg_ParseTuple_SizeT,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,EncryptFileW,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,_Py_NoneStruct,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,42_2_00007FFE0E137770
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E139750 PyCapsule_IsValid,PyCapsule_GetContext,PyCapsule_GetPointer,CloseEncryptedFileRaw,42_2_00007FFE0E139750
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E1397A0 PyExc_NotImplementedError,PyErr_Format,_PyArg_ParseTuple_SizeT,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyEval_SaveThread,OpenEncryptedFileRawW,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyCapsule_New,CloseEncryptedFileRaw,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,42_2_00007FFE0E1397A0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E138440 PyExc_NotImplementedError,PyErr_Format,_PyArg_ParseTuple_SizeT,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,QueryRecoveryAgentsOnEncryptedFile,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,FreeEncryptionCertificateHashList,42_2_00007FFE0E138440
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E139C90 PyExc_NotImplementedError,PyErr_Format,_PyArg_ParseTuple_SizeT,PyCapsule_GetPointer,PyCallable_Check,PyExc_TypeError,PyErr_SetString,PyEval_SaveThread,WriteEncryptedFileRaw,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct,PyErr_Occurred,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,42_2_00007FFE0E139C90
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E138530 PyExc_NotImplementedError,PyErr_Format,_PyArg_ParseTuple_SizeT,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,RemoveUsersFromEncryptedFile,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_NoneStruct,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,free,free,free,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,42_2_00007FFE0E138530
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E139DD0 PyExc_NotImplementedError,PyErr_Format,_PyArg_ParseTuple_SizeT,PyCapsule_IsValid,PyExc_TypeError,PyErr_Format,PyCapsule_GetDestructor,PyExc_TypeError,PyErr_Format,PyCapsule_GetContext,PyExc_ValueError,PyErr_Format,PyCapsule_GetPointer,CloseEncryptedFileRaw,PyCapsule_SetContext,_Py_NoneStruct,_Py_NoneStruct,42_2_00007FFE0E139DD0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E138350 PyExc_NotImplementedError,PyErr_Format,_PyArg_ParseTuple_SizeT,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,QueryUsersOnEncryptedFile,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,FreeEncryptionCertificateHashList,42_2_00007FFE0E138350
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E138840 PyExc_NotImplementedError,PyErr_Format,_Py_NoneStruct,_PyArg_ParseTupleAndKeywords_SizeT,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,?PyWinObject_AsSECURITY_ATTRIBUTES@@YAHPEAU_object@@PEAPEAU_SECURITY_ATTRIBUTES@@H@Z,DuplicateEncryptionInfoFile,_Py_NoneStruct,_Py_NoneStruct,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,42_2_00007FFE0E138840
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E137850 PyExc_NotImplementedError,PyErr_Format,_PyArg_ParseTuple_SizeT,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,DecryptFileW,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,_Py_NoneStruct,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,42_2_00007FFE0E137850
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E137940 PyExc_NotImplementedError,PyErr_Format,_PyArg_ParseTuple_SizeT,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,EncryptionDisable,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,_Py_NoneStruct,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,42_2_00007FFE0E137940
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E1399B0 PyExc_NotImplementedError,PyErr_Format,_PyArg_ParseTuple_SizeT,PyCapsule_GetPointer,PyCallable_Check,PyExc_TypeError,PyErr_SetString,PyEval_SaveThread,ReadEncryptedFileRaw,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct,PyErr_Occurred,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,42_2_00007FFE0E1399B0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E137A30 PyExc_NotImplementedError,PyErr_Format,_PyArg_ParseTuple_SizeT,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,FileEncryptionStatusW,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,_Py_BuildValue_SizeT,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,42_2_00007FFE0E137A30
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E164B08 i2d_X509,PyBytes_FromStringAndSize,CRYPTO_free,42_2_00007FFE0E164B08
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E164D90 ASN1_STRING_type,ASN1_STRING_length,ASN1_STRING_get0_data,_Py_BuildValue_SizeT,ASN1_STRING_to_UTF8,_Py_Dealloc,_Py_BuildValue_SizeT,CRYPTO_free,42_2_00007FFE0E164D90
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFE101D5D4C CRYPTO_memcmp,61_2_00007FFE101D5D4C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFE101D1640 _Py_NoneStruct,_PyArg_UnpackKeywords,PyObject_GetBuffer,PyBuffer_IsContiguous,PyObject_GetBuffer,PyBuffer_IsContiguous,PyLong_AsUnsignedLong,PyLong_AsUnsignedLong,PyLong_AsUnsignedLong,EVP_PBE_scrypt,PyBytes_FromStringAndSize,PyEval_SaveThread,EVP_PBE_scrypt,PyEval_RestoreThread,PyExc_ValueError,PyErr_SetString,PyBuffer_Release,PyBuffer_Release,PyLong_AsLong,PyErr_Occurred,PyLong_AsLong,PyErr_Occurred,PyExc_ValueError,PyExc_ValueError,PyErr_Format,_PyArg_BadArgument,_PyArg_BadArgument,_PyArg_BadArgument,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,_PyArg_BadArgument,_PyArg_BadArgument,PyExc_OverflowError,PyExc_OverflowError,_Py_Dealloc,PyExc_ValueError,61_2_00007FFE101D1640
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IDmelon FCP
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\license.rtf
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1028\license.rtf
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1029\license.rtf
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1031\license.rtf
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1036\license.rtf
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1040\license.rtf
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1041\license.rtf
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1042\license.rtf
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1045\license.rtf
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1046\license.rtf
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1049\license.rtf
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1055\license.rtf
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\2052\license.rtf
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\3082\license.rtf
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\TEMP\_MEI76402\wheel-0.37.1.dist-info\LICENSE.txt
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\TEMP\_MEI74522\wheel-0.37.1.dist-info\LICENSE.txt
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1849586045.00007FFE007DC000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: Release\win32pipe.pdb source: IDmelonCredentialProviderFidoAgent.exe
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796830655.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850949242.00007FFE126EB000.00000002.00000001.01000000.00000016.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3559599006.00007FFE126EB000.00000002.00000001.01000000.0000002F.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1793960094.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1851997301.00007FFE148E5000.00000002.00000001.01000000.0000001B.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3561138586.00007FFE148E5000.00000002.00000001.01000000.00000034.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552191616.00007FFDFB173000.00000002.00000001.01000000.00000048.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850216402.00007FFE10250000.00000002.00000001.01000000.0000001A.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3557941772.00007FFE10250000.00000002.00000001.01000000.00000033.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797096628.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32net.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3556552498.00007FFE0CF8B000.00000002.00000001.01000000.00000046.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1848382146.00007FFDFB560000.00000002.00000001.01000000.00000020.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552738977.00007FFDFB560000.00000002.00000001.01000000.00000039.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1793705243.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1852374605.00007FFE1A471000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1851811168.00007FFE13340000.00000002.00000001.01000000.00000013.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3560831235.00007FFE13340000.00000002.00000001.01000000.0000002C.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796691603.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3557684052.00007FFE101D6000.00000002.00000001.01000000.00000040.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb!! source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850081048.00007FFE0EB53000.00000002.00000001.01000000.0000001D.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3557550398.00007FFE0EB53000.00000002.00000001.01000000.00000036.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1794325546.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850346185.00007FFE10307000.00000002.00000001.01000000.00000022.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3558126165.00007FFE10307000.00000002.00000001.01000000.0000003B.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850692204.00007FFE11ED2000.00000002.00000001.01000000.00000017.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3559091949.00007FFE11ED2000.00000002.00000001.01000000.00000030.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850081048.00007FFE0EB53000.00000002.00000001.01000000.0000001D.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3557550398.00007FFE0EB53000.00000002.00000001.01000000.00000036.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796830655.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850949242.00007FFE126EB000.00000002.00000001.01000000.00000016.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3559599006.00007FFE126EB000.00000002.00000001.01000000.0000002F.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1795496166.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1851663900.00007FFE1331D000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32trace.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1808311402.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797329564.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850495884.00007FFE11518000.00000002.00000001.01000000.00000018.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3558762539.00007FFE11518000.00000002.00000001.01000000.00000031.sdmp
Source: Binary string: X509_SIGPKCS8_encrypt_excrypto\pkcs12\p12_p8e.cPKCS8_set0_pbe_excompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552191616.00007FFDFB173000.00000002.00000001.01000000.00000048.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32event.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1807662583.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850825037.00007FFE126C5000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: vc_redist.x64.exe, 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp, vc_redist.x64.exe, 00000001.00000000.1743438340.000000000074B000.00000002.00000001.01000000.00000008.sdmp, VC_redist.x64.exe, 00000002.00000000.1744517622.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp, VC_redist.x64.exe, 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1806410846.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3553644070.00007FFDFF24C000.00000002.00000001.01000000.00000043.sdmp
Source: Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1849359534.00007FFDFF2D6000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb}},GCTL source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1849586045.00007FFE007DC000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1848382146.00007FFDFB560000.00000002.00000001.01000000.00000020.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552738977.00007FFDFB560000.00000002.00000001.01000000.00000039.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797171782.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1851359154.00007FFE130C5000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: C:\projects\hidapi\windows\x64\Release\hidapi.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1801775652.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1848382146.00007FFDFB5E2000.00000002.00000001.01000000.00000020.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552738977.00007FFDFB5E2000.00000002.00000001.01000000.00000039.sdmp
Source: Binary string: win32event.pdb source: IDmelonCredentialProviderFidoAgent.exe
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32pipe.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1808188425.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1851215514.00007FFE12E15000.00000002.00000001.01000000.00000024.sdmp
Source: Binary string: D:\a\1\b\libssl-1_1.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1849359534.00007FFDFF2D6000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1805593313.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1852181208.00007FFE1A453000.00000002.00000001.01000000.00000019.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3561376814.00007FFE1A453000.00000002.00000001.01000000.00000032.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32evtlog.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1807773718.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_msi.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797014534.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797550299.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3554382967.00007FFE00712000.00000002.00000001.01000000.0000005C.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32file.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1849767280.00007FFE0E145000.00000002.00000001.01000000.00000025.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3556996574.00007FFE0E145000.00000002.00000001.01000000.0000003E.sdmp
Source: Binary string: crypto\stack\stack.cOPENSSL_sk_dupOPENSSL_sk_deep_copysk_reserveOPENSSL_sk_new_reserveOPENSSL_sk_reserveOPENSSL_sk_insertOPENSSL_sk_seti=%dcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC3.1.4built on: Fri Nov 24 00:12:45 2023 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptoOPENSSL_atexitcrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552191616.00007FFDFB173000.00000002.00000001.01000000.00000048.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python310.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1848855199.00007FFDFB9AF000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797255867.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1851503816.00007FFE13303000.00000002.00000001.01000000.0000001E.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3560281403.00007FFE13303000.00000002.00000001.01000000.00000037.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-7t032bmh\src\rust\target\release\deps\cryptography_rust.pdbcQ source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552191616.00007FFDFB173000.00000002.00000001.01000000.00000048.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb** source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850216402.00007FFE10250000.00000002.00000001.01000000.0000001A.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3557941772.00007FFE10250000.00000002.00000001.01000000.00000033.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\_win32sysloader.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1807395817.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-7t032bmh\src\rust\target\release\deps\cryptography_rust.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552191616.00007FFDFB173000.00000002.00000001.01000000.00000048.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803952195.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1844050931.000002B6C7D00000.00000002.00000001.01000000.00000012.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548123572.00000189154D0000.00000002.00000001.01000000.0000002B.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1849892218.00007FFE0E16D000.00000002.00000001.01000000.0000001F.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3557130778.00007FFE0E16D000.00000002.00000001.01000000.00000038.sdmp
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFE0CF889A0 PyArg_ParseTuple,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyExc_ValueError,PyErr_SetString,NetUserEnum,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyList_New,Py_BuildValue,_Py_Dealloc,NetApiBufferFree,_Py_Dealloc,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,61_2_00007FFE0CF889A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeCode function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C63
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeCode function: 0_2_004068B4 FindFirstFileW,FindClose,0_2_004068B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeCode function: 0_2_00402910 FindFirstFileW,0_2_00402910
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_00703BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,1_2_00703BC3
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_00744315 FindFirstFileW,FindClose,1_2_00744315
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_0071993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,1_2_0071993E
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCode function: 2_2_00B33BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,2_2_00B33BC3
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCode function: 2_2_00B74315 FindFirstFileW,FindClose,2_2_00B74315
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCode function: 2_2_00B4993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,2_2_00B4993E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 33_2_00007FF6CFE58110 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,33_2_00007FF6CFE58110
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 33_2_00007FF6CFE47B80 FindFirstFileExW,FindClose,33_2_00007FF6CFE47B80
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 33_2_00007FF6CFE620D4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,33_2_00007FF6CFE620D4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB31322E _errno,malloc,_errno,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,42_2_00007FFDFB31322E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E13AC60 _Py_NoneStruct,_PyArg_ParseTupleAndKeywords_SizeT,?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z,PyExc_NotImplementedError,PyErr_Format,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,_PyObject_New,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,memset,PyEval_SaveThread,FindFirstFileTransactedW,FindFirstFileW,PyEval_RestoreThread,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,GetLastError,_Py_Dealloc,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,42_2_00007FFE0E13AC60
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E13B100 PyExc_NotImplementedError,PyErr_Format,_Py_NoneStruct,_PyArg_ParseTupleAndKeywords_SizeT,?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z,PyExc_NotImplementedError,PyErr_Format,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,malloc,FindFirstFileNameTransactedW,FindFirstFileNameW,PyList_New,FindNextFileNameW,?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W@Z,PyList_Append,_Py_Dealloc,GetLastError,free,PyExc_MemoryError,PyErr_Format,_Py_Dealloc,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_Dealloc,FindClose,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,free,42_2_00007FFE0E13B100
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E13AA10 _Py_NoneStruct,_PyArg_ParseTupleAndKeywords_SizeT,?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z,PyExc_NotImplementedError,PyErr_Format,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,memset,FindFirstFileTransactedW,FindFirstFileW,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,GetLastError,PyList_New,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyList_New,FindClose,?PyObject_FromWIN32_FIND_DATAW@@YAPEAU_object@@PEAU_WIN32_FIND_DATAW@@@Z,PyList_Append,_Py_Dealloc,memset,FindNextFileW,GetLastError,FindClose,_Py_Dealloc,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,FindClose,_Py_Dealloc,42_2_00007FFE0E13AA10
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0EB43740 _PyArg_ParseTuple_SizeT,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyList_New,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,FindFirstFileW,GetLastError,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,?PyObject_FromWIN32_FIND_DATAW@@YAPEAU_object@@PEAU_WIN32_FIND_DATAW@@@Z,PyList_Append,_Py_Dealloc,FindNextFileW,GetLastError,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,FindClose,_Py_Dealloc,42_2_00007FFE0EB43740
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31322E _errno,malloc,_errno,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,61_2_00007FFDFB31322E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFE0C0B7A14 FindFirstFileExA,61_2_00007FFE0C0B7A14
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0EB455A0 _PyArg_ParseTuple_SizeT,GetLogicalDriveStringsW,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,GetLogicalDriveStringsW,?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W_J@Z,42_2_00007FFE0EB455A0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E136990 _PyArg_ParseTuple_SizeT,?PySocket_AsSOCKET@@YAHPEAU_object@@PEA_K@Z,?PyWinObject_AsOVERLAPPED@@YAHPEAU_object@@PEAPEAU_OVERLAPPED@@H@Z,?init@PyWinBufferView@@QEAA_NPEAU_object@@_N1@Z,PyEval_SaveThread,WSARecv,PyEval_RestoreThread,WSAGetLastError,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_Dealloc,_Py_Dealloc,??1PyWinBufferView@@QEAA@XZ,PyTuple_New,PyLong_FromLong,PyLong_FromLong,42_2_00007FFE0E136990
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1824632133.000002B6C8D9B000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1847031718.000002B6C9510000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1826384064.000002B6C8E3C000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1824632133.000002B6C8E3C000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1831394006.000002B6C8D9B000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1829634308.000002B6C8E3D000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1831587270.000002B6C8DB7000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1826755988.000002B6C8E3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1846709124.000002B6C9150000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549889026.00000189168E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1823447211.000002B6C8E39000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1826008954.000002B6C8E52000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1823213302.000002B6C8E22000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1824632133.000002B6C8E3C000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1825326013.000002B6C8E47000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1826578020.000002B6C8E53000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.0000018916400000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.python.org/library/unittest.html
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1845807872.000002B6C8B50000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1815399055.000002B6C88A8000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549142565.00000189162E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://github.com/ActiveState/appdirs
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000003.1894328112.0000018916646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548777503.0000018915EE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.0000018916400000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000003.1894052173.000001891601C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1805837120.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://mail.python.org/pipermail/distutils-sig/
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, 00000000.00000003.1833445682.0000000000529000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, 00000000.00000000.1683234838.000000000040A000.00000008.00000001.01000000.00000003.sdmp, SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, 00000000.00000002.1883028898.000000000040A000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nssm.exe, nssm.exe, 00000003.00000002.1754583373.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000005.00000000.1755789435.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000007.00000002.1759170965.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000009.00000000.1759366190.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000000B.00000002.1761797434.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000000D.00000000.1763020089.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000000F.00000002.1767022783.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000011.00000002.1769910243.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000013.00000002.1773618174.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000015.00000002.1776669582.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000017.00000002.1778308187.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000019.00000000.1778598942.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000001B.00000002.1782225763.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000001D.00000002.1802264402.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 0000001F.00000000.1784612818.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000023.00000002.1803746734.0000000140065000.00000002.00000001.01000000.0000000E.sdmp, nssm.exe, 00000025.00000000.1805095150.0000000140065000.00000002.00000001.01000000.0000000E.sdmpString found in binary or memory: http://nssm.cc/
Source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796691603.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1802315155.000001D1925F0000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797096628.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797550299.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797329564.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1794325546.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797437275.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797171782.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803258113.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1806410846.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803806783.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797014534.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796291220.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797255867.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1805593313.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 
00000021.00000003.1795496166.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1804394620.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803952195.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
Source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796830655.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1802315155.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796440264.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796691603.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797096628.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797550299.000001D1925F0000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797550299.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797329564.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1794325546.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797437275.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797171782.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803258113.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1806410846.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803806783.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797014534.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 
00000021.00000003.1796291220.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797255867.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1805593313.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1795496166.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1804394620.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803952195.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
Source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796830655.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803051162.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1802315155.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796440264.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796691603.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1802315155.000001D1925F0000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797096628.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797550299.000001D1925F0000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797550299.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797329564.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1794325546.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797437275.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797171782.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803258113.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1806410846.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 
00000021.00000003.1803806783.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797014534.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796291220.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797255867.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1805593313.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1795496166.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
Source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803051162.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
Source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796830655.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1802315155.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796440264.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796691603.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797096628.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797550299.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797329564.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1794325546.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797437275.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797171782.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803258113.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1806410846.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803806783.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797014534.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796291220.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 
00000021.00000003.1797255867.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1805593313.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1795496166.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1804394620.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803952195.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
Source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1852969675.000001D1925DC000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000002.1853503473.000001D1925DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803051162.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1845630706.000002B6C8950000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1844100921.000002B6C819C000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548349992.00000189158A0000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548998931.00000189160E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548584023.0000018915CE9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pyparsing.wikispaces.com
Source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1852969675.000001D1925DC000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000002.1853503473.000001D1925DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesi
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1846791313.000002B6C9250000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549964278.00000189169E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://stackoverflow.com/questions/19622133/
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1828283165.000002B6C85F4000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1827263064.000002B6C878A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1827715074.000002B6C85F1000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1825448674.000002B6C85F1000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1828993642.000002B6C85F8000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1845980806.000002B6C8CA6000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1831868832.000002B6C879A000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1835395402.000002B6C8600000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1834526935.000002B6C8C9F000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1834637171.000002B6C85F9000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1832387790.000002B6C8C91000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1825592626.000002B6C8783000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000003.1889276753.0000018916430000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000003.1889276753.00000189163E1000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548584023.0000018915CE9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 
http://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular-
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548584023.0000018915CE9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3550260783.0000018916E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803051162.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803051162.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803051162.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3550821834.0000018917550000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wdavis.edtm
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.00000189165C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: VC_redist.x64.exe, 00000002.00000003.1749953077.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, VC_redist.x64.exe, 00000002.00000003.1750587771.0000000002D80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1845717835.000002B6C8A50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.00000189165C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796830655.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1802315155.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796440264.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796691603.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1802315155.000001D1925F0000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797096628.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797550299.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797329564.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1794325546.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797437275.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797171782.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803258113.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1806410846.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803806783.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797014534.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 
00000021.00000003.1796291220.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797255867.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1805593313.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1795496166.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1804394620.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803952195.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1824632133.000002B6C8D9B000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1829540044.000002B6C8DC3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1827568606.000002B6C8DC2000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1827508354.000002B6C8DBC000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.0000018916613000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1824458321.000002B6C8EED000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1847031718.000002B6C945C000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1824458321.000002B6C8EFD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1846896524.000002B6C9350000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3550037860.0000018916AF0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.nightmare.com/squirl/python-ext/misc/syslog.py
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.00000189165C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.0000018916400000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wwwsearch.sf.net/):
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Code function: 0_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 42_2_00007FFE0EB44FC0 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,GetAsyncKeyState,PyEval_RestoreThread,_Py_BuildValue_SizeT
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 61_2_00007FFE0CFA1E90 PyList_New,GetActiveProcessorCount,PyErr_SetFromWindowsErr,_Py_Dealloc,free,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,PyExc_RuntimeError,PyErr_SetString,malloc,PyErr_NoMemory,NtQuerySystemInformation,Py_BuildValue,PyList_Append,_Py_Dealloc,free,_Py_Dealloc
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 61_2_00007FFE0CFA6E40 PyExc_RuntimeError,PyErr_SetString,OpenProcess,GetLastError,NtQueryInformationProcess,CloseHandle,CloseHandle,calloc,PyErr_NoMemory,CloseHandle,NtQueryInformationProcess,calloc,PyErr_NoMemory,free,CloseHandle,wcscpy_s,free,CloseHandle
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 61_2_00007FFE0CFA6250 GetProcessHeap,HeapAlloc,GetFileType,SetLastError,NtQueryObject,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,PyErr_NoMemory,GetProcessHeap,HeapFree
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 61_2_00007FFE0CFA4A70 PyArg_ParseTuple,OpenProcess,GetLastError,GetProcessHeap,HeapAlloc,NtQueryVirtualMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQueryVirtualMemory,PyExc_RuntimeError,PyErr_SetString,CloseHandle,PyErr_Clear,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,Py_BuildValue,PyErr_NoMemory,CloseHandle
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 61_2_00007FFE0CFA2480 GetActiveProcessorCount,PyErr_SetFromWindowsErr,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,PyExc_RuntimeError,PyErr_SetString,malloc,PyErr_NoMemory,NtQuerySystemInformation,free,malloc,PyErr_NoMemory,NtQuerySystemInformation,malloc,PyErr_NoMemory,NtQuerySystemInformation,free,free,free,free,free,Py_BuildValue
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 61_2_00007FFE0CFA4680 PyArg_ParseTuple,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,Py_BuildValue,PyUnicode_FromWideChar,GetProcessHeap,HeapFree,PyErr_NoMemory
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 61_2_00007FFE0CFA6AA0 OpenProcess,GetLastError,NtQueryInformationProcess,RtlNtStatusToDosErrorNoTeb,PyErr_SetFromWindowsErrWithFilename,CloseHandle,ReadProcessMemory,GetLastError,CloseHandle,ReadProcessMemory,NtQueryInformationProcess,CloseHandle,ReadProcessMemory,ReadProcessMemory,VirtualQueryEx,GetLastError,PyErr_SetFromWindowsErrWithFilename,CloseHandle,calloc,PyErr_NoMemory,CloseHandle,ReadProcessMemory,GetLastError,CloseHandle,free,CloseHandle
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 61_2_00007FFE0CFA73F0 malloc,NtQuerySystemInformation,free,malloc,PyErr_NoMemory,free,free
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 61_2_00007FFE0CFA4D00 PyArg_ParseTuple,OpenProcess,GetLastError,PyObject_IsTrue,NtSuspendProcess,NtResumeProcess,CloseHandle,_Py_NoneStruct,_Py_NoneStruct
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 61_2_00007FFE0CFA6600 PyList_New,EnterCriticalSection,GetProcessHeap,HeapAlloc,PyErr_NoMemory,_Py_Dealloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,PyExc_RuntimeError,PyErr_SetString,GetCurrentProcess,DuplicateHandle,PyUnicode_FromWideChar,PyList_Append,_Py_Dealloc,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,_Py_Dealloc,GetProcessHeap,HeapFree,LeaveCriticalSection
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 61_2_00007FFE0CFA5810 PyArg_ParseTuple,OpenProcess,GetLastError,NtSetInformationProcess,CloseHandle,_Py_NoneStruct,_Py_NoneStruct
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 61_2_00007FFE0CFA5720 PyArg_ParseTuple,OpenProcess,GetLastError,NtQueryInformationProcess,CloseHandle,Py_BuildValue
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 42_2_00007FFE0E133B30: _Py_NoneStruct,_PyArg_ParseTupleAndKeywords_SizeT,?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z,?init@PyWinBufferView@@QEAA_NPEAU_object@@_N1@Z,?PyWinObject_AsOVERLAPPED@@YAHPEAU_object@@PEAPEAU_OVERLAPPED@@H@Z,PyLong_AsLong,PyErr_Occurred,PyErr_Clear,?init@PyWinBufferView@@QEAA_NPEAU_object@@_N1@Z,PyErr_Clear,PyExc_TypeError,PyErr_Format,?PyBuffer_New@@YAPEAU_object@@_J@Z,?init@PyWinBufferView@@QEAA_NPEAU_object@@_N1@Z,_Py_Dealloc,PyBytes_FromStringAndSize,PyEval_SaveThread,DeviceIoControl,PyEval_RestoreThread,GetLastError,_Py_Dealloc,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PySequence_GetSlice,_Py_Dealloc,_PyBytes_Resize,??1PyWinBufferView@@QEAA@XZ,??1PyWinBufferView@@QEAA@XZ
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Code function: 3_2_00000001400133A0 _snwprintf_s,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 42_2_00007FFE0EB45B30 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,ExitWindowsEx,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_NoneStruct,_Py_NoneStruct
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 42_2_00007FFE0EB45A90 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,ExitWindowsEx,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_NoneStruct,_Py_NoneStruct
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe File created: C:\Windows\System32\IDmelonV2CredentialProvider.dll
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe File deleted: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB550E0042_2_00007FFDFB550E00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB3160A042_2_00007FFDFB3160A0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB3122ED42_2_00007FFDFB3122ED
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB31114042_2_00007FFDFB311140
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB31704A42_2_00007FFDFB31704A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB3C044042_2_00007FFDFB3C0440
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB312C7A42_2_00007FFDFB312C7A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB315B1442_2_00007FFDFB315B14
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB4B417042_2_00007FFDFB4B4170
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB31410642_2_00007FFDFB314106
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB315B7842_2_00007FFDFB315B78
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB316C2142_2_00007FFDFB316C21
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB314B5B42_2_00007FFDFB314B5B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB44C66042_2_00007FFDFB44C660
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB3129D242_2_00007FFDFB3129D2
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB31463842_2_00007FFDFB314638
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB3125F442_2_00007FFDFB3125F4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB32C62042_2_00007FFDFB32C620
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB31177B42_2_00007FFDFB31177B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB3172C542_2_00007FFDFB3172C5
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB32C48042_2_00007FFDFB32C480
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB31214442_2_00007FFDFB312144
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB3169E742_2_00007FFDFB3169E7
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261C9942_2_00007FFDFF261C99
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26199C42_2_00007FFDFF26199C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26139842_2_00007FFDFF261398
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26114F42_2_00007FFDFF26114F
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26145142_2_00007FFDFF261451
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26F9C542_2_00007FFDFF26F9C5
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2613F242_2_00007FFDFF2613F2
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2617BE42_2_00007FFDFF2617BE
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261A8C42_2_00007FFDFF261A8C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF27F66042_2_00007FFDFF27F660
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26B36042_2_00007FFDFF26B360
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26115E42_2_00007FFDFF26115E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2712F042_2_00007FFDFF2712F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2615B442_2_00007FFDFF2615B4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261BE042_2_00007FFDFF261BE0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2620B342_2_00007FFDFF2620B3
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26168B42_2_00007FFDFF26168B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF266BA042_2_00007FFDFF266BA0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26153742_2_00007FFDFF261537
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2C0B5042_2_00007FFDFF2C0B50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26257242_2_00007FFDFF262572
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2C846042_2_00007FFDFF2C8460
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF261DD442_2_00007FFDFF261DD4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF2B024042_2_00007FFDFF2B0240
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFF26195B42_2_00007FFDFF26195B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE007982C042_2_00007FFE007982C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE007BE07042_2_00007FFE007BE070
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE007B218042_2_00007FFE007B2180
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE007883F042_2_00007FFE007883F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE007BD6C042_2_00007FFE007BD6C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE007B26D042_2_00007FFE007B26D0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE007C08B042_2_00007FFE007C08B0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE007A9AC042_2_00007FFE007A9AC0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE007C6AE042_2_00007FFE007C6AE0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE007ACBD042_2_00007FFE007ACBD0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE007C0BE042_2_00007FFE007C0BE0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE007ABD2042_2_00007FFE007ABD20
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE00797E9042_2_00007FFE00797E90
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E140E5042_2_00007FFE0E140E50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E13AE5042_2_00007FFE0E13AE50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E137DA042_2_00007FFE0E137DA0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E13161242_2_00007FFE0E131612
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E13809042_2_00007FFE0E138090
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E13AA1042_2_00007FFE0E13AA10
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E1698DC42_2_00007FFE0E1698DC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E16950442_2_00007FFE0E169504
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E16815042_2_00007FFE0E168150
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E16B43442_2_00007FFE0E16B434
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E16563842_2_00007FFE0E165638
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0EB43B2042_2_00007FFE0EB43B20
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0EB4374042_2_00007FFE0EB43740
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0EB445C042_2_00007FFE0EB445C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31707C61_2_00007FFDFB31707C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31369861_2_00007FFDFB313698
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31416A61_2_00007FFDFB31416A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31348B61_2_00007FFDFB31348B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB32BF2061_2_00007FFDFB32BF20
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3160DC61_2_00007FFDFB3160DC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB32BD6061_2_00007FFDFB32BD60
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB315E2561_2_00007FFDFB315E25
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB315A6561_2_00007FFDFB315A65
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB443CC061_2_00007FFDFB443CC0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB311CC661_2_00007FFDFB311CC6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB313BA761_2_00007FFDFB313BA7
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31267161_2_00007FFDFB312671
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31298761_2_00007FFDFB312987
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31383761_2_00007FFDFB313837
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31725761_2_00007FFDFB317257
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB316EF161_2_00007FFDFB316EF1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB33B1C061_2_00007FFDFB33B1C0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31114F61_2_00007FFDFB31114F
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB32F20061_2_00007FFDFB32F200
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB32F06061_2_00007FFDFB32F060
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3150B061_2_00007FFDFB3150B0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB4CB0E061_2_00007FFDFB4CB0E0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB44778061_2_00007FFDFB447780
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3157D661_2_00007FFDFB3157D6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31435E61_2_00007FFDFB31435E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB311B3661_2_00007FFDFB311B36
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31379261_2_00007FFDFB313792
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB37F70061_2_00007FFDFB37F700
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31474B61_2_00007FFDFB31474B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB44748061_2_00007FFDFB447480
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB312D1061_2_00007FFDFB312D10
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB33B55061_2_00007FFDFB33B550
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB311B2761_2_00007FFDFB311B27
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB313A9461_2_00007FFDFB313A94
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB452C0061_2_00007FFDFB452C00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB315F1061_2_00007FFDFB315F10
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB314D0961_2_00007FFDFB314D09
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB315DA361_2_00007FFDFB315DA3
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3123F661_2_00007FFDFB3123F6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3144CB61_2_00007FFDFB3144CB
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3153AD61_2_00007FFDFB3153AD
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB4CA90061_2_00007FFDFB4CA900
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31638E61_2_00007FFDFB31638E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB4B301061_2_00007FFDFB4B3010
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3153C661_2_00007FFDFB3153C6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31213A61_2_00007FFDFB31213A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31217161_2_00007FFDFB312171
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB314F4361_2_00007FFDFB314F43
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB32EF0061_2_00007FFDFB32EF00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31129961_2_00007FFDFB311299
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31656461_2_00007FFDFB316564
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3F2CD061_2_00007FFDFB3F2CD0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3154CF61_2_00007FFDFB3154CF
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3115C861_2_00007FFDFB3115C8
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31543461_2_00007FFDFB315434
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB316EBF61_2_00007FFDFB316EBF
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB311A5061_2_00007FFDFB311A50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31363461_2_00007FFDFB313634
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31230161_2_00007FFDFB312301
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3126EE61_2_00007FFDFB3126EE
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB312FD161_2_00007FFDFB312FD1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3111CC61_2_00007FFDFB3111CC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB316D5C61_2_00007FFDFB316D5C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB4C610061_2_00007FFDFB4C6100
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB314E5361_2_00007FFDFB314E53
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3168CA61_2_00007FFDFB3168CA
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB4525D061_2_00007FFDFB4525D0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31318E61_2_00007FFDFB31318E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB316FFF61_2_00007FFDFB316FFF
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB43E5F061_2_00007FFDFB43E5F0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31144C61_2_00007FFDFB31144C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31121761_2_00007FFDFB311217
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31440861_2_00007FFDFB314408
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3165A061_2_00007FFDFB3165A0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3110AA61_2_00007FFDFB3110AA
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB311D0261_2_00007FFDFB311D02
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31360261_2_00007FFDFB313602
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB43DC5061_2_00007FFDFB43DC50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB4C99D061_2_00007FFDFB4C99D0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3159FC61_2_00007FFDFB3159FC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB313A8A61_2_00007FFDFB313A8A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31142461_2_00007FFDFB311424
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31276161_2_00007FFDFB312761
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB314C1961_2_00007FFDFB314C19
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3122B161_2_00007FFDFB3122B1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31736A61_2_00007FFDFB31736A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB311D8861_2_00007FFDFB311D88
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3172AC61_2_00007FFDFB3172AC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31162261_2_00007FFDFB311622
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31228E61_2_00007FFDFB31228E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31551561_2_00007FFDFB315515
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31428C61_2_00007FFDFB31428C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB32D26061_2_00007FFDFB32D260
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3130C661_2_00007FFDFB3130C6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB315BF561_2_00007FFDFB315BF5
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB33520061_2_00007FFDFB335200
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB4B50B061_2_00007FFDFB4B50B0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB44913061_2_00007FFDFB449130
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31710D61_2_00007FFDFB31710D
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB4C910061_2_00007FFDFB4C9100
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB45176061_2_00007FFDFB451760
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB314C3C61_2_00007FFDFB314C3C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3154D461_2_00007FFDFB3154D4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB312E9161_2_00007FFDFB312E91
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31276B61_2_00007FFDFB31276B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB314ACA61_2_00007FFDFB314ACA
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31504C61_2_00007FFDFB31504C
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31561461_2_00007FFDFB315614
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3132EC61_2_00007FFDFB3132EC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB44149061_2_00007FFDFB441490
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31593461_2_00007FFDFB315934
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB311EA661_2_00007FFDFB311EA6
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB44896061_2_00007FFDFB448960
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31516E61_2_00007FFDFB31516E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB313B9861_2_00007FFDFB313B98
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB314A5961_2_00007FFDFB314A59
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB316CBC61_2_00007FFDFB316CBC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB312D7961_2_00007FFDFB312D79
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB315D8A61_2_00007FFDFB315D8A
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31655F61_2_00007FFDFB31655F
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB313FDF61_2_00007FFDFB313FDF
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB316A8761_2_00007FFDFB316A87
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB311F9B61_2_00007FFDFB311F9B
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB3121BC61_2_00007FFDFB3121BC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB316F2861_2_00007FFDFB316F28
Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\IDmelon\FCP\CommandLine.dll 2135B40FA819E58CF1942453E4409BFDEA2BE631077A354B878DE8402BE7E026
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeStatic PE information: invalid certificate
Source: unicodedata.pyd.33.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: python3.dll.33.drStatic PE information: No import functions for PE file found
Source: IDmelonFcp.exe.0.drStatic PE information: No import functions for PE file found
Source: FileDeleter.exe.0.drStatic PE information: No import functions for PE file found
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, 00000000.00000002.1883028898.000000000040A000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engineClassification label: mal80.evad.winEXE@97/273@0/0
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_0073FD20 FormatMessageW,GetLastError,LocalFree,1_2_0073FD20
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeCode function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403532
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_007044E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,1_2_007044E9
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCode function: 2_2_00B344E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,2_2_00B344E9
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeCode function: 3_2_000000014000A810 GetCurrentThread,OpenThreadToken,GetLastError,ImpersonateSelf,GetCurrentThread,OpenThreadToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle,3_2_000000014000A810
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFE0CFA7DB0 GetCurrentProcess,OpenProcessToken,GetLastError,ImpersonateSelf,OpenProcessToken,GetLastError,PyErr_SetFromWindowsErrWithFilename,LookupPrivilegeValueA,GetLastError,PyErr_SetFromWindowsErrWithFilename,AdjustTokenPrivileges,GetLastError,PyErr_SetFromWindowsErrWithFilename,AdjustTokenPrivileges,RevertToSelf,CloseHandle,61_2_00007FFE0CFA7DB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeCode function: 0_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004049C7
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeCode function: _snwprintf_s,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,3_2_00000001400133A0
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeCode function: 3_2_000000014000ACB0 CreateToolhelp32Snapshot,GetLastError,GetLastError,CloseHandle,PostThreadMessageW,Thread32Next,PostThreadMessageW,Thread32Next,GetLastError,GetLastError,CloseHandle,3_2_000000014000ACB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeCode function: 0_2_004021AF CoCreateInstance,0_2_004021AF
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeCode function: 3_2_0000000140002840 GetUserDefaultLangID,FindResourceExW,GetLastError,FindResourceExW,LoadResource,CreateDialogIndirectParamW,3_2_0000000140002840
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_00726945 ChangeServiceConfigW,GetLastError,1_2_00726945
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeCode function: 3_2_000000014000A2E0 _snwprintf_s,PathQuoteSpacesW,GetModuleFileNameW,GetModuleFileNameW,PathQuoteSpacesW,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError,3_2_000000014000A2E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile created: C:\Program Files (x86)\IDmelon
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile created: C:\Users\user\AppData\Local\Temp\nsrC545.tmp
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCommand line argument: cabinet.dll1_2_00701070
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCommand line argument: version.dll1_2_00701070
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCommand line argument: wininet.dll1_2_00701070
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCommand line argument: comres.dll1_2_00701070
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCommand line argument: clbcatq.dll1_2_00701070
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCommand line argument: feclient.dll1_2_00701070
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCommand line argument: cabinet.dll2_2_00B31070
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCommand line argument: msi.dll2_2_00B31070
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCommand line argument: version.dll2_2_00B31070
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCommand line argument: wininet.dll2_2_00B31070
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCommand line argument: comres.dll2_2_00B31070
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCommand line argument: clbcatq.dll2_2_00B31070
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCommand line argument: msasn1.dll2_2_00B31070
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCommand line argument: crypt32.dll2_2_00B31070
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCommand line argument: feclient.dll2_2_00B31070
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeReversingLabs: Detection: 18%
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeVirustotal: Detection: 12%
Source: vc_redist.x64.exeString found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: VC_redist.x64.exeString found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe "C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" /quiet
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeProcess created: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe "C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" -burn.filehandle.attached=508 -burn.filehandle.self=684 /quiet
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" install IDmelonFidoCredentialProviderService "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Application "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppDirectory "C:\Program Files (x86)\IDmelon\FCP"
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdout "C:\Program Files (x86)\IDmelon\FCP\logs.log"
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderr "C:\Program Files (x86)\IDmelon\FCP\logs.log"
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Description "Handles the FIDO authentication of IDmelon credential provider."
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdoutCreationDisposition 4
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeProcess created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderrCreationDisposition 4
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateFiles 1
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateOnline 0
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateSeconds 14400
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateBytes 5000000
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Start SERVICE_AUTO_START
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" restart IDmelonFidoCredentialProviderService
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Process created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" status IDmelonFidoCredentialProviderService
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" start IDmelonFidoCredentialProviderService
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "C:\Program Files (x86)\IDmelon\FCP\cashedData.xml" /e /p Everyone:f
Source: C:\Windows\SysWOW64\cacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "C:\Program Files (x86)\IDmelon\FCP\service_log.lo" /e /p Everyone:f
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Process created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Windows\SysWOW64\cacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Program Files (x86)\IDmelon\FCP" /inheritance:d
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Program Files (x86)\IDmelon\FCP" /grant:r everyone:(OI)(CI)(F) /T
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=out program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule IDmelonFidoCredentialProviderService dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule IDmelonFidoCredentialProviderService dir=out program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Process created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Process created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe "C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" /quiet
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" install IDmelonFidoCredentialProviderService "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Application "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppDirectory "C:\Program Files (x86)\IDmelon\FCP"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdout "C:\Program Files (x86)\IDmelon\FCP\logs.log"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderr "C:\Program Files (x86)\IDmelon\FCP\logs.log"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Description "Handles the FIDO authentication of IDmelon credential provider."
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdoutCreationDisposition 4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderrCreationDisposition 4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe Process created: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe "C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" -burn.filehandle.attached=508 -burn.filehandle.self=684 /quiet
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: version.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: vcruntime140.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: cryptsp.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: rsaenh.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: cryptbase.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: libffi-7.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: iphlpapi.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: vcruntime140_1.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: urlmon.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: iertutil.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: srvcli.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: netutils.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: secur32.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: sspicli.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: libcrypto-1_1.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: libssl-1_1.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: mswsock.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: sfc.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: sfc_os.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: powrprof.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: pdh.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: umpdc.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: wtsapi32.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: netapi32.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: wkscli.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: logoncli.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: samcli.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: hid.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: winsta.dll
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeSection loaded: samlib.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, File written: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\ioSpecial.ini
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IDmelon FCP
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Static file information: File size 42660808 > 1048576
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1849586045.00007FFE007DC000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: Release\win32pipe.pdb source: IDmelonCredentialProviderFidoAgent.exe
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796830655.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850949242.00007FFE126EB000.00000002.00000001.01000000.00000016.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3559599006.00007FFE126EB000.00000002.00000001.01000000.0000002F.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1793960094.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1851997301.00007FFE148E5000.00000002.00000001.01000000.0000001B.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3561138586.00007FFE148E5000.00000002.00000001.01000000.00000034.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552191616.00007FFDFB173000.00000002.00000001.01000000.00000048.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850216402.00007FFE10250000.00000002.00000001.01000000.0000001A.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3557941772.00007FFE10250000.00000002.00000001.01000000.00000033.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797096628.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32net.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3556552498.00007FFE0CF8B000.00000002.00000001.01000000.00000046.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1848382146.00007FFDFB560000.00000002.00000001.01000000.00000020.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552738977.00007FFDFB560000.00000002.00000001.01000000.00000039.sdmp
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1793705243.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1852374605.00007FFE1A471000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1851811168.00007FFE13340000.00000002.00000001.01000000.00000013.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3560831235.00007FFE13340000.00000002.00000001.01000000.0000002C.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796691603.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3557684052.00007FFE101D6000.00000002.00000001.01000000.00000040.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb!! source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850081048.00007FFE0EB53000.00000002.00000001.01000000.0000001D.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3557550398.00007FFE0EB53000.00000002.00000001.01000000.00000036.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1794325546.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850346185.00007FFE10307000.00000002.00000001.01000000.00000022.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3558126165.00007FFE10307000.00000002.00000001.01000000.0000003B.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850692204.00007FFE11ED2000.00000002.00000001.01000000.00000017.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3559091949.00007FFE11ED2000.00000002.00000001.01000000.00000030.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850081048.00007FFE0EB53000.00000002.00000001.01000000.0000001D.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3557550398.00007FFE0EB53000.00000002.00000001.01000000.00000036.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796830655.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850949242.00007FFE126EB000.00000002.00000001.01000000.00000016.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3559599006.00007FFE126EB000.00000002.00000001.01000000.0000002F.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1795496166.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1851663900.00007FFE1331D000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32trace.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1808311402.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797329564.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850495884.00007FFE11518000.00000002.00000001.01000000.00000018.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3558762539.00007FFE11518000.00000002.00000001.01000000.00000031.sdmp
Source: Binary string: X509_SIGPKCS8_encrypt_excrypto\pkcs12\p12_p8e.cPKCS8_set0_pbe_excompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552191616.00007FFDFB173000.00000002.00000001.01000000.00000048.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32event.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1807662583.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850825037.00007FFE126C5000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: vc_redist.x64.exe, 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp, vc_redist.x64.exe, 00000001.00000000.1743438340.000000000074B000.00000002.00000001.01000000.00000008.sdmp, VC_redist.x64.exe, 00000002.00000000.1744517622.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp, VC_redist.x64.exe, 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1806410846.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3553644070.00007FFDFF24C000.00000002.00000001.01000000.00000043.sdmp
Source: Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1849359534.00007FFDFF2D6000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb}},GCTL source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1849586045.00007FFE007DC000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1848382146.00007FFDFB560000.00000002.00000001.01000000.00000020.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552738977.00007FFDFB560000.00000002.00000001.01000000.00000039.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797171782.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1851359154.00007FFE130C5000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: C:\projects\hidapi\windows\x64\Release\hidapi.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1801775652.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1848382146.00007FFDFB5E2000.00000002.00000001.01000000.00000020.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552738977.00007FFDFB5E2000.00000002.00000001.01000000.00000039.sdmp
Source: Binary string: win32event.pdb source: IDmelonCredentialProviderFidoAgent.exe
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32pipe.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1808188425.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1851215514.00007FFE12E15000.00000002.00000001.01000000.00000024.sdmp
Source: Binary string: D:\a\1\b\libssl-1_1.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1849359534.00007FFDFF2D6000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1805593313.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1852181208.00007FFE1A453000.00000002.00000001.01000000.00000019.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3561376814.00007FFE1A453000.00000002.00000001.01000000.00000032.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32evtlog.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1807773718.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_msi.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797014534.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797550299.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3554382967.00007FFE00712000.00000002.00000001.01000000.0000005C.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32file.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1849767280.00007FFE0E145000.00000002.00000001.01000000.00000025.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3556996574.00007FFE0E145000.00000002.00000001.01000000.0000003E.sdmp
Source: Binary string: crypto\stack\stack.cOPENSSL_sk_dupOPENSSL_sk_deep_copysk_reserveOPENSSL_sk_new_reserveOPENSSL_sk_reserveOPENSSL_sk_insertOPENSSL_sk_seti=%dcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC3.1.4built on: Fri Nov 24 00:12:45 2023 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptoOPENSSL_atexitcrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552191616.00007FFDFB173000.00000002.00000001.01000000.00000048.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python310.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1848855199.00007FFDFB9AF000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797255867.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1851503816.00007FFE13303000.00000002.00000001.01000000.0000001E.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3560281403.00007FFE13303000.00000002.00000001.01000000.00000037.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-7t032bmh\src\rust\target\release\deps\cryptography_rust.pdbcQ source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552191616.00007FFDFB173000.00000002.00000001.01000000.00000048.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb** source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1850216402.00007FFE10250000.00000002.00000001.01000000.0000001A.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3557941772.00007FFE10250000.00000002.00000001.01000000.00000033.sdmp
Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\_win32sysloader.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1807395817.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-7t032bmh\src\rust\target\release\deps\cryptography_rust.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552191616.00007FFDFB173000.00000002.00000001.01000000.00000048.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803952195.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1844050931.000002B6C7D00000.00000002.00000001.01000000.00000012.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548123572.00000189154D0000.00000002.00000001.01000000.0000002B.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1849892218.00007FFE0E16D000.00000002.00000001.01000000.0000001F.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3557130778.00007FFE0E16D000.00000002.00000001.01000000.00000038.sdmp
Source: Microsoft.Win32.Registry.dll.0.drStatic PE information: 0x80FC6AE5 [Thu Jul 29 14:21:25 2038 UTC]
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeCode function: 3_2_0000000140023A88 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,3_2_0000000140023A88
Source: win32event.pyd.33.drStatic PE information: real checksum: 0x0 should be: 0xe713
Source: md.cp310-win_amd64.pyd.33.drStatic PE information: real checksum: 0x0 should be: 0x12854
Source: System.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x67cd
Source: EnVar.dll.0.drStatic PE information: real checksum: 0x0 should be: 0xe868
Source: _psutil_windows.pyd.33.drStatic PE information: real checksum: 0x0 should be: 0x1d3ed
Source: _win32sysloader.pyd.33.drStatic PE information: real checksum: 0x0 should be: 0x5f00
Source: _rust.pyd.33.drStatic PE information: real checksum: 0x0 should be: 0x66978e
Source: hidapi.dll.33.drStatic PE information: real checksum: 0x0 should be: 0x1c6c2
Source: pywintypes310.dll.33.drStatic PE information: real checksum: 0x0 should be: 0x26a6c
Source: nsExec.dll.0.drStatic PE information: real checksum: 0x0 should be: 0xc1ae
Source: win32evtlog.pyd.33.drStatic PE information: real checksum: 0x0 should be: 0x1ccde
Source: uninstall.exe.0.drStatic PE information: real checksum: 0x28b16b9 should be: 0x329d7
Source: win32net.pyd.33.drStatic PE information: real checksum: 0x0 should be: 0x26767
Source: win32file.pyd.33.drStatic PE information: real checksum: 0x0 should be: 0x30a26
Source: FileDeleter.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x2196a
Source: pythoncom310.dll.33.drStatic PE information: real checksum: 0x0 should be: 0xa906f
Source: md__mypyc.cp310-win_amd64.pyd.33.drStatic PE information: real checksum: 0x0 should be: 0x2bdb3
Source: win32api.pyd.33.drStatic PE information: real checksum: 0x0 should be: 0x272b8
Source: InstallOptions.dll.0.drStatic PE information: real checksum: 0x0 should be: 0xb123
Source: vc_redist.x64.exe.0.drStatic PE information: section name: .wixburn
Source: IDmelonCredentialProviderFidoAgent.exe.0.drStatic PE information: section name: _RDATA
Source: VC_redist.x64.exe.1.drStatic PE information: section name: .wixburn
Source: libcrypto-1_1.dll.33.drStatic PE information: section name: .00cfg
Source: libssl-1_1.dll.33.drStatic PE information: section name: .00cfg
Source: python310.dll.33.drStatic PE information: section name: PyRuntim
Source: mfc140u.dll.33.drStatic PE information: section name: .didat
Source: VCRUNTIME140.dll.33.drStatic PE information: section name: _RDATA
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_0072E876 push ecx; ret 1_2_0072E889
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCode function: 2_2_00B5E876 push ecx; ret 2_2_00B5E889
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeCode function: 3_2_00000001400055DB push rcx; iretd 3_2_00000001400055DC
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 33_2_00007FF6CFE8510C push rcx; retf 0000h33_2_00007FF6CFE8510D

Persistence and Installation Behavior

Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, \\.\PhysicalDrive%d61_2_00007FFE0CFA2B00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, PhysicalDrive%i61_2_00007FFE0CFA2B00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i61_2_00007FFE0CFA2B00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i61_2_00007FFE0CFA2B00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFE0CF88950 NetUserAdd,61_2_00007FFE0CF88950
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\win32\win32api.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\PublicKey\_x25519.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\libssl-1_1.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Hash\_SHA512.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\pyexpat.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\win32\win32event.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\python310.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile created: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\System.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\win32\_win32sysloader.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\_ctypes.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Math\_modexp.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\PublicKey\_x25519.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\charset_normalizer\md__mypyc.cp310-win_amd64.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile created: C:\Program Files (x86)\IDmelon\FCP\CommandLine.dllJump to dropped file
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\wixstdba.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Util\_cpuid_c.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\_multiprocessing.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\python3.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\pywin32_system32\pywintypes310.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_des3.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\charset_normalizer\md.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_Salsa20.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\VCRUNTIME140.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\_lzma.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\libcrypto-1_1.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\_decimal.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Hash\_MD2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Hash\_MD4.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Util\_cpuid_c.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\_bz2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\PublicKey\_ec_ws.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_ocb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_ofb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Hash\_poly1305.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\win32\win32trace.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Hash\_BLAKE2b.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\libcrypto-1_1.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Math\_modexp.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_cbc.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\_overlapped.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_ARC4.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_blowfish.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\win32\win32file.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\libssl-1_1.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\_hashlib.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\_lzma.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_des3.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile created: C:\Program Files (x86)\IDmelon\FCP\FileDeleter.exeJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile created: C:\Program Files (x86)\IDmelon\FCP\IDmelonFcp.exeJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_cast.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Hash\_SHA1.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Hash\_MD2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_eksblowfish.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Hash\_SHA224.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Hash\_SHA1.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_ecb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Hash\_ghash_portable.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Hash\_MD4.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_ctr.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\_socket.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\cryptography\hazmat\bindings\_rust.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\win32\win32api.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\libffi-7.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\_cffi_backend.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\_msi.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Hash\_ghash_clmul.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\_ssl.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\_uuid.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_des.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Hash\_RIPEMD160.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile created: C:\Program Files (x86)\IDmelon\FCP\System.Security.AccessControl.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_cast.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Hash\_SHA224.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Hash\_SHA512.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\win32\win32pipe.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Util\_strxor.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\python3.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_cfb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Hash\_ghash_portable.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\PublicKey\_ed448.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Hash\_keccak.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile created: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\nsExec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile created: C:\Program Files (x86)\IDmelon\FCP\nssm.exeJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\_uuid.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Hash\_BLAKE2b.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\PublicKey\_ed25519.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile created: C:\Program Files (x86)\IDmelon\FCP\System.Security.Principal.Windows.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Hash\_SHA384.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\_overlapped.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\win32\win32pipe.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\pywin32_system32\pythoncom310.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Hash\_SHA256.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_chacha20.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\_asyncio.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\unicodedata.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\_hashlib.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\win32\win32net.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Hash\_poly1305.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_arc2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_aesni.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\VCRUNTIME140_1.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Hash\_BLAKE2s.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\win32\_win32sysloader.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_aesni.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Hash\_MD5.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\pywin32_system32\pywintypes310.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Pythonwin\mfc140u.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\select.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_ofb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Protocol\_scrypt.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\select.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Hash\_SHA384.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Pythonwin\mfc140u.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_Salsa20.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_ecb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Hash\_SHA256.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_arc2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\win32\win32event.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\_multiprocessing.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\charset_normalizer\md__mypyc.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_aes.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\_cbor2.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\charset_normalizer\md.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\libffi-7.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\pyexpat.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_cbc.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Hash\_RIPEMD160.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\win32\win32file.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\psutil\_psutil_windows.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\_queue.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Crypto\Protocol\_scrypt.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\VCRUNTIME140_1.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\_socket.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeFile created: C:\Program Files (x86)\IDmelon\FCP\Microsoft.Win32.Registry.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI76402\Pythonwin\win32ui.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\Temp\_MEI74522\Crypto\PublicKey\_ec_ws.pydJump to dropped file
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1028\license.rtfJump to behavior
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1029\license.rtfJump to behavior
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1031\license.rtfJump to behavior
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1036\license.rtfJump to behavior
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1040\license.rtfJump to behavior
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1041\license.rtfJump to behavior
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1042\license.rtfJump to behavior
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1045\license.rtfJump to behavior
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1046\license.rtfJump to behavior
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1049\license.rtfJump to behavior
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\1055\license.rtfJump to behavior
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\2052\license.rtfJump to behavior
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\3082\license.rtfJump to behavior
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\TEMP\_MEI76402\wheel-0.37.1.dist-info\LICENSE.txt
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeFile created: C:\Windows\TEMP\_MEI74522\wheel-0.37.1.dist-info\LICENSE.txt

Boot Survival

Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, \\.\PhysicalDrive%d 61_2_00007FFE0CFA2B00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, PhysicalDrive%i 61_2_00007FFE0CFA2B00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i 61_2_00007FFE0CFA2B00
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i 61_2_00007FFE0CFA2B00
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\NSSM
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Code function: 3_2_000000014000A2E0 _snwprintf_s,PathQuoteSpacesW,GetModuleFileNameW,GetModuleFileNameW,PathQuoteSpacesW,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError, 3_2_000000014000A2E0
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 33_2_00007FF6CFE460F0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,33_2_00007FF6CFE460F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "C:\Program Files (x86)\IDmelon\FCP\cashedData.xml" /e /p Everyone:f
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 42_2_00007FFDFB315731 rdtsc 42_2_00007FFDFB315731
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Code function: OpenServiceW,GetServiceDisplayNameW,GetServiceKeyNameW,GetLastError,GetLastError,EnumServicesStatusExW,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusExW,GetLastError,GetProcessHeap,HeapFree,GetLastError,_snwprintf_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 3_2_000000014000EE50
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Code function: EnumServicesStatusExW,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusExW,GetLastError,_snwprintf_s,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 3_2_0000000140011A80
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: PyList_New,OpenSCManagerA,GetLastError,PyErr_SetFromWindowsErrWithFilename,EnumServicesStatusExW,GetLastError,free,malloc,EnumServicesStatusExW,PyUnicode_FromWideChar,PyUnicode_FromWideChar,Py_BuildValue,PyList_Append,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseServiceHandle,free,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseServiceHandle,free, 61_2_00007FFE0CFA8170
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 61_2_00007FFE0C0B1C70 FreeLibrary,FreeLibrary,SetupDiGetClassDevsA,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailA,SetupDiGetDeviceInterfaceDetailA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,CreateFileA,CloseHandle,SetupDiEnumDeviceInterfaces,SetupDiDestroyDeviceInfoList, 61_2_00007FFE0C0B1C70
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\PublicKey\_x25519.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\win32\win32api.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Hash\_SHA512.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\pyexpat.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\python310.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\win32\win32event.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\System.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\PublicKey\_x25519.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\charset_normalizer\md__mypyc.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Math\_modexp.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\_ctypes.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\win32\_win32sysloader.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\FCP\CommandLine.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Util\_cpuid_c.pydJump to dropped file
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeDropped PE file which has not been started: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\wixstdba.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\_multiprocessing.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\python3.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_des3.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\pywin32_system32\pywintypes310.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\charset_normalizer\md.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_Salsa20.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\_lzma.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\_decimal.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Hash\_MD4.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Util\_cpuid_c.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Hash\_MD2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\_bz2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\PublicKey\_ec_ws.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_ocb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Hash\_poly1305.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_ofb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\win32\win32trace.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Hash\_BLAKE2b.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Math\_modexp.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_cbc.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\_overlapped.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_ARC4.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_blowfish.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\win32\win32file.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\_hashlib.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\_lzma.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_des3.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\FCP\FileDeleter.exeJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\FCP\IDmelonFcp.exeJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_cast.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Hash\_MD2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Hash\_SHA1.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_eksblowfish.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Hash\_SHA1.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Hash\_SHA224.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_ecb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Hash\_ghash_portable.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Hash\_MD4.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_ctr.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\_socket.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\cryptography\hazmat\bindings\_rust.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\win32\win32api.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\_cffi_backend.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\_msi.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Hash\_ghash_clmul.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\_uuid.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\_ssl.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_des.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Hash\_RIPEMD160.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_cast.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\FCP\System.Security.AccessControl.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Hash\_SHA512.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Hash\_SHA224.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\win32\win32pipe.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Util\_strxor.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\python3.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_cfb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Hash\_ghash_portable.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\PublicKey\_ed448.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Hash\_keccak.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\nsExec.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\_uuid.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Hash\_BLAKE2b.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\PublicKey\_ed25519.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Hash\_SHA384.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\FCP\System.Security.Principal.Windows.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\_overlapped.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\win32\win32pipe.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\pywin32_system32\pythoncom310.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Hash\_SHA256.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_chacha20.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\_asyncio.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\unicodedata.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\_hashlib.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\win32\win32net.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Hash\_poly1305.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_arc2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_aesni.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Hash\_BLAKE2s.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\win32\_win32sysloader.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Hash\_MD5.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_aesni.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Pythonwin\mfc140u.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\pywin32_system32\pywintypes310.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_ofb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\select.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Protocol\_scrypt.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\select.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Hash\_SHA384.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Pythonwin\mfc140u.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_Salsa20.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_ecb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Hash\_SHA256.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_arc2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\win32\win32event.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\_multiprocessing.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\charset_normalizer\md__mypyc.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_aes.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\_cbor2.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\charset_normalizer\md.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\pyexpat.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_cbc.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Hash\_RIPEMD160.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\win32\win32file.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\_queue.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\psutil\_psutil_windows.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Protocol\_scrypt.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\_socket.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Pythonwin\win32ui.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\FCP\Microsoft.Win32.Registry.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\PublicKey\_ec_ws.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\_ctypes.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\hidapi.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Hash\_ghash_clmul.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Util\_strxor.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Hash\_keccak.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\PublicKey\_ed448.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Hash\_MD5.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_des.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\_cbor2.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\_decimal.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\_ssl.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\PublicKey\_ed25519.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\win32\win32trace.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_aes.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\unicodedata.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\InstallOptions.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_cfb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\win32com\shell\shell.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\cryptography\hazmat\bindings\_rust.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\python310.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\_cffi_backend.cp310-win_amd64.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_ocb.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\hidapi.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_pkcs1_decode.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\win32\win32net.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_chacha20.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\win32com\shell\shell.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\_bz2.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\psutil\_psutil_windows.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_ARC4.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_ctr.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\_msi.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\win32\win32evtlog.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_blowfish.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\win32\win32evtlog.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\_asyncio.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\EnVar.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Hash\_BLAKE2s.pydJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\FCP\log4net.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Windows\System32\IDmelonV2CredentialProvider.dllJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\pywin32_system32\pythoncom310.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\FCP\uninstall.exeJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\_queue.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Crypto\Cipher\_pkcs1_decode.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI76402\Crypto\Cipher\_raw_eksblowfish.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeDropped PE file which has not been started: C:\Windows\Temp\_MEI74522\Pythonwin\win32ui.pydJump to dropped file
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeAPI coverage: 4.3 %
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeAPI coverage: 2.7 %
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeAPI coverage: 1.1 %
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_0073FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0073FE5Dh1_2_0073FDC2
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_0073FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0073FE56h1_2_0073FDC2
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCode function: 2_2_00B6FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00B6FE5Dh2_2_00B6FDC2
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCode function: 2_2_00B6FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00B6FE56h2_2_00B6FDC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeCode function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C63
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeCode function: 0_2_004068B4 FindFirstFileW,FindClose,0_2_004068B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeCode function: 0_2_00402910 FindFirstFileW,0_2_00402910
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_00703BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,1_2_00703BC3
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_00744315 FindFirstFileW,FindClose,1_2_00744315
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_0071993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,1_2_0071993E
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCode function: 2_2_00B33BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,2_2_00B33BC3
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCode function: 2_2_00B74315 FindFirstFileW,FindClose,2_2_00B74315
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCode function: 2_2_00B4993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,2_2_00B4993E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 33_2_00007FF6CFE58110 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,33_2_00007FF6CFE58110
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 33_2_00007FF6CFE47B80 FindFirstFileExW,FindClose,33_2_00007FF6CFE47B80
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 33_2_00007FF6CFE620D4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,33_2_00007FF6CFE620D4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 33_2_00007FF6CFE58110 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,33_2_00007FF6CFE58110
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB31322E _errno,malloc,_errno,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,42_2_00007FFDFB31322E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E13AC60 _Py_NoneStruct,_PyArg_ParseTupleAndKeywords_SizeT,?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z,PyExc_NotImplementedError,PyErr_Format,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,_PyObject_New,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,memset,PyEval_SaveThread,FindFirstFileTransactedW,FindFirstFileW,PyEval_RestoreThread,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,GetLastError,_Py_Dealloc,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,42_2_00007FFE0E13AC60
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E13B100 PyExc_NotImplementedError,PyErr_Format,_Py_NoneStruct,_PyArg_ParseTupleAndKeywords_SizeT,?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z,PyExc_NotImplementedError,PyErr_Format,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,malloc,FindFirstFileNameTransactedW,FindFirstFileNameW,PyList_New,FindNextFileNameW,?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W@Z,PyList_Append,_Py_Dealloc,GetLastError,free,PyExc_MemoryError,PyErr_Format,_Py_Dealloc,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_Dealloc,FindClose,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,free,42_2_00007FFE0E13B100
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0E13AA10 _Py_NoneStruct,_PyArg_ParseTupleAndKeywords_SizeT,?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z,PyExc_NotImplementedError,PyErr_Format,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,memset,FindFirstFileTransactedW,FindFirstFileW,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,GetLastError,PyList_New,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyList_New,FindClose,?PyObject_FromWIN32_FIND_DATAW@@YAPEAU_object@@PEAU_WIN32_FIND_DATAW@@@Z,PyList_Append,_Py_Dealloc,memset,FindNextFileW,GetLastError,FindClose,_Py_Dealloc,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,FindClose,_Py_Dealloc,42_2_00007FFE0E13AA10
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0EB43740 _PyArg_ParseTuple_SizeT,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyList_New,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,FindFirstFileW,GetLastError,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,?PyObject_FromWIN32_FIND_DATAW@@YAPEAU_object@@PEAU_WIN32_FIND_DATAW@@@Z,PyList_Append,_Py_Dealloc,FindNextFileW,GetLastError,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,FindClose,_Py_Dealloc,42_2_00007FFE0EB43740
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31322E _errno,malloc,_errno,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,61_2_00007FFDFB31322E
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFE0C0B7A14 FindFirstFileExA,61_2_00007FFE0C0B7A14
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFE0EB455A0 _PyArg_ParseTuple_SizeT,GetLogicalDriveStringsW,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,GetLogicalDriveStringsW,?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W_J@Z,42_2_00007FFE0EB455A0
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_0074962D VirtualQuery,GetSystemInfo,1_2_0074962D
Source: IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1797951437.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: netsh.exe, 00000032.00000003.1823231576.00000000012B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: netsh.exe, 00000037.00000002.1831867957.000000000088B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: netsh.exe, 00000035.00000003.1827998872.0000000000961000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000035.00000002.1828682936.0000000000964000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548584023.0000018915CE9000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000003.1890856717.0000018915D69000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: netsh.exe, 00000030.00000002.1820071054.000000000074B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1825592626.000002B6C87E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1841257051.000002B6C8823000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1828058531.000002B6C87E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1820812842.000002B6C87E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1816340638.000002B6C87E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1832238570.000002B6C8816000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWj
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exeAPI call chain: ExitProcess graph end nodegraph_0-3390
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeAPI call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeAPI call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeAPI call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeProcess information queried: ProcessInformation

Anti Debugging

Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB31573142_2_00007FFDFB315731
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB31424642_2_00007FFDFB314246
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31573161_2_00007FFDFB315731
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 61_2_00007FFDFB31424661_2_00007FFDFB314246
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeCode function: 42_2_00007FFDFB315731 rdtsc 42_2_00007FFDFB315731
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_0072E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0072E625
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exeCode function: 3_2_0000000140023A88 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,3_2_0000000140023A88
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_00734812 mov eax, dword ptr fs:[00000030h]1_2_00734812
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exeCode function: 2_2_00B64812 mov eax, dword ptr fs:[00000030h]2_2_00B64812
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_007038D4 GetProcessHeap,RtlAllocateHeap,1_2_007038D4
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeProcess token adjusted: Debug
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exeCode function: 1_2_0072E188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0072E188
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Code function: 3_2_000000014000A180 GetProcessHeap,HeapAlloc,GetCommandLineW,_snwprintf_s,ShellExecuteExW,GetProcessHeap,HeapFree,3_2_000000014000A180
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 42_2_00007FFE0EB4DC50 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,keybd_event,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct,42_2_00007FFE0EB4DC50
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 42_2_00007FFE0EB4DCF0 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,mouse_event,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct,42_2_00007FFE0EB4DCF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" install IDmelonFidoCredentialProviderService "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Application "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppDirectory "C:\Program Files (x86)\IDmelon\FCP"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdout "C:\Program Files (x86)\IDmelon\FCP\logs.log"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderr "C:\Program Files (x86)\IDmelon\FCP\logs.log"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Description "Handles the FIDO authentication of IDmelon credential provider."
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdoutCreationDisposition 4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderrCreationDisposition 4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateFiles 1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateOnline 0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateSeconds 14400
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateBytes 5000000
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Start SERVICE_AUTO_START
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" restart IDmelonFidoCredentialProviderService
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" status IDmelonFidoCredentialProviderService
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Program Files (x86)\IDmelon\FCP\nssm.exe "C:\Program Files (x86)\IDmelon\FCP\nssm.exe" start IDmelonFidoCredentialProviderService
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "C:\Program Files (x86)\IDmelon\FCP\cashedData.xml" /e /p Everyone:f
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "C:\Program Files (x86)\IDmelon\FCP\service_log.lo" /e /p Everyone:f
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Program Files (x86)\IDmelon\FCP" /inheritance:d
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Program Files (x86)\IDmelon\FCP" /grant:r everyone:(OI)(CI)(F) /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=out program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule IDmelonFidoCredentialProviderService dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule IDmelonFidoCredentialProviderService dir=out program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe Process created: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe "C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" -burn.filehandle.attached=508 -burn.filehandle.self=684 /quiet
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Process created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Process created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Process created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Process created: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe Code function: 1_2_007415CB InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,1_2_007415CB
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe Code function: 1_2_0074393B AllocateAndInitializeSid,CheckTokenMembership,1_2_0074393B
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe Code function: 1_2_0072E9A7 cpuid 1_2_0072E9A7
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Code function: GetLocaleInfoA,3_2_00000001400245E8
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 61_2_00007FFE0C0B1C70 FreeLibrary,FreeLibrary,SetupDiGetClassDevsA,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailA,SetupDiGetDeviceInterfaceDetailA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,CreateFileA,CloseHandle,SetupDiEnumDeviceInterfaces,SetupDiDestroyDeviceInfoList,61_2_00007FFE0C0B1C70
Source: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe Queries volume information: C:\Windows\Temp\{244C48BF-A412-4586-A30B-37BBD97B3B71}\.ba\logo.png VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe Queries volume information: C:\Program Files (x86)\IDmelon\FCP\logs.log VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI76402\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI76402\Crypto\Cipher VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\Crypto\Hash VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\Crypto\PublicKey VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\Crypto\Util VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\Pythonwin VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\certifi VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\cryptography-41.0.7.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\pywin32_system32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\setuptools-60.2.0.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\wheel-0.37.1.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\logs.log VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\_ctypes.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\_bz2.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\_lzma.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\charset_normalizer VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\base_library.zip VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI76402 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI76402\pyexpat.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI76402\_socket.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI76402\select.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI76402\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI76402\pywin32_system32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI76402\win32\win32api.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI76402\win32com VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI76402\Pythonwin VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI76402\cryptography-41.0.7.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI76402\setuptools-60.2.0.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI76402\wheel-0.37.1.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\tmpmwtcn8xe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI76402\_queue.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\_ssl.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\_asyncio.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\_overlapped.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\win32\win32pipe.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\win32\win32file.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\win32 VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\_MEI76402\win32\win32event.pyd VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exeQueries volume information: C:\Windows\Temp\tmpmwtcn8xe VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI74522\Crypto VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI74522\Crypto\Cipher VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI74522\Crypto\Hash VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI74522\Crypto\PublicKey VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI74522\Crypto\Util VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI74522\Pythonwin VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI74522\cryptography-41.0.7.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Queries volume information: C:\Windows\Temp\_MEI74522\setuptools-60.2.0.dist-info VolumeInformation
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe Code function: 1_2_00714CE8 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,1_2_00714CE8
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe Code function: 1_2_0072E513 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_0072E513
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe Code function: 1_2_007060BA GetUserNameW,GetLastError,1_2_007060BA
Source: C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe Code function: 1_2_00748733 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,1_2_00748733
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403532
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
Source: C:\Program Files (x86)\IDmelon\FCP\nssm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 42_2_00007FFDFB312B62 bind,WSAGetLastError,42_2_00007FFDFB312B62
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 42_2_00007FFE00792E90 _PyArg_ParseTuple_SizeT,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyObject_IsInstance,PyExc_ValueError,PyErr_Format,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,PyErr_SetString,PyEval_SaveThread,PyEval_RestoreThread,CreateBindCtx,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,_Py_NoneStruct,_Py_NoneStruct,?PyWinObject_FromIID@@YAPEAU_object@@AEBU_GUID@@@Z,PyDict_GetItem,_Py_Dealloc,PyErr_Clear,PyExc_TypeError,PyErr_SetString,PyEval_SaveThread,PyEval_RestoreThread,PyObject_IsSubclass,PyEval_SaveThread,MkParseDisplayName,PyEval_RestoreThread,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,_Py_Dealloc,_Py_NoneStruct,_Py_NoneStruct,?PyWinObject_FromIID@@YAPEAU_object@@AEBU_GUID@@@Z,PyDict_GetItem,_Py_Dealloc,PyErr_Clear,PyExc_TypeError,PyErr_SetString,PyEval_SaveThread,PyEval_RestoreThread,PyObject_IsSubclass,_Py_BuildValue_SizeT,42_2_00007FFE00792E90
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 42_2_00007FFE00794010 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,CreateBindCtx,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct,?PyWinObject_FromIID@@YAPEAU_object@@AEBU_GUID@@@Z,PyEval_SaveThread,PyEval_RestoreThread,PyDict_GetItem,_Py_Dealloc,PyErr_Clear,PyObject_IsSubclass,PyExc_TypeError,PyErr_SetString,PyEval_SaveThread,PyEval_RestoreThread,42_2_00007FFE00794010
Source: C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe Code function: 61_2_00007FFDFB312B62 bind,WSAGetLastError,61_2_00007FFDFB312B62
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 2 Disable or Modify Tools | 11 Input Capture | 12 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 3 Native API | 1 Create Account | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 11 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 3 Command and Scripting Interpreter | 24 Windows Service | 1 Access Token Manipulation | 2 Obfuscated Files or Information | Security Account Manager | 1 System Service Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 12 Service Execution | 1 Bootkit | 24 Windows Service | 1 Timestomp | NTDS | 4 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | 1 Services File Permissions Weakness | 12 Process Injection | 1 DLL Side-Loading | LSA Secrets | 46 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Services File Permissions Weakness | 1 File Deletion | Cached Domain Credentials | 1 Network Share Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Masquerading | DCSync | 1 Query Registry | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 141 Security Software Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | 2 Process Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Bootkit | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Services File Permissions Weakness | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
[Behavior graph: ID 1467386; sample SecuriteInfo.com.PUA.Tool.I...; start date 04/07/2024; architecture WINDOWS; score 80]

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | 18% | ReversingLabs | |
SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | 12% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | 100% | Avira | HEUR/AGEN.1305235 |
C:\Program Files (x86)\IDmelon\FCP\CommandLine.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\FileDeleter.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe | 5% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\IDmelonFcp.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\Microsoft.Win32.Registry.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\System.Security.AccessControl.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\System.Security.Principal.Windows.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\log4net.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\nssm.exe | 14% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\uninstall.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\EnVar.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\InstallOptions.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\System.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\nsExec.dll | 0% | ReversingLabs | |
C:\Windows\System32\IDmelonV2CredentialProvider.dll | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_ARC4.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_Salsa20.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_chacha20.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_pkcs1_decode.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_aes.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_aesni.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_arc2.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_blowfish.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_cast.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_cbc.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_cfb.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_ctr.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_des.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_des3.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_ecb.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_eksblowfish.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_ocb.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Cipher\_raw_ofb.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Hash\_BLAKE2b.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Hash\_BLAKE2s.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Hash\_MD2.pyd | 0% | ReversingLabs | |
C:\Windows\Temp\_MEI74522\Crypto\Hash\_MD4.pyd | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No contacted domains info
  • URL Reputation: safe
unknown
https://login.idmelon.com/auth/users/ctap-assertion_cached__IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3550186386.0000018916D10000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=mainIDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1798939966.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://codecov.io/gh/pypa/setuptoolsIDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1805837120.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-fileIDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552191616.00007FFDFB173000.00000002.00000001.01000000.00000048.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://nsis.sf.net/NSIS_ErrorErrorSecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, 00000000.00000003.1833445682.0000000000529000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, 00000000.00000000.1683234838.000000000040A000.00000008.00000001.01000000.00000003.sdmp, SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, 00000000.00000002.1883028898.000000000040A000.00000004.00000001.01000000.00000003.sdmpfalse
  • URL Reputation: safe
unknown
https://codewithoutrules.com/2017/08/16/concurrency-python/IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.00000189165C1000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://aka.ms/vcpython27PIDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1846896524.000002B6C9350000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.0000018916400000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000003.1894052173.000001891601C000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://mail.python.org/pipermail/distutils-sig/IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1805837120.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://cryptography.io/en/latest/installation/IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1798939966.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_syIDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1839619187.000002B6C77FE000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1828699935.000002B6C77FD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1836955896.000002B6C77FE000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1843799934.000002B6C77FE000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1828541079.000002B6C77E6000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3546983612.0000018914E55000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1846619333.000002B6C9050000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://github.com/ActiveState/appdirsIDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1845807872.000002B6C8B50000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1815399055.000002B6C88A8000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549142565.00000189162E0000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://wiki.debian.org/XDGBaseDirectorySpecification#stateIDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1828699935.000002B6C77FD000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1832287680.000002B6C7815000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1815399055.000002B6C88A8000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1828541079.000002B6C77E6000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548584023.0000018915CE9000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000003.1890856717.0000018915D69000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://wwwsearch.sf.net/):IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.0000018916400000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://skm.idmelon.com/administrator/tokens/passwords?type=IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3550186386.0000018916D10000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://tools.ietf.org/html/rfc6125#section-6.4.3IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3550260783.0000018916E30000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://cryptography.io/en/latest/security/IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1798939966.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://cffi.readthedocs.io/en/latest/using.html#callbacksIDmelonCredentialProviderFidoAgent.exe, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3554851953.00007FFE0075C000.00000002.00000001.01000000.00000049.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://bugs.python.org/issue44497.IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1846619333.000002B6C9050000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1846791313.000002B6C9250000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549964278.00000189169E0000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://google.com/mailIDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548584023.0000018915CE9000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.0000018916558000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.pyIDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3546983612.0000018914E55000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.rfc-editor.org/info/rfc7253IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.00000189165C1000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://develop.sentry.dev/sdk/event-payloads/transaction/#transaction-annotationsIDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548584023.0000018915CE9000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://github.com/pyca/cryptography/issuesIDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1798939966.000001D1925E3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3552191616.00007FFDFB173000.00000002.00000001.01000000.00000048.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdfIDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548777503.0000018915EE0000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://readthedocs.org/projects/cryptography/badge/?version=latestIDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1798939966.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.0000018916400000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549650005.00000189166EF000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://appsyndication.org/2006/appsynvc_redist.x64.exe, VC_redist.x64.exefalse
  • Avira URL Cloud: safe
unknown
https://packaging.python.org/installing/IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1805837120.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://google.com/IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000003.1894328112.0000018916646000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://mahler:8092/site-updates.pyIDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549650005.00000189166EF000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://.../back.jpegIDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3550186386.0000018916D10000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://github.com/psf/blackIDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1805837120.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://github.com/pyca/cryptographyIDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1798939966.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://www.python.org/download/releases/2.3/mro/.IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000002.1844100921.000002B6C8110000.00000004.00001000.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548349992.00000189158A0000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.htmlIDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548777503.0000018915EE0000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548584023.0000018915CE9000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3550821834.0000018917550000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.00000189165C1000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://cryptography.io/IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1798939966.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://github.com/pypa/wheel/issuesIDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1807032426.000001D1925E6000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://httpbin.org/postIDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.0000018916400000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://skm.idmelon.com/administrator/tokens/passwordsIDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3550186386.0000018916D10000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://github.com/pyca/cryptography/IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1798939966.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://github.com/Ousret/charset_normalizerIDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549650005.00000189166EF000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=referralIDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1805837120.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://yahoo.com/IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3548584023.0000018915CE9000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.0000018916558000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://develop.sentry.dev/sdk/event-payloads/exception/IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3551100109.0000018917DD4000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://raw.githubusercontent.com/pypa/setuptools/main/docs/images/banner-640x320.svgIDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1805837120.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1824632133.000002B6C8D9B000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1829540044.000002B6C8DC3000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1827568606.000002B6C8DC2000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000002A.00000003.1827508354.000002B6C8DBC000.00000004.00000020.00020000.00000000.sdmp, IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.0000018916613000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://wheel.readthedocs.io/IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1807032426.000001D1925E6000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://cacerts.digicert.coIDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1796691603.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0IDmelonCredentialProviderFidoAgent.exe, 00000021.00000003.1803051162.000001D1925E3000.00000004.00000020.00020000.00000000.sdmpfalse
  • URL Reputation: safe
unknown
https://bugs.python.org/issue14976IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549219413.00000189165C1000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://html.spec.whatwg.org/multipage/IDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3549650005.00000189166EF000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsIDmelonCredentialProviderFidoAgent.exe, 0000003D.00000002.3550260783.0000018916E30000.00000004.00001000.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1467386
Start date and time:2024-07-04 06:41:28 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 14m 9s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Run with higher sleep bypass
Number of analysed new started processes analysed:67
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
Detection:MAL
Classification:mal80.evad.winEXE@97/273@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
No simulations
No context
Match: C:\Program Files (x86)\IDmelon\FCP\CommandLine.dll
Associated Sample Name / URL, Detection, Threat Name:
  • https://carbonatebrowser.com/, malicious, Unknown
  • Carbonate.ed.exe, malicious, Unknown
  • Carbonate.ed.exe, malicious, Unknown
  • https://download.slido.com/slido-for-windows/230510075433_1.6.0.4110/SlidoSetup_v1.6.0.4110.exe, malicious, Unknown
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):225280
          Entropy (8bit):6.201066097308408
          Encrypted:false
          SSDEEP:6144:sG/zAnUPpKO6acJ8Ha+VbR9HGzIuIliUtf:syzAUPMeaIDGcfi
          MD5:2F345B6D207489E52DB3F85C2E4E617D
          SHA1:D0CD77AA88B8ED0AE5F07A8132EACA857DEA7795
          SHA-256:2135B40FA819E58CF1942453E4409BFDEA2BE631077A354B878DE8402BE7E026
          SHA-512:24AD3B3620E5E093EA57C1BEC486379853D625DBF962210B2DEB823115A45F9EC4083B6D4BB69610A9DAE4B6076284C11E3663430DB4EA739224E6DE93D88E8D
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Joe Sandbox View:
          • Filename: , Detection: malicious, Browse
          • Filename: Carbonate.ed.exe, Detection: malicious, Browse
          • Filename: Carbonate.ed.exe, Detection: malicious, Browse
          • Filename: , Detection: malicious, Browse
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):112128
          Entropy (8bit):3.6701691669294
          Encrypted:false
          SSDEEP:384:x6Djk5VqpY/zWabOc3sFE9r8l7n9KViZx1PPxv+Xo8152:l5kpODKE9uL9KgBVi2
          MD5:4872481CC7259458841E5B2660F835A9
          SHA1:A7B667687F021AE47B658343EE823CB80F956772
          SHA-256:AB52192C8413B75121610CD472A1FFF007783150694E5174B9D36522A564BAB0
          SHA-512:59EE2898B74E7915E1ED040631F83B2FD5DE4B6E9A08AD1BB5D543F1505303899CE52EC32B2365FF3335E19AB72377132AFD5204DC87B4AD30A31DE8E9F5FDD2
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PE32+ executable (console) x86-64, for MS Windows
          Category:dropped
          Size (bytes):17194344
          Entropy (8bit):7.993685883736123
          Encrypted:true
          SSDEEP:393216:hiIE7YoPQsSpUTLfhJKDfDgPc6U+gbtToNRQCaG:O7rPQfUTLJUb0k4gbtOQ4
          MD5:2B087903208E385308BF23C41F82E872
          SHA1:DEE1EB429C17CAC16CE50B38339FCE947F2F2CC8
          SHA-256:97B90732767B548D5CA570B0A5A1BA40372BD0CDB70CDA4934E38C7E113A18D6
          SHA-512:5B2399FA8774CF5EE84F87EC6A0B2A27E9B722E9A1F98A70D8EE7FC5F50572FB8B1CB8F8A48DDCFE73A3C4B731D8C8EE22C56AA9F72620F09B63E8F1A2EF185D
          Malicious:true
          Antivirus:
          • Antivirus: Avira, Detection: 100%
          • Antivirus: ReversingLabs, Detection: 5%
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):127048
          Entropy (8bit):4.1857296096986545
          Encrypted:false
          SSDEEP:768:jBdKWI3P1eWnBh9Pge2lUKNgpODKE9uLdKghVC5k271Pw:fKWMZBrge2lUKapOT5kY1Pw
          MD5:E586DE437B9E9E6FD7FCB0DBFF66563E
          SHA1:DAD2020888C6F72F4DA1276883A7A3030ABE6586
          SHA-256:68B767FADF8D6AF9A6DBF4C683FB8B41301D1657A7B0FC8196F68A61ABF190D7
          SHA-512:68A6349C982CB74DBCE535D95941B224D2F52D0DE2A86292E238300EFB7EF0F85A81100A29038FD156CA6B3AE5DE07C1C6091264E7FA09FA3ADD6048D1369593
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):26496
          Entropy (8bit):6.147606968484159
          Encrypted:false
          SSDEEP:384:j4nLpSumfSQrlHViaCZYvLPQmlJLfjnWn6GWfdHRN76+fVlGsa9h:j4QVrxViR9mlxd96lv
          MD5:59C48AACB1C413C108161AFE13FDBED9
          SHA1:31ACE4B26D8A069C84AAD6001E06C2A5483806F3
          SHA-256:E9A9D281C1A708AAAE366F82FD6A1742F65DA2918CC4FA5EAAAADA0BE24277D9
          SHA-512:8252ABE64C67863D9E4C70E820F0C69C517B8678A4B4C13A436118BC276E5F21E84522B93566C0BC009EFFCB251ED67BDBC60E4907ABEA2F33B6BE3764E28D1D
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):33672
          Entropy (8bit):5.963333780741011
          Encrypted:false
          SSDEEP:384:jFGa3siuaS/bRSqtesyvaMAdB+w3G5h9MCZYsMfpcrqmf9wEJqIxVRvFNgfBkyNp:jAa3FuQwetxWBkyNE0MXwVP
          MD5:996AAB294E1D369B148D732E5EC0DFDC
          SHA1:28465FD34680A082506F160107F350B46140A1AA
          SHA-256:1FDA491EEBDB19EA0A83CF6C16AB5DD004A1BFDFC845EDE017EBE0945BEB927F
          SHA-512:5E6B172D2DE5928915B38EC80C7B76F42430AAC959F04AA3521C63495B6F3C4F82DF139C275E9FC5024B1A0A4F307DAADE6130B6028779F98F456282AE8B61CD
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):18312
          Entropy (8bit):6.439506871486808
          Encrypted:false
          SSDEEP:384:cEwo6eTs14YY4cWpOW6dHRN7FYpJAlGspU:VwDdT463
          MD5:BE2962225B441CC23575456F32A9CF6A
          SHA1:9A5BE1FCF410FE5934D720329D36A2377E83747E
          SHA-256:B4D8E15ADC235D0E858E39B5133E5D00A4BAA8C94F4F39E3B5E791B0F9C0C806
          SHA-512:3F7692E94419BFFE3465D54C0E25C207330CD1368FCDFAD71DBEED1EE842474B5ABCB03DBA5BC124BD10033263F22DC9F462F12C20F866AEBC5C91EB151AF2E6
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):270336
          Entropy (8bit):5.596191661109029
          Encrypted:false
          SSDEEP:3072:h+8gmdoxSO7ZbQFroo7RVir/dtnK0sgdnogtHcU5qFG1RSGCkE9kKn7GCcaLoWn:c1N8LLI/PK0scnodG1RS1T93caL
          MD5:46319A38CE5D09020D2AC56B67829C6C
          SHA1:FFE64CA4D4BC9E1DAB1D195982D22121A6BAA058
          SHA-256:1D45A6AFA38F0B10814063F2A42E6EFCE45752853667650E765844B8566B3332
          SHA-512:0DE61771A92EE71470E51BCCF66D3A39C105AE23D60E73D8E4E7D44135DFF4C8D1DDDFF9BBB6BE72FF083D51C784E5CA829A6ADEFEE87FD901D2DE58DB0DDB03
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          File Type:ASCII text, with CRLF line terminators
          Category:modified
          Size (bytes):1256
          Entropy (8bit):4.877975362165133
          Encrypted:false
          SSDEEP:12:f6Ge90DveQunddeWdGXRnroKVke90DveQunddeWdGXRn7rikZ4rOTpBTpjCbWk06:fdUYvgvDCdcQkUYvgvDCd7g5SwujOIm
          MD5:15FB7A397F29B284C4AD05F0CAEDF1ED
          SHA1:5F30F42E5B36DE03252210681B6869E4E5A7D0EA
          SHA-256:CF41BDFFF52BAA47A25D3B6523D577CBFE9DEE6EB751E911640119FF5031AEF4
          SHA-512:11DCF54A2CCC0D08C769651E736938009404F152B472CC83C6823CC075E9FDFF8A4DD6694C005B9CF904C555F315D55B869EBCADBE992FB9680A019B0D72C531
          Malicious:false
          Reputation:unknown
          Preview:Traceback (most recent call last):.. File "main.py", line 2, in <module>.. File "<frozen importlib._bootstrap>", line 1027, in _find_and_load.. File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked.. File "<frozen importlib._bootstrap>", line 688, in _load_unlocked.. File "PyInstaller\loader\pyimod02_importers.py", line 419, in exec_module.. File "dependencies\credential_provider_core_api.py", line 5, in <module>.. File "<frozen importlib._bootstrap>", line 1027, in _find_and_load.. File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked.. File "<frozen importlib._bootstrap>", line 688, in _load_unlocked.. File "PyInstaller\loader\pyimod02_importers.py", line 419, in exec_module.. File "dependencies\utilities\logger.py", line 49, in <module>.. File "dependencies\utilities\logger.py", line 11, in __init__.. File "logging\handlers.py", line 155, in __init__.. File "logging\handlers.py", line 58, in __init__.. File "logging\__init__
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PE32+ executable (console) x86-64, for MS Windows
          Category:dropped
          Size (bytes):373288
          Entropy (8bit):5.612916865047601
          Encrypted:false
          SSDEEP:6144:dI6VyDGb+HiFr4kchE18dkuCj7jLwcYBQarDosNXUk:dIJDGb+Hiu9hE18dkxfdsNXV
          MD5:17DE7869B1B721B3FFF9DBE111CAAFF8
          SHA1:5CA75CBF7928732B5B022BC06146216CC7EEBC30
          SHA-256:852F71F992F9C6FE89875F468AB7058FD9E0CF03FC13654E7E2F291BC403517F
          SHA-512:A4C736EECDCC4DBED1D871B1E593B174A09001DFAB5D2FE1309918CCDF82DC25C09683799B35F6BF748E4A61466BC302A30A5FB62A350A6912C9112108501155
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 14%
          Reputation:unknown
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
          Category:dropped
          Size (bytes):174762
          Entropy (8bit):5.434075073453572
          Encrypted:false
          SSDEEP:1536:bferrLkSRoe8C4UZsys0Dh1duppOwSdnhCVEb010n6BBteqmLAv:bfi3k+oWDBDh1duCvnzb0+n6Xteqmkv
          MD5:6787BBD72F237C093B03F66DDF142BF5
          SHA1:B89FBED6EA076DEA30A23CAB818460B75FCB116C
          SHA-256:D856C1CC16AEBD51DCB1D78DAD8F9BFFF51255482B5B1A998EE9F41CD76ABD3B
          SHA-512:FF4CCCB44B25164DC4E487366B98A2A863DCED86B012D81A2114FF08785A93E9A2B6DC9E49367805E7958FCCE9798C2D205126898453D14A4F48A153AC79D458
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):25226464
          Entropy (8bit):7.997252015933408
          Encrypted:true
          SSDEEP:786432:z3pXDWoLTNOqMDH7ZQil1SGuS68qjK5cXc1++9:LpXDhLTNJM77WMUGumS7c
          MD5:35431D059197B67227CD12F841733539
          SHA1:AE97F1E35C50A3C1B7B231995AD547828E71FE4C
          SHA-256:296F96CD102250636BCD23AB6E6CF70935337B1BBB3507FE8521D8D9CFAA932F
          SHA-512:DFC0A9BD4151CBB9407A1234E6C892B65D3DB35F1A95684547FC0F5334A9B3D19EFE88D5F2661D7B4A372489334098629FFB2C433D4128772C3B021ED259424E
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:CSV text
          Category:dropped
          Size (bytes):264
          Entropy (8bit):4.738172136233677
          Encrypted:false
          SSDEEP:6:gASuF4s9WiIMEKDASuF4s9WiIMIIkDASuFDsF/iIMDbLVY+yKv:wwNlwNIIAmsF2DbW+yKv
          MD5:29B331B4B3863A220DD0845653F5183C
          SHA1:36F79EFA20F2C396ACBF6185877261D83709B6FB
          SHA-256:799CCE13EA7C28C92FC3CF52AEE3B1ED17FED10055CAA24D14732E6EB92C6104
          SHA-512:D0F8B5E2EA5A84019639AFEB3C4876FDA45D8F8DA0BF2D675E8D597F543793ACFF3D0F878A829B8DD5BA8111586FAEC53EAAE0D6B4CA2A4A97C9CA8F77E8B0E5
          Malicious:false
          Reputation:unknown
          Preview:2024-07-04 00:42:41,708 - INFO - IDmelon credential provider FIDO agent v1.1.0.0..2024-07-04 00:42:41,708 - INFO - IDmelon credential provider FIDO agent started...2024-07-04 00:42:41,708 - INFO - Waiting for credential provider to connect to the control pipe.....
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):7142
          Entropy (8bit):5.423831841947451
          Encrypted:false
          SSDEEP:96:rnTuSD2pv4nRte1+1M1T1j1g1O1d1v04hPqKkZKl0KBY2LgX0dhEODZutep:zqh4n21+1M1T1j1g1O1d1vddhEltU
          MD5:27B15918C1177E5D2DA30583007CD907
          SHA1:B80D7CEB10F7B5D2601CF307C2AA0619BC6B5DD1
          SHA-256:0EE060659E7AB58D7DB0C3CED9F2F38A5CC5F4818D71D72F4FE16FE95660680B
          SHA-512:412505DFACD0A5B28ABB635C3612DFDADE54D1F8E1EBFBF07BD34229B766E2C067BF0618A381D6BB9D6DB5FE551F3CBD921619DF989CDDF0F638C72D32C36540
          Malicious:false
          Reputation:unknown
          Preview:[1DCC:1DD0][2024-07-04T00:42:26]i001: Burn v3.10.4.4718, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe..[1DCC:1DD0][2024-07-04T00:42:26]i009: Command Line: '"-burn.clean.room=C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" -burn.filehandle.attached=508 -burn.filehandle.self=684 /quiet'..[1DCC:1DD0][2024-07-04T00:42:26]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe'..[1DCC:1DD0][2024-07-04T00:42:26]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Program Files (x86)\IDmelon\FCP\vc\'..[1DCC:1DD0][2024-07-04T00:42:26]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20240704004226.log'..[1DCC:1DD0][2024-07-04T00:42:26]i000: Setting string variable 'WixBundleName' to value 'Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.29.30139'..[1D
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):10240
          Entropy (8bit):5.408403475729264
          Encrypted:false
          SSDEEP:192:hjD5Bzu8mRd7ylc01dOF6Nr4mNiFHFEH3HGH8t+zaY6GVIb6:V9BXI4cqxCa+WFAzUeC6
          MD5:4EE6C0578960BCB5DAD78947E0CBFFE9
          SHA1:DD90488FFDE0B0DF76E0A5E8DCA8192C77619D8B
          SHA-256:EB182D049BA19F697628E20228AF329780AAF62C3585A1E36B9FB988911FE697
          SHA-512:0592166761C32AA804A26FB90191F636173B6E5144E4C10B100841FCB4D05CC30D8FFC3716E823D02DD3BCC73CFB9106639CF8AE2AEEBA409213F2F40DF5932C
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):15872
          Entropy (8bit):5.471472713414473
          Encrypted:false
          SSDEEP:192:EyGQtZkTktEQUrJaZfuyCnSmUsv3sY7L7cW8Y6Q86QvoTr11929WtshLAzgSrX8:EyNt+4t7uJalUnGesY7Lt8nCr/Yosa
          MD5:D095B082B7C5BA4665D40D9C5042AF6D
          SHA1:2220277304AF105CA6C56219F56F04E894B28D27
          SHA-256:B2091205E225FC07DAF1101218C64CE62A4690CACAC9C3D0644D12E93E4C213C
          SHA-512:61FB5CF84028437D8A63D0FDA53D9FE0F521D8FE04E96853A5B7A22050C4C4FB5528FF0CDBB3AE6BC74A5033563FC417FC7537E4778227C9FD6633AE844C47D9
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):12288
          Entropy (8bit):5.805604762622714
          Encrypted:false
          SSDEEP:192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
          MD5:4ADD245D4BA34B04F213409BFE504C07
          SHA1:EF756D6581D70E87D58CC4982E3F4D18E0EA5B09
          SHA-256:9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
          SHA-512:1BD260CABE5EA3CEFBBC675162F30092AB157893510F45A1B571489E03EBB2903C55F64F89812754D3FE03C8F10012B8078D1261A7E73AC1F87C82F714BCE03D
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):1074
          Entropy (8bit):3.6969617606275933
          Encrypted:false
          SSDEEP:24:Q+sxv5SAD5ylSjqWCs7y6J9aH9nK/6k8lDCxGcC96sWYpG:rsxwAQSjqQz9aIN8lOcWx
          MD5:9BF741985CA75B7CC8BCCB1AB992EABD
          SHA1:32FEB86AF8FD3370BF436253C48A42BAA5BFF9A7
          SHA-256:31D2045EF5829B2E041A3A17E27BB982104C941813D9DEB2D5B08E244151672D
          SHA-512:2CCBE8E7CF2BE5252813BB584B8F5379E76110DD65FBFDA6D5ACE803727104E0E61610837B71638479934B362C9736341A0C1FD0406607658BEDF68E9F4938C0
          Malicious:false
          Reputation:unknown
          Preview:..[.S.e.t.t.i.n.g.s.].....R.e.c.t.=.1.0.4.4.....N.u.m.F.i.e.l.d.s.=.3.....R.T.L.=.0.....N.e.x.t.B.u.t.t.o.n.T.e.x.t.=.&.F.i.n.i.s.h.....C.a.n.c.e.l.E.n.a.b.l.e.d.=.....S.t.a.t.e.=.0.....[.F.i.e.l.d. .1.].....T.y.p.e.=.b.i.t.m.a.p.....L.e.f.t.=.0.....R.i.g.h.t.=.1.0.9.....T.o.p.=.0.....B.o.t.t.o.m.=.1.9.3.....F.l.a.g.s.=.R.E.S.I.Z.E.T.O.F.I.T.....T.e.x.t.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.n.s.s.C.5.E.3...t.m.p.\.m.o.d.e.r.n.-.w.i.z.a.r.d...b.m.p.....H.W.N.D.=.1.1.1.4.7.8.6.....[.F.i.e.l.d. .2.].....T.y.p.e.=.l.a.b.e.l.....L.e.f.t.=.1.2.0.....R.i.g.h.t.=.3.1.5.....T.o.p.=.1.0.....T.e.x.t.=.C.o.m.p.l.e.t.i.n.g. .I.D.m.e.l.o.n. .F.C.P. .S.e.t.u.p.....B.o.t.t.o.m.=.3.8.....H.W.N.D.=.5.9.0.4.7.2.....[.F.i.e.l.d. .3.].....T.y.p.e.=.l.a.b.e.l.....L.e.f.t.=.1.2.0.....R.i.g.h.t.=.3.1.5.....T.o.p.=.4.5.....B.o.t.t.o.m.=.1.8.5.....T.e.x.t.=.I.D.m.e.l.o.n. .F.C.P. .h.a.s. .b.e.e.n. .i.n.s.t.a.l.l.e.d. .o.n. .y.o.u.r. .c.o.m.p.u.t.e.r...\.r.\.n.\.r.\.n.C.l.i.c.k. .
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
          Category:dropped
          Size (bytes):26494
          Entropy (8bit):1.9568109962493656
          Encrypted:false
          SSDEEP:24:Qwika6aSaaDaVYoG6abuJsnZs5GhI11BayNXPcDrSsUWcSphsWwlEWqCl6aHAX2x:Qoi47a5G8SddzKFIcsOz3Xz
          MD5:CBE40FD2B1EC96DAEDC65DA172D90022
          SHA1:366C216220AA4329DFF6C485FD0E9B0F4F0A7944
          SHA-256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
          SHA-512:62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):7168
          Entropy (8bit):5.2959870663251625
          Encrypted:false
          SSDEEP:96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
          MD5:B4579BC396ACE8CAFD9E825FF63FE244
          SHA1:32A87ED28A510E3B3C06A451D1F3D0BA9FAF8D9C
          SHA-256:01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
          SHA-512:3A76E0E259A0CA12275FED922CE6E01BDFD9E33BA85973E80101B8025EF9243F5E32461A113BBCC6AA75E40894BB5D3A42D6B21045517B6B3CF12D76B4CFA36A
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files\Windows Defender\MpCmdRun.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:modified
          Size (bytes):4926
          Entropy (8bit):3.2430394806623437
          Encrypted:false
          SSDEEP:48:FaqdF79/0+AAHdKoqKFxcxkF3/waqdF7Z+AAHdKoqKFxcxkF5:cEi+AAsoJjykzEZ+AAsoJjykD
          MD5:FCE6F6734BBD659F51A8A6214F61F7AB
          SHA1:B473D9F8198E2CDD63E700446CDE92D4A6188DE5
          SHA-256:B97CFB0F2E735F1C1568376665258A3D1F56A695CF4DB5C30594B955D4212F1B
          SHA-512:72C3185AC1E20BC1812CF06B4D315180BEA3052EDEFBEB5ECCC129A196C9687CB88B503418D6436A2A001973024B1DDEED86468E3E5EB8615A91132F91975AD0
          Malicious:false
          Reputation:unknown
          Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. O.c.t. .. 0.4. .. 2.0.2.3. .1.2.:.0.3.:.4.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
          Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):1787976
          Entropy (8bit):3.400243266399139
          Encrypted:false
          SSDEEP:6144:/iEh6ssRNdS8kcy4gEpb7LYbr5YtVM0cXyXs4NBLIT:hRsRNdS8g0Luy3tO
          MD5:DF4F7E77A3779AE9424A4D5FEA15CB92
          SHA1:B3485D8E9132F8AAC5589465946613F2D8FC5CA8
          SHA-256:CCB42CFD4CBCC890F1B1E6525DBA69ED326DABF46441237F32332EF7DD042854
          SHA-512:30E61D34E3722E69CE593DEF317C44B6F315E2660E4A2FB15A8BF45EB783B77476708F51ECB9D4535F003240CA76018E18EB3C1665604C541E96BB449E408854
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):4
          Entropy (8bit):2.0
          Encrypted:false
          SSDEEP:3:qn:qn
          MD5:3F1D1D8D87177D3D8D897D7E421F84D6
          SHA1:DD082D742A5CB751290F1DB2BD519C286AA86D95
          SHA-256:F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
          SHA-512:2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
          Malicious:false
          Reputation:unknown
          Preview:blat
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):11264
          Entropy (8bit):4.6989965032233245
          Encrypted:false
          SSDEEP:96:v9VD9daQ2iTrqT+y/ThvQ0I1uLfcC75JiC4Rs89EcYyGDPM0OcX6gY/7ECFV:39damqT3ThITst0E5DPKcqgY/79X
          MD5:56976443600793FF2302EE7634E496B3
          SHA1:018CE9250732A1794BBD0BDB8164061022B067AA
          SHA-256:10F461A94C3D616C19FF1A88DEC1EFEA5194F7150F5D490B38AC4E1B31F673DD
          SHA-512:A764C636D5D0B878B91DC61485E8699D7AA36F09AA1F0BD6AF33A8652098F28AEB3D7055008E56EBFC012BD3EA0868242A72E44DED0C83926F13D16866C31415
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):13824
          Entropy (8bit):5.047528837102683
          Encrypted:false
          SSDEEP:192:SF/1nb2eqCQtkluknuz4ceS4QDuEA7cqgYvEP:o2P6luLtn4QDHmgYvEP
          MD5:30F13366926DDC878B6D761BEC41879E
          SHA1:4B98075CCBF72A6CBF882B6C5CADEF8DC6EC91DB
          SHA-256:19D5F8081552A8AAFE901601D1FF5C054869308CEF92D03BCBE7BD2BB1291F23
          SHA-512:BDCEC85915AB6EC1D37C1D36B075AE2E69AA638B80CD08971D5FDFD9474B4D1CF442ABF8E93AA991F5A8DCF6DB9D79FB67A9FE7148581E6910D9C952A5E166B4
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):13312
          Entropy (8bit):5.0513840905718395
          Encrypted:false
          SSDEEP:192:7XF/1nb2eqCQtkXnFYIrWjz0YgWDbu5Do0vdvZt49lkVcqgYvEMN:L2P6XTr0zXgWDbui0vdvZt49MgYvEMN
          MD5:CDF7D583B5C0150455BD3DAD43A6BF9B
          SHA1:9EE9B033892BEB0E9641A67F456975A78122E4FA
          SHA-256:4CA725A1CB10672EE5666ED2B18E926CAAE1A8D8722C14AB3BE2D84BABF646F6
          SHA-512:96123559D21A61B144E2989F96F16786C4E94E5FA4DDA0C018EAA7FEFFA61DD6F0ADFA9815DF9D224CDEBE2E7849376D2A79D5A0F51A7F3327A2FAA0A444CE9C
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):12800
          Entropy (8bit):5.1050594710160535
          Encrypted:false
          SSDEEP:96:/PTF1siKeai1dqmJo0qVVLf/+NJSC6sc9kJ9oPobXXXP4IIYOxDmO8jcX6gRth2h:/LsiHfq5poUkJ97zIDmOucqgRvE
          MD5:7918BFE07DCB7AD21822DBAAA777566D
          SHA1:964F5B172759538C4E9E9131CE4BB39885D79842
          SHA-256:C00840D02ADA7031D294B1AB94A5F630C813AAE6897F18DD66C731F56931868E
          SHA-512:D4A05AB632D4F0EB0ED505D803F6A5C0DBE5117D12BA001CE820674903209F7249B690618555F9C061DB58BED1E03BE58AD5D5FE3BC35FC96DF27635639ABF25
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):36352
          Entropy (8bit):6.55587798283519
          Encrypted:false
          SSDEEP:384:Of+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuTLg4HPy:WqWB7YJlmLJ3oD/S4j990th9VTsC
          MD5:4B032DA3C65EA0CFBDEB8610C4298C51
          SHA1:541F9F8D428F4518F96D44BB1037BC348EAE54CF
          SHA-256:4AEF77E1359439748E6D3DB1ADB531CF86F4E1A8E437CCD06E8414E83CA28900
          SHA-512:2667BF25FD3BF81374750B43AFC5AEFF839EC1FF6DFC3FDD662F1D34A5924F69FC513EA3CD310991F85902A19ADA8B58DED9A9ED7B5D631563F62EA7F2624102
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):15872
          Entropy (8bit):5.2919328525651945
          Encrypted:false
          SSDEEP:192:oJBjJPqZkEPYinXKccxrEWx4xLquhS3WQ67EIfD4A1ccqgwYUMvEW:6URwin7mrEYCLEGd7/fDnwgwYUMvE
          MD5:57E4DF965E41B1F385B02F00EA08AE20
          SHA1:583B08C3FC312C8943FECDDD67D6D0A5FC2FF98B
          SHA-256:3F64DFFEC486DCF9A2E80CB9D96251B98F08795D5922D43FB69F0A5AC2340FC2
          SHA-512:48C3F78AF4E35BFEF3B0023A8039CF83E6B2E496845A11B7A2C2FA8BB62C7CCDE52158D4D37755584716220C34BBF379ECE7F8E3439B009AD099B1890B42A3D9
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):16384
          Entropy (8bit):5.565187477275172
          Encrypted:false
          SSDEEP:192:MeDd9Vk3yQ5f8vjVKChhXoJDkq6NS7oE2DDHlWw2XpmdcqgwNeecBU8:1k/5cj4shXED+o2Du8zgwNeO8
          MD5:F9C93FA6CA17FDF4FF2F13176684FD6C
          SHA1:6B6422B4CAF157147F7C0DD4B4BAB2374BE31502
          SHA-256:E9AEBB6F17BA05603E0763DFF1A91CE9D175C61C1C2E80F0881A0DEE8CFFBE3A
          SHA-512:09843E40E0D861A2DEE97320779C603550433BC9AB9402052EA284C6C74909E17CE0F6D3FDBA983F5EB6E120E2FE0C2B087420E138760BB0716D2999C10935C1
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):20992
          Entropy (8bit):6.058843128972375
          Encrypted:false
          SSDEEP:384:fHU/5cJMOZA0nmwBD+XpJgLa0Mp8Qhg4P2llyM:QK1XBD+DgLa1qTi
          MD5:E4969D864420FEB94F54CEF173D0AD4D
          SHA1:7F8FE4225BB6FD37F84EBCE8E64DF7192BA50FB6
          SHA-256:94D7D7B43E58170CAEA4520D7F741D743BC82B59BE50AA37D3D2FB7B8F1BB061
          SHA-512:F02F02A7DE647DDA723A344DBB043B75DA54D0783AE13E5D25EEC83072EA3B2375F672B710D6348D9FC829E30F8313FA44D5C28B4D65FDA8BB863700CAE994B7
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):25088
          Entropy (8bit):6.458942954966616
          Encrypted:false
          SSDEEP:384:xVcaHLHm+kJ7ZXmrfXA+UA10ol31tuXyZQ7gLWi:8aHrm+kJNXmrXA+NNxWi28LWi
          MD5:CD4B96612DEFDAAC5CF923A3960F15B6
          SHA1:3F987086C05A4246D8CCA9A65E42523440C7FFEC
          SHA-256:5C25283C95FFF9B0E81FCC76614626EB8048EA3B3FD1CD89FE7E2689130E0447
          SHA-512:C650860A3ECC852A25839FF1E379526157EB79D4F158B361C90077875B757F5E7A4AA33FFE5F4F49B28DF5D60E3471370889FBE3BF4D9568474ECE511FF5E67D
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):12288
          Entropy (8bit):4.833693880012467
          Encrypted:false
          SSDEEP:192:BF/1nb2eqCQtkrAUj8OxKbDbzecqgYvEkrK:t2P6EE8OsbD2gYvEmK
          MD5:0C46D7B7CD00B3D474417DE5D6229C41
          SHA1:825BDB1EA8BBFE7DE69487B76ABB36196B5FDAC0
          SHA-256:9D0A5C9813AD6BA129CAFEF815741636336EB9426AC4204DE7BC0471F7B006E1
          SHA-512:D81B17B100A052899D1FD4F8CEA1B1919F907DAA52F1BAD8DC8E3F5AFC230A5BCA465BBAC2E45960E7F8072E51FDD86C00416D06CF2A1F07DB5AD8A4E3930864
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):13824
          Entropy (8bit):4.900216636767426
          Encrypted:false
          SSDEEP:192:YTI1RgPfqLlvIOP3bdS2hkPUDk9oCM/vPXcqgzQkvEmO:YTvYgAdDkUDDCWpgzQkvE
          MD5:3142C93A6D9393F071AB489478E16B86
          SHA1:4FE99C817ED3BCC7708A6631F100862EBDA2B33D
          SHA-256:5EA310E0F85316C8981ED6293086A952FA91A6D12CA3F8AF9581521EE2B15586
          SHA-512:DCAFEC54BD9F9F42042E6FA4AC5ED53FEB6CF8D56ADA6A1787CAFC3736AA72F14912BBD1B27D0AF87E79A6D406B0326602ECD1AD394ACDC6275AED4C41CDB9EF
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):14848
          Entropy (8bit):5.302400096950382
          Encrypted:false
          SSDEEP:192:SJ1gSPqgKkwv0i8NSixSK57NEEE/qexcEtDr+DjRcqgUF6+6vEX:6E1si8NSixS0CqebtD+rgUUjvE
          MD5:A34F499EE5F1B69FC4FED692A5AFD3D6
          SHA1:6A37A35D4F5F772DAB18E1C2A51BE756DF16319A
          SHA-256:4F74BCF6CC81BAC37EA24CB1EF0B17F26B23EDB77F605531857EAA7B07D6C8B2
          SHA-512:301F7C31DEE8FF65BB11196F255122E47F3F1B6B592C86B6EC51AB7D9AC8926FECFBE274679AD4F383199378E47482B2DB707E09D73692BEE5E4EC79C244E3A8
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):57856
          Entropy (8bit):4.25844209931351
          Encrypted:false
          SSDEEP:384:1UqVT1dZ/lHkJnYcZiGKdZHDLtiduprZAZB0JAIg+v:nHlHfJid3X
          MD5:007BE822C3657687A84A7596531D79B7
          SHA1:B24F74FDC6FA04EB7C4D1CD7C757C8F1C08D4674
          SHA-256:6CF2B3969E44C88B34FB145166ACCCDE02B53B46949A9D5C37D83CA9C921B8C8
          SHA-512:F9A8B070302BDFE39D0CD8D3E779BB16C9278AE207F5FADF5B27E1A69C088EEF272BFBCE6B977BA37F68183C8BBEAC7A31668662178EFE4DF8940E19FBCD9909
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):58368
          Entropy (8bit):4.274890605099198
          Encrypted:false
          SSDEEP:384:4Uqho9weF5/dHkRnYcZiGKdZHDL7idErZBZYmGg:ECndH//iduz
          MD5:A883798D95F76DA8513DA6B87D470A2A
          SHA1:0507D920C1935CE71461CA1982CDB8077DDB3413
          SHA-256:AED194DD10B1B68493481E7E89F0B088EF216AB5DB81959A94D14BB134643BFB
          SHA-512:5C65221542B3849CDFBC719A54678BB414E71DE4320196D608E363EFF69F2448520E620B5AA8398592D5B58D7F7EC1CC4C72652AD621308C398D45F294D05C9B
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):10752
          Entropy (8bit):4.5811635662773185
          Encrypted:false
          SSDEEP:192:PzWVddiTHThQTctEEI4qXDc1CkcqgbW6:PzWMdsc+EuXDc0YgbW
          MD5:DEDAE3EFDA452BAB95F69CAE7AEBB409
          SHA1:520F3D02693D7013EA60D51A605212EFED9CA46B
          SHA-256:6248FDF98F949D87D52232DDF61FADA5EF02CD3E404BB222D7541A84A3B07B8A
          SHA-512:8C1CAB8F34DE2623A42F0750F182B6B9A7E2AFFA2667912B3660AF620C7D9AD3BD5B46867B3C2D50C0CAE2A1BC03D03E20E4020B7BA0F313B6A599726F022C6C
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):22016
          Entropy (8bit):6.1405490084747445
          Encrypted:false
          SSDEEP:384:WMU/5cRUtPMbNv37t6KjjNrDF6pJgLa0Mp8Qg0gYP2lcCM:WdKR8EbxwKflDFQgLa1AzP
          MD5:914EA1707EBA03E4BE45D3662BF2466E
          SHA1:3E110C9DBFE1D17E1B4BE69052E65C93DDC0BF26
          SHA-256:4D4F22633D5DB0AF58EE260B5233D48B54A6F531FFD58EE98A5305E37A00D376
          SHA-512:F6E6323655B351E5B7157231E04C352A488B0B49D7174855FC8594F119C87A26D31C602B3307C587A28AD408C2909A93B8BA8CB41166D0113BD5C6710C4162C3
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):17920
          Entropy (8bit):5.350740516564008
          Encrypted:false
          SSDEEP:384:GPHdP3Mj7Be/yB/MsB3yRcb+IqcOYoQViCBD88g6Vf4A:APcnB8KEsB3ocb+pcOYLMCBDu
          MD5:52E481A15C3CE1B0DF8BA3B1B77DF9D0
          SHA1:C1F06E1E956DFDE0F89C2E237ADFE42075AAE954
          SHA-256:C85A6783557D96BFA6E49FE2F6EA4D2450CF110DA314C6B8DCEDD7590046879B
          SHA-512:108FB1344347F0BC27B4D02D3F4E75A76E44DE26EF54323CB2737604DF8860A94FA37121623A627937F452B3B923C3D9671B13102D2E5F1005E4766E80A05A96
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):12288
          Entropy (8bit):4.737329240938157
          Encrypted:false
          SSDEEP:192:BF/1nb2eqCQtkgU7L9D0T70fcqgYvEJPb:t2P6L9DWAxgYvEJj
          MD5:A13584F663393F382C6D8D5C0023BC80
          SHA1:D324D5FBD7A5DBA27AA9B0BDB5C2AEBFF17B55B1
          SHA-256:13C34A25D10C42C6A12D214B2D027E5DC4AE7253B83F21FD70A091FEDAC1E049
          SHA-512:14E4A6F2959BD68F441AA02A4E374740B1657AB1308783A34D588717F637611724BC90A73C80FC6B47BC48DAFB15CF2399DC7020515848F51072F29E4A8B4451
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):14848
          Entropy (8bit):5.2072665819239585
          Encrypted:false
          SSDEEP:192:iF/1nb2eqCQtkhlgJ2ycxFzShJD9CAac2QDeJKcqgQx2XY:Y2PKr+2j8JDefJagQx2XY
          MD5:104B480CB83BFF78101CF6940588D570
          SHA1:6FC56B9CF380B508B01CAB342FCC939494D1F595
          SHA-256:BA4F23BBDD1167B5724C04DB116A1305C687001FAC43304CD5119C44C3BA6588
          SHA-512:60617865C67115AD070BD6462B346B89B69F834CAF2BFE0EF315FB4296B833E095CD03F3F4D6D9499245C5DA8785F2FBE1AC7427049BD48428EBF74529229040
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):14336
          Entropy (8bit):5.177411248432731
          Encrypted:false
          SSDEEP:192:mF/1nb2eqCQt7fSxp/CJPvADQZntxSOvbcqgEvcM+:c2PNKxZWPIDexVlgEvL
          MD5:06D3E941860BB0ABEDF1BAF1385D9445
          SHA1:E8C16C3E8956BA99A2D0DE860DCFC5021F1D7DE5
          SHA-256:1C340D2625DAD4F07B88BB04A81D5002AABF429561C92399B0EB8F6A72432325
          SHA-512:6F62ACFF39B77C1EC9F161A9BFA94F8E3B932D56E63DAEE0093C041543993B13422E12E29C8231D88BC85C0573AD9077C56AA7F7A307E27F269DA17FBA8EE5A3
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):14336
          Entropy (8bit):5.137579183601755
          Encrypted:false
          SSDEEP:192:5siHfq5po0ZUp8XnUp8XjEQnlDtW26rcqgcx2:nqDZUp8XUp8AclDN69gcx2
          MD5:F938A89AEC5F535AF25BD92221BBC141
          SHA1:384E1E92EBF1A6BBE068AB1493A26B50EFE43A7E
          SHA-256:774A39E65CC2D122F8D4EB314CED60848AFFF964FB5AD2627E32CB10EF28A6D0
          SHA-512:ED0506B9EBCEC26868F484464F9CC38E28F8056D6E55C536ECD2FD98F58F29F2D1CE96C5E574876A9AA6FD22D3756A49BC3EB464A7845CB3F28A1F3D1C98B4D7
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):13824
          Entropy (8bit):5.158343521612926
          Encrypted:false
          SSDEEP:192:jsiHfq5pwUivkwXap8T0NchH73s47iDJxj2wcqgfvE:9qbi8wap8T0Ncp7n7iDbFgfvE
          MD5:173EED515A1ADDD1DA0179DD2621F137
          SHA1:D02F5E6EDA9FF08ABB4E88C8202BAD7DB926258F
          SHA-256:9D9574A71EB0DE0D14570B5EDA06C15C17CC2E989A20D1E8A4821CB813290D5F
          SHA-512:8926FBB78A00FD4DC67670670035D9E601AF27CDBE003DC45AD809E8DA1042DDECB997F44ED104BEC13391C8048051B0AAD0C10FDEEDFB7F858BA177E92FDC54
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):15360
          Entropy (8bit):5.469810464531962
          Encrypted:false
          SSDEEP:192:RZ9WfqP7M93g8UdsoS1hhiBvzcuiDSjeoGmDZNbRBP0rcqgjPrvE:sA0gHdzS1MwuiDSyoGmD/r89gjPrvE
          MD5:39B06A1707FF5FDC5B3170EB744D596D
          SHA1:37307B2826607EA8D5029293990EB1476AD6CC42
          SHA-256:2E8BB88D768890B6B68D5B6BB86820766ADA22B82F99F31C659F4C11DEF211A1
          SHA-512:98C3C45EB8089800EDF99ACEA0810820099BFD6D2C805B80E35D9239626CB67C7599F1D93D2A14D2F3847D435EAA065BF56DF726606BB5E8A96E527E1420633D
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):13824
          Entropy (8bit):5.137646874307781
          Encrypted:false
          SSDEEP:192:QF/1nb2eqCQtZl9k9VEmosHcBZTHGF31trDbu8oiZmtwcqgk+9TI:q2PXlG9VDos8BZA33rDbuNgk0gk+9U
          MD5:1DFC771325DD625DE5A72E0949D90E5F
          SHA1:8E1F39AAFD403EDA1E5CD39D5496B9FAA3387B52
          SHA-256:13F9ADBBD60D7D80ACEE80D8FFB461D7665C5744F8FF917D06893AA6A4E25E3A
          SHA-512:B678FB4AD6DF5F8465A80BFB9A2B0433CF6CFAD4C6A69EEBF951F3C4018FD09CB7F38B752BE5AB55C4BE6C88722F70521D22CBCBBB47F8C46DDB0B1ACBFD7D7E
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):17920
          Entropy (8bit):5.687377356938656
          Encrypted:false
          SSDEEP:384:bPHdP3MjeQTh+QAZUUw8lMF6D+1tgj+kf4:xPcKQT3iw8lfDUej+
          MD5:9D15862569E033C5AA702F9E4041C928
          SHA1:11376E8CB76AD2D9A7D48D11F4A74FB12B78BCF6
          SHA-256:8970DF77D2F73350360DBE68F937E0523689FF3D7C0BE95EB7CA5820701F1493
          SHA-512:322F0F4947C9D5D2800DEEBFD198EABE730D44209C1B61BB9FD0F7F9ED5F719AE49F8397F7920BDB368BB386A598E9B215502DC46FBE72F9340876CF40AFFC8A
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):21504
          Entropy (8bit):5.9200472722347675
          Encrypted:false
          SSDEEP:384:pljwGpJpvrp/LTaqvYHp5RYcARQOj4MSTjqgPmJDcOwwgjxo:Ljw4JbZYtswvqDc51j
          MD5:7398EFD589FBE4FEFADE15B52632CD5C
          SHA1:5EA575056718D3EC9F57D3CFF4DF87D77D410A4B
          SHA-256:F1970DB1DA66EFB4CD8E065C40C888EED795685FF4E5A6FA58CA56A840FE5B80
          SHA-512:C26F6FF693782C84460535EBCD35F23AA3C95FB8C0C8A608FB9A849B0EFD735EF45125397549C61248AE06BD068554D2DE05F9A3BA64F363438EDB92DA59481B
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):21504
          Entropy (8bit):5.922439979230845
          Encrypted:false
          SSDEEP:384:jljwGpJpvrp/LtaqvYHp5RYcARQOj4MSTjqgPmJDcbegjxo:hjw4JVZYtswvqDcb7j
          MD5:352F56E35D58ABE96D6F5DBBD40D1FEA
          SHA1:5F0C9596B84B8A54D855441C6253303D0C81AA1B
          SHA-256:44EED167431151E53A8F119466036F1D60773DDEB8350AF972C82B3789D5D397
          SHA-512:CB4862B62ABB780656F1A06DADD3F80AEA453E226C38EFAE4318812928A7B0B6A3A8A86FCC43F65354B84FC07C7235FF384B75C2244553052E00DC85699D422A
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):26624
          Entropy (8bit):5.879121462749493
          Encrypted:false
          SSDEEP:768:pDLZ9BjjBui0gel9soFdkO66MlPGXmXcnRDbRj:VBfu/FZ6nPxMRDtj
          MD5:3C47F387A68629C11C871514962342C1
          SHA1:EA3E508A8FB2D3816C80CD54CDD9C8254809DB00
          SHA-256:EA8A361B060EB648C987ECAF453AE25034DBEA3D760DC0805B705AC9AA1C7DD9
          SHA-512:5C824E4C0E2AB13923DC8330D920DCD890A9B33331D97996BC1C3B73973DF7324FFFB6E940FA5AA92D6B23A0E6971532F3DB4BF899A9DF33CC0DD6CB1AC959DD
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):26624
          Entropy (8bit):5.937696428849242
          Encrypted:false
          SSDEEP:768:VYL59Ugjaui0gel9soFdkO66MlPGXmXcXVDuSFAj:60xu/FZ6nPxMlD7Kj
          MD5:2F44F1B760EE24C89C13D9E8A06EA124
          SHA1:CF8E16D8324A7823B11474211BD7B95ADB321448
          SHA-256:7C7B6F59DD250BD0F8CBC5AF5BB2DB9F9E1A2A56BE6442464576CD578F0B2AE0
          SHA-512:2AACB2BB6A9EBA89549BF864DDA56A71F3B3FFEDB8F2B7EF3FC552AB3D42BC4B832F5FA0BA87C59F0F899EA9716872198680275A70F3C973D44CA7711DB44A14
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):12800
          Entropy (8bit):5.027823764756571
          Encrypted:false
          SSDEEP:192:/RF/1nb2eqCQtkbsAT2fixSrdYDt8ymjcqgQvEW:/d2P6bsK4H+DVwgQvEW
          MD5:64604EE3AEBEE62168F837A41BA61DB1
          SHA1:4D3FF7AC183BC28B89117240ED1F6D7A7D10AEF1
          SHA-256:20C3CC2F50B51397ACDCD461EE24F0326982F2DC0E0A1A71F0FBB2CF973BBEB2
          SHA-512:D03EEFF438AFB57E8B921CE080772DF485644DED1074F3D0AC12D3EBB1D6916BD6282E0E971408E89127FF1DAD1D0CB1D214D7B549D686193068DEA137A250CE
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):13312
          Entropy (8bit):5.020783935465456
          Encrypted:false
          SSDEEP:192:+F/1nb2eqCQtks0iiNqdF4mtPjD0ZA5LPYcqgYvEL2x:02P6fFA/4GjDXcgYvEL2x
          MD5:E0EEDBAE588EE4EA1B3B3A59D2ED715A
          SHA1:4629B04E585899A7DCB4298138891A98C7F93D0B
          SHA-256:F507859F15A1E06A0F21E2A7B060D78491A9219A6A499472AA84176797F9DB02
          SHA-512:9FD82784C7E06F00257D387F96E732CE4A4BD065F9EC5B023265396D58051BECC2D129ABDE24D05276D5CD8447B7DED394A02C7B71035CED27CBF094ED82547D
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):15872
          Entropy (8bit):5.2616188776014665
          Encrypted:false
          SSDEEP:384:JP2T9FRjRskTdf4YBU7YP5yUYDE1give:qHlRl57IC8UYDEG
          MD5:1708C4D1B28C303DA19480AF3C6D04FF
          SHA1:BAC78207EFAA6D838A8684117E76FB871BD423D5
          SHA-256:C90FB9F28AD4E7DEED774597B12AA7785F01DC4458076BE514930BF7AB0D15EC
          SHA-512:2A174C1CB712E8B394CBEE20C33974AA277E09631701C80864B8935680F8A4570FD040EA6F59AD71631D421183B329B85C749F0977AEB9DE339DFABE7C23762E
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):15360
          Entropy (8bit):5.130670522779765
          Encrypted:false
          SSDEEP:192:nZNGfqDgvUh43G6coX2SSwmPL4V7wTdDl41Y2cqgWjvE:CFMhuGGF2L4STdDcYWgWjvE
          MD5:E08355F3952A748BADCA2DC2E82AA926
          SHA1:F24828A3EEFB15A2550D872B5E485E2254C11B48
          SHA-256:47C664CB7F738B4791C7D4C21A463E09E9C1AAAE2348E63FB2D13FC3E6E573EB
          SHA-512:E7F48A140AFEF5D6F64A4A27D95E25A8D78963BB1F9175B0232D4198D811F6178648280635499C562F398613E0B46D237F7DB74A39B52003D6C8768B80EC6FB6
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):34816
          Entropy (8bit):5.935249615462395
          Encrypted:false
          SSDEEP:768:gb+5F2hqrxS7yZAEfYcwcSPxpMgLp/GQNSpcVaGZ:gb+5Qwc7OAEfYcwJxpMgFJh
          MD5:DB56C985DBC562A60325D5D68D2E5C5B
          SHA1:854684CF126A10DE3B1C94FA6BCC018277275452
          SHA-256:089585F5322ADF572B938D34892C2B4C9F29B62F21A5CF90F481F1B6752BC59F
          SHA-512:274D9E4A200CAF6F60AC43F33AADF29C6853CC1A7E04DF7C8CA3E24A6243351E53F1E5D0207F23B34319DFC8EEE0D48B2821457B8F11B6D6A0DBA1AE820ACE43
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):12288
          Entropy (8bit):4.799861986912974
          Encrypted:false
          SSDEEP:192:YTIekCffqPSTMeAk4OeR64ADpki6RcqgO5vE:YTNZMcPeR64ADh63gO5vE
          MD5:6229A84562A9B1FBB0C3CF891813AADD
          SHA1:4FAFB8AF76A7F858418AA18B812FEACADFA87B45
          SHA-256:149027958A821CBC2F0EC8A0384D56908761CC544914CED491989B2AD9D5A4DC
          SHA-512:599C33F81B77D094E97944BB0A93DA68D2CCB31E6871CE5679179FB6B9B2CE36A9F838617AC7308F131F8424559C5D1A44631E75D0847F3CC63AB7BB57FE1871
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):754176
          Entropy (8bit):7.628627007698131
          Encrypted:false
          SSDEEP:12288:31ETHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h+b:lETHoxJFf1p34hcrn5Go9yQO6g
          MD5:BBB83671232E0BE361E812369A463E03
          SHA1:A37DAEC475AB230E14897077D17E20B7A5112B8D
          SHA-256:873A3E3E945421917BA780D95C78ECCB92D4E143227987D6812BC9F9E4653BE0
          SHA-512:BF6718DE5235F6A7C348A1E2F325FEE59C74356D4722DFA99DA36A2BE1E6386C544EEC09190E2EBBA58B7C6B4157D00409C59F29AE2CC7BC13CBC301B8592586
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):27648
          Entropy (8bit):5.799740467345125
          Encrypted:false
          SSDEEP:384:PvRwir5rOF2MZz1n0/kyTMIl9bhgIW0mvBaeoSzra2pftjGQDdsC0MgkbQ0e1r:PJLtg2MTeM+9dmvBaeoCtaQDekf
          MD5:7F2C691DEB4FF86F2F3B19F26C55115C
          SHA1:63A9D6FA3B149825EA691F5E9FDF81EEC98224AA
          SHA-256:BF9224037CAE862FE220094B6D690BC1992C19A79F7267172C90CBED0198582E
          SHA-512:3A51F43BF628E44736859781F7CFF0E0A6081CE7E5BDE2F82B3CDB52D75D0E3DFAE92FC2D5F7D003D0B313F6835DBA2E393A0A8436F9409D92E20B65D3AED7E2
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):67072
          Entropy (8bit):6.060804942512998
          Encrypted:false
          SSDEEP:1536:HqvnErJyGoqQXZKfp23mXKUULBeCFTUCqHF+PELb7MSAEfnctefBd5:HqvnErJyGoqQXZKfp2ayLsCFTUCqHEP4
          MD5:AF46798028AB3ED0E56889DFB593999B
          SHA1:D4D7B39A473E69774771B2292FDBF43097CE6015
          SHA-256:FD4F1F6306950276A362D2B3D46EDBB38FEABA017EDCA3CD3A2304340EC8DD6C
          SHA-512:58A80AFEEAC16D7C35F8063D03A1F71CA6D74F200742CAE4ADB3094CF4B3F2CD1A6B3F30A664BD75AB0AF85802D935B90DD9A1C29BFEA1B837C8C800261C6265
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):10752
          Entropy (8bit):4.488129745837651
          Encrypted:false
          SSDEEP:96:kfuF7pVVdJvbrqTuy/Th/Y0IluLfcC75JiC4cs89EfqADQhDsAbcX6gn/7EC:TF/VddiTHThQTctdErDQDsicqgn/7
          MD5:F4B7324A8F7908C3655BE4C75EAC36E7
          SHA1:11A30562A85A444F580213417483BE8D4D9264AD
          SHA-256:5397E3F5762D15DCD84271F49FC52983ED8F2717B258C7EF370B24977A5D374B
          SHA-512:66CA15A9BAD39DD4BE7921A28112A034FFE9CD11F91093318845C269E263804AB22A4AF262182D1C6DAC8741D517362C1D595D9F79C2F729216738C3DD79D7C2
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):10240
          Entropy (8bit):4.733990521299615
          Encrypted:false
          SSDEEP:192:PzVVddiTHThQTctEEaEDKDnMRWJcqgbW6:PzTMdsc+EaEDKDnCWvgbW
          MD5:3D566506052018F0556ADF9D499D4336
          SHA1:C3112FF145FACF47AF56B6C8DCA67DAE36E614A2
          SHA-256:B5899A53BC9D3112B3423C362A7F6278736418A297BF86D32FF3BE6A58D2DEEC
          SHA-512:0AC6A1FC0379F5C3C80D5C88C34957DFDB656E4BF1F10A9FA715AAD33873994835D1DE131FC55CD8B0DEBDA2997993E978700890308341873B8684C4CD59A411
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):10240
          Entropy (8bit):4.689063511060661
          Encrypted:false
          SSDEEP:96:P/ryZVVdJvbrqTuy/Th/Y0IluLfcC75JiCKs89EMz3DIWMot4BcX6gbW6O:PzQVddiTHThQTctEEO3DSoKcqgbW6
          MD5:FAE081B2C91072288C1C8BF66AD1ABA5
          SHA1:CD23DDB83057D5B056CA2B3AB49C8A51538247DE
          SHA-256:AF76A5B10678F477069ADD6E0428E48461FB634D9F35FB518F9F6A10415E12D6
          SHA-512:0ADB0B1088CB6C8F089CB9BF7AEC9EEEB1717CF6CF44B61FB0B053761FA70201AB3F7A6461AAAE1BC438D689E4F8B33375D31B78F1972AA5A4BF86AFAD66D3A4
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
          Category:dropped
          Size (bytes):5653424
          Entropy (8bit):6.729277267882055
          Encrypted:false
          SSDEEP:49152:EuEsNcEc8/CK4b11P5ViH8gw0+NVQD5stWIlE7lva8iposS9j5fzSQzs7ID+AVuS:EnL8+5fiEnQFLOAkGkzdnEVomFHKnPS
          MD5:03A161718F1D5E41897236D48C91AE3C
          SHA1:32B10EB46BAFB9F81A402CB7EFF4767418956BD4
          SHA-256:E06C4BD078F4690AA8874A3DEB38E802B2A16CCB602A7EDC2E077E98C05B5807
          SHA-512:7ABCC90E845B43D264EE18C9565C7D0CBB383BFD72B9CEBB198BA60C4A46F56DA5480DA51C90FF82957AD4C84A4799FA3EB0CEDFFAA6195F1315B3FF3DA1BE47
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):1142272
          Entropy (8bit):6.040548449175261
          Encrypted:false
          SSDEEP:12288:cLokSyhffpJSf6VJtHUR2L2mVSvya6Lx15IQnpKTlYcf9WBo:cLok/pXJdUzOSMx15dcTlYiK
          MD5:B505E88EB8995C2EC46129FB4B389E6C
          SHA1:CBFA8650730CBF6C07F5ED37B0744D983ABFE50A
          SHA-256:BE7918B4F7E7DE53674894A4B8CFADCACB4726CEA39B7DB477A6C70231C41790
          SHA-512:6A51B746D0FBC03F57FF28BE08F7E894AD2E9F2A2F3B61D88EAE22E7491CF35AE299CDB3261E85E4867F41D8FDA012AF5BD1EB8E1498F1A81ADC4354ADACDAAB
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
          Category:dropped
          Size (bytes):98224
          Entropy (8bit):6.452201564717313
          Encrypted:false
          SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
          MD5:F34EB034AA4A9735218686590CBA2E8B
          SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
          SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
          SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
          Category:dropped
          Size (bytes):37256
          Entropy (8bit):6.297533243519742
          Encrypted:false
          SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
          MD5:135359D350F72AD4BF716B764D39E749
          SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
          SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
          SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):65304
          Entropy (8bit):6.192082137044192
          Encrypted:false
          SSDEEP:1536:owmuopcJpmVwR40axzEfRILOnMv7SySmPxe:owmu4/mR40axzEfRILOnw3xe
          MD5:33D0B6DE555DDBBBD5CA229BFA91C329
          SHA1:03034826675AC93267CE0BF0EAEC9C8499E3FE17
          SHA-256:A9A99A2B847E46C0EFCE7FCFEFD27F4BCE58BAF9207277C17BFFD09EF4D274E5
          SHA-512:DBBD1DDFA445E22A0170A628387FCF3CB95E6F8B09465D76595555C4A67DA4274974BA7B348C4C81FE71C68D735C13AACB8063D3A964A8A0556FB000D68686B7
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):83736
          Entropy (8bit):6.595094797707322
          Encrypted:false
          SSDEEP:1536:hXOz78ZqjUyAsIi7W/5+D8W35mjZm35ILCVM7SyfYPxe:pOzwpyAFi7WMgW34jZm35ILCVMZoxe
          MD5:86D1B2A9070CD7D52124126A357FF067
          SHA1:18E30446FE51CED706F62C3544A8C8FDC08DE503
          SHA-256:62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
          SHA-512:7DB4B7E0C518A02AE901F4B24E3860122ACC67E38E73F98F993FE99EB20BB3AA539DB1ED40E63D6021861B54F34A5F5A364907FFD7DA182ADEA68BBDD5C2B535
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):97280
          Entropy (8bit):5.863582949096841
          Encrypted:false
          SSDEEP:1536:DkpD/iwe/wv2yuaXLGq8AFrx/5SuGfQuTpyTPryTt3EO3O5Hk+FNniLfwy:63SLu8BTpEyTt0OyHniLfw
          MD5:D24F4FE64C38018AE7FC9661C67739F6
          SHA1:E7B2ECCCCA76C2B27A4A6BBCC97F435435977FE4
          SHA-256:CF69E5FD60CE55AB42DDF01D27305F2C4EDBBA63D3DADADF04380B6A4A9C07EF
          SHA-512:80C7C79ECAC160350C545D81AAAED8D73C53F43EC61238F0CFCD51CF0EF1A81C40A986ED3D3BFF7726EDA50238871B0C786D77162B13E8F37F74BCA580892191
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):181248
          Entropy (8bit):6.188683787528254
          Encrypted:false
          SSDEEP:3072:rZ1fKD8GVLHASq0TTjfQxnkVB0hcspEsHS7iiSTLkKetJb9Pu:rZNRGVb9TTCnaZsuMXiSTLLeD9
          MD5:EBB660902937073EC9695CE08900B13D
          SHA1:881537ACEAD160E63FE6BA8F2316A2FBBB5CB311
          SHA-256:52E5A0C3CA9B0D4FC67243BD8492F5C305FF1653E8D956A2A3D9D36AF0A3E4FD
          SHA-512:19D5000EF6E473D2F533603AFE8D50891F81422C59AE03BEAD580412EC756723DC3379310E20CD0C39E9683CE7C5204791012E1B6B73996EA5CB59E8D371DE24
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):123672
          Entropy (8bit):6.047035801914277
          Encrypted:false
          SSDEEP:3072:0OEESRiaiH6lU1vxqfrId0sx3gVILLPykxA:hj+I1vAfrIRx3gN
          MD5:1635A0C5A72DF5AE64072CBB0065AEBE
          SHA1:C975865208B3369E71E3464BBCC87B65718B2B1F
          SHA-256:1EA3DD3DF393FA9B27BF6595BE4AC859064CD8EF9908A12378A6021BBA1CB177
          SHA-512:6E34346EA8A0AACC29CCD480035DA66E280830A7F3D220FD2F12D4CFA3E1C03955D58C0B95C2674AEA698A36A1B674325D3588483505874C2CE018135320FF99
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):254744
          Entropy (8bit):6.564308911485739
          Encrypted:false
          SSDEEP:6144:3LT2sto29vTlN5cdIKdo4/3VaV8FlBa9qWMa3pLW1A/T8O51j4iab9M:H2s/9vTlPcdk4vVtFU98iIu
          MD5:20C77203DDF9FF2FF96D6D11DEA2EDCF
          SHA1:0D660B8D1161E72C993C6E2AB0292A409F6379A5
          SHA-256:9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
          SHA-512:2B24346ECE2CBD1E9472A0E70768A8B4A5D2C12B3D83934F22EBDC9392D9023DCB44D2322ADA9EDBE2EB0E2C01B5742D2A83FA57CA23054080909EC6EB7CF3CA
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):64792
          Entropy (8bit):6.223467179037751
          Encrypted:false
          SSDEEP:1536:/smKJPganCspF1dqZAC2QjP2RILOIld7SyEPxDF:/smKpgNoF1dqZDnjP2RILOIv2xB
          MD5:D4674750C732F0DB4C4DD6A83A9124FE
          SHA1:FD8D76817ABC847BB8359A7C268ACADA9D26BFD5
          SHA-256:CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
          SHA-512:97D57CFB80DD9DD822F2F30F836E13A52F771EE8485BC0FD29236882970F6BFBDFAAC3F2E333BBA5C25C20255E8C0F5AD82D8BC8A6B6E2F7A07EA94A9149C81E
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):158488
          Entropy (8bit):6.8491143497239655
          Encrypted:false
          SSDEEP:3072:j0k3SXjD9aWpAn3rb7SbuDlvNgS4fWqEznfo9mNoFTSlXZ8Ax5ILZ1GIxq:j0kiXjD9v8X7Euk4wYOFTafxn
          MD5:7447EFD8D71E8A1929BE0FAC722B42DC
          SHA1:6080C1B84C2DCBF03DCC2D95306615FF5FCE49A6
          SHA-256:60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
          SHA-512:C6295D45ED6C4F7534C1A38D47DDC55FEA8B9F62BBDC0743E4D22E8AD0484984F8AB077B73E683D0A92D11BF6588A1AE395456CFA57DA94BB2A6C4A1B07984DE
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):44824
          Entropy (8bit):6.25910509143267
          Encrypted:false
          SSDEEP:768:6tZrHlbhCeruhfPxoUAIZdeoLuM3uJYVewp2m25SyG5ILCGSF5YiSyvkzLPxWElw:6PbtNruhfpuiVD2LSyG5ILCGSL7Sy83u
          MD5:8B07A1F0A073E33A990BAB943CF2F22C
          SHA1:D4FBED8732FDFE25FEC37F1152BBCAF3E0FB2D9B
          SHA-256:C26236A23EA4B99C19F9F9BB30CAE26BC5FF66D0FDD7FD65726A0BCB667CB160
          SHA-512:690A6F9EC6636DF89A43513554BE0BF4821DF8ECB60A578ADA8E0A6112846CD6BAFEF9449F85EF95BCDF91B3D3E0631F3413FC0EED14546F94FF42762270B7FE
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):34584
          Entropy (8bit):6.41423936733334
          Encrypted:false
          SSDEEP:768:eZt56pxGyC572edLMILWt3u5YiSyvCVPxWElj:eL5PyC572edLMILWt3E7SyqPx3
          MD5:A9A0588711147E01EED59BE23C7944A9
          SHA1:122494F75E8BB083DDB6545740C4FAE1F83970C9
          SHA-256:7581EDEA33C1DB0A49B8361E51E6291688601640E57D75909FB2007B2104FA4C
          SHA-512:6B580F5C53000DB5954DEB5B2400C14CB07F5F8BBCFC069B58C2481719A0F22F0D40854CA640EF8425C498FBAE98C9DE156B5CC04B168577F0DA0C6B13846A88
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):49944
          Entropy (8bit):6.381980613434177
          Encrypted:false
          SSDEEP:768:8AM30ie6tyw0lTnj1TulWXaSV2cFVNILXtP5YiSyvWPxWElh7:8AM3hacSV2UNILXth7SyuPxd7
          MD5:FDF8663B99959031780583CCE98E10F5
          SHA1:6C0BAFC48646841A91625D74D6B7D1D53656944D
          SHA-256:2EBBB0583259528A5178DD37439A64AFFCB1AB28CF323C6DC36A8C30362AA992
          SHA-512:A5371D6F6055B92AC119A3E3B52B21E2D17604E5A5AC241C008EC60D1DB70B3CE4507D82A3C7CE580ED2EB7D83BB718F4EDC2943D10CB1D377FA006F4D0026B6
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):31512
          Entropy (8bit):6.563116725717513
          Encrypted:false
          SSDEEP:768:bxrUGCpa6rIxdK/rAwVILQU85YiSyvz5PxWEaAc:trUZIzYrAwVILQUG7SydPxDc
          MD5:D8C1B81BBC125B6AD1F48A172181336E
          SHA1:3FF1D8DCEC04CE16E97E12263B9233FBF982340C
          SHA-256:925F05255F4AAE0997DC4EC94D900FD15950FD840685D5B8AA755427C7422B14
          SHA-512:CCC9F0D3ACA66729832F26BE12F8E7021834BBEE1F4A45DA9451B1AA5C2E63126C0031D223AF57CF71FAD2C85860782A56D78D8339B35720194DF139076E0772
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):79128
          Entropy (8bit):6.284790077237953
          Encrypted:false
          SSDEEP:1536:ZmtvsXhgzrojAs9/s+S+pGLypbyxk/DDTBVILLwX7SyiPx9:c56OzyAs9/sT+pGLypb+k/XFVILLwX4f
          MD5:819166054FEC07EFCD1062F13C2147EE
          SHA1:93868EBCD6E013FDA9CD96D8065A1D70A66A2A26
          SHA-256:E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
          SHA-512:DA3A440C94CB99B8AF7D2BC8F8F0631AE9C112BD04BADF200EDBF7EA0C48D012843B4A9FB9F1E6D3A9674FD3D4EB6F0FA78FD1121FAD1F01F3B981028538B666
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):160536
          Entropy (8bit):6.027748879187965
          Encrypted:false
          SSDEEP:3072:OwYiZ+PtocHnVXhLlasuvMETxoEBA+nbUtGnBSonJCNI5ILC7Gax1:FYk+PtocHVxx/uvPCEwhGJ
          MD5:7910FB2AF40E81BEE211182CFFEC0A06
          SHA1:251482ED44840B3C75426DD8E3280059D2CA06C6
          SHA-256:D2A7999E234E33828888AD455BAA6AB101D90323579ABC1095B8C42F0F723B6F
          SHA-512:BFE6506FEB27A592FE9CF1DB7D567D0D07F148EF1A2C969F1E4F7F29740C6BB8CCF946131E65FE5AA8EDE371686C272B0860BD4C0C223195AAA1A44F59301B27
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):25368
          Entropy (8bit):6.613762885337037
          Encrypted:false
          SSDEEP:384:KYnvEaNKFDyuiBXK55ILZw59HQIYiSy1pCQNuPxh8E9VF0Ny8cIh:FTNK4uyXK55ILZwD5YiSyvEPxWEalh
          MD5:B68C98113C8E7E83AF56BA98FF3AC84A
          SHA1:448938564559570B269E05E745D9C52ECDA37154
          SHA-256:990586F2A2BA00D48B59BDD03D3C223B8E9FB7D7FAB6D414BAC2833EB1241CA2
          SHA-512:33C69199CBA8E58E235B96684346E748A17CC7F03FC068CFA8A7EC7B5F9F6FA90D90B5CDB43285ABF8B4108E71098D4E87FB0D06B28E2132357964B3EEA3A4F8
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:Zip archive data, at least v2.0 to extract, compression method=store
          Category:dropped
          Size (bytes):880569
          Entropy (8bit):5.682997344315044
          Encrypted:false
          SSDEEP:12288:lgYJu4KXWyBC6S4IEZjA4a2Ya2xdOVwx/fpEh+rtSLMN5:lgYJiVB3La2xTVwx/fpEh++MN5
          MD5:DCC69176BEA901A300A95298BD53E274
          SHA1:8A8227E3C6791393254DA3244630161064B36A30
          SHA-256:E1B4724D2A99B6E74B2DE4264302848BB1499DB777A7A76DE347720D0DC040D0
          SHA-512:CDF24D139E1240C5E97B702C28551EAF8E853625C4D5D99DEB8E087EDC776977F1DE3EBD27B41F97512A223CDAA28DE0D718AC36C2110C5A00809E911522A93A
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):290282
          Entropy (8bit):6.048183244201235
          Encrypted:false
          SSDEEP:6144:QW1H/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5Np:QWN/TRJLWURrI55MWavdF0L
          MD5:302B49C5F476C0AE35571430BB2E4AA0
          SHA1:35A7837A3F1B960807BF46B1C95EC22792262846
          SHA-256:CF9D37FA81407AFE11DCC0D70FE602561422AA2344708C324E4504DB8C6C5748
          SHA-512:1345AF52984B570B1FF223032575FEB36CDFB4F38E75E0BD3B998BC46E9C646F7AC5C583D23A70460219299B9C04875EF672BF5A0D614618731DF9B7A5637D0A
          Malicious:false
          Reputation:unknown
          Preview:.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):10752
          Entropy (8bit):4.675182011095312
          Encrypted:false
          SSDEEP:96:FL8Khp72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFaiHrmHcX6g8cim1qeSC:Zj2HzzU2bRYoe4Hmcqgvimoe
          MD5:F33CA57D413E6B5313272FA54DBC8BAA
          SHA1:4E0CABE7D38FE8D649A0A497ED18D4D1CA5F4C44
          SHA-256:9B3D70922DCFAEB02812AFA9030A40433B9D2B58BCF088781F9AB68A74D20664
          SHA-512:F17C06F4202B6EDBB66660D68FF938D4F75B411F9FAB48636C3575E42ABAAB6464D66CB57BCE7F84E8E2B5755B6EF757A820A50C13DD5F85FAA63CD553D3FF32
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):120320
          Entropy (8bit):5.879886869577473
          Encrypted:false
          SSDEEP:3072:YKBCiXU2SBEUemE+OaOb3OEOz0fEDrF9pQKhN:YJZ2zOfdQKX
          MD5:494F5B9ADC1CFB7FDB919C9B1AF346E1
          SHA1:4A5FDDD47812D19948585390F76D5435C4220E6B
          SHA-256:AD9BCC0DE6815516DFDE91BB2E477F8FB5F099D7F5511D0F54B50FA77B721051
          SHA-512:2C0D68DA196075EA30D97B5FD853C673E28949DF2B6BF005AE72FD8B60A0C036F18103C5DE662CAC63BAAEF740B65B4ED2394FCD2E6DA4DFCFBEEF5B64DAB794
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):4
          Entropy (8bit):1.5
          Encrypted:false
          SSDEEP:3:Mn:M
          MD5:365C9BFEB7D89244F2CE01C1DE44CB85
          SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
          SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
          SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
          Malicious:false
          Reputation:unknown
          Preview:pip.
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):197
          Entropy (8bit):4.61968998873571
          Encrypted:false
          SSDEEP:3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
          MD5:8C3617DB4FB6FAE01F1D253AB91511E4
          SHA1:E442040C26CD76D1B946822CAF29011A51F75D6D
          SHA-256:3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
          SHA-512:77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
          Malicious:false
          Reputation:unknown
          Preview:This software is made available under the terms of *either* of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of *both* these licenses..
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):11360
          Entropy (8bit):4.426756947907149
          Encrypted:false
          SSDEEP:192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
          MD5:4E168CCE331E5C827D4C2B68A6200E1B
          SHA1:DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
          SHA-256:AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
          SHA-512:F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
          Malicious:false
          Reputation:unknown
          Preview:. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):1532
          Entropy (8bit):5.058591167088024
          Encrypted:false
          SSDEEP:24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
          MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
          SHA1:EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
          SHA-256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
          SHA-512:DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
          Malicious:false
          Reputation:unknown
          Preview:Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):5292
          Entropy (8bit):5.115440205505611
          Encrypted:false
          SSDEEP:96:DxapqZink/QIHQIyzQIZQILuQIR8vtklGovxNx6sWwCvCCcTKvIrrg9BMM6VwDjz:sJnkoBs/sqLz8cTKvIrrUiM6VwDjyeWs
          MD5:137D13F917D94C83137A0FA5AE12B467
          SHA1:01E93402C225BF2A4EE59F9A06F8062CB5E4801E
          SHA-256:36738E6971D2F20DB78433185A0EF7912A48544AA6FF7006505A7DC785158859
          SHA-512:1B22CBC6E22FA5E2BD5CC4A370443A342D00E7DD53330A4000E9A680DE80262BCA7188764E3568944D01025188291602AC8C53C971630984FBD9FA7D75AAB124
          Malicious:false
          Reputation:unknown
          Preview:Metadata-Version: 2.1..Name: cryptography..Version: 41.0.7..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:CSV text
          Category:dropped
          Size (bytes):15334
          Entropy (8bit):5.555125785454221
          Encrypted:false
          SSDEEP:384:3X6eU/ZfaigPOSJN5E6W1HepPNx6uvnNLEw:3RUxfzOPtREw
          MD5:4ED1DF753C330417D290331FD1E18219
          SHA1:556BED31DCDFA36166B45D8BCBB04C0D3B66C745
          SHA-256:F71F64A0875F365A8C6CA53BC96CFB428C5102F98029459BA2091958802DCFD9
          SHA-512:6984EF6D5DFC1062E6AB655E7B0C0A8AB916F1A3D88D8FA7FAD799E2792A2CB06C5C78C2292CCDB983CB6F68BA92B9F6453996B060CFDE7EE9C293FCE5F4D698
          Malicious:false
          Reputation:unknown
          Preview:cryptography-41.0.7.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-41.0.7.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-41.0.7.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-41.0.7.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-41.0.7.dist-info/METADATA,sha256=NnOOaXHS8g23hDMYWg73kSpIVEqm_3AGUFp9x4UViFk,5292..cryptography-41.0.7.dist-info/RECORD,,..cryptography-41.0.7.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-41.0.7.dist-info/WHEEL,sha256=-EX5DQzNGQEoyL99Q-0P0-D-CXbfqafenaAeiSQ_Ufk,100..cryptography-41.0.7.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=uPXMbbcptt7EzZ_jllGRx0pVdMn-NBsAM4L74hOv-b0,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/_
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):100
          Entropy (8bit):5.0203365408149025
          Encrypted:false
          SSDEEP:3:RtEeX7MWcSlVlbY3KgP+tkKc/SKQLn:RtBMwlVCxWKxDQLn
          MD5:4B432A99682DE414B29A683A3546B69F
          SHA1:F59C5016889EE5E9F62D09B22AEFBC2211A56C93
          SHA-256:F845F90D0CCD190128C8BF7D43ED0FD3E0FE0976DFA9A7DE9DA01E89243F51F9
          SHA-512:CBBF10E19B6F4072C416EA95D7AE259B9C5A1B89068B7B6660B7C637D6F2437AEA8D8202A2E26A0BEC36DAECD8BBB6B59016FC2DDEB13C545F0868B3E15479CA
          Malicious:false
          Reputation:unknown
          Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp37-abi3-win_amd64..
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):13
          Entropy (8bit):3.2389012566026314
          Encrypted:false
          SSDEEP:3:cOv:Nv
          MD5:E7274BD06FF93210298E7117D11EA631
          SHA1:7132C9EC1FD99924D658CC672F3AFE98AFEFAB8A
          SHA-256:28D693F929F62B8BB135A11B7BA9987439F7A960CC969E32F8CB567C1EF79C97
          SHA-512:AA6021C4E60A6382630BEBC1E16944F9B312359D645FC61219E9A3F19D876FD600E07DCA6932DCD7A1E15BFDEAC7DBDCEB9FFFCD5CA0E5377B82268ED19DE225
          Malicious:false
          Reputation:unknown
          Preview:cryptography.
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):6673920
          Entropy (8bit):6.582002531606852
          Encrypted:false
          SSDEEP:98304:EzN+T+xtLlk0PPMAiGoTzeDy3x8lGBlWi9Nk:E5Y6Jk0PPMtfTzp3x8c
          MD5:486085AAC7BB246A173CEEA0879230AF
          SHA1:EF1095843B2A9C6D8285C7D9E8E334A9CE812FAE
          SHA-256:C3964FC08E4CA8BC193F131DEF6CC4B4724B18073AA0E12FED8B87C2E627DC83
          SHA-512:8A56774A08DA0AB9DD561D21FEBEEBC23A5DEA6F63D5638EA1B608CD923B857DF1F096262865E6EBD56B13EFD3BBA8D714FFDCE8316293229974532C49136460
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):100352
          Entropy (8bit):5.934692072315603
          Encrypted:false
          SSDEEP:3072:sEujSbDUbXE+Fw+Rt4PQyUN2exeYNTlI:xH8XZFwwtx8EI
          MD5:D9152F1CC7198047C19968B405F18CB7
          SHA1:BE2F3C405454624AA5010EFD15314CA5182D6B88
          SHA-256:E356DF68E5442CEA92CDBB52E5BFF09F11D082AB8067E20B3FDFCBF7199AB071
          SHA-512:E8D951EEA4C2158E661BB7B9FB4B3E5192B56E7E34FEB906F2F1A426D3390EF92FC89F4037E75E51890E31F2AB7CDED4D244D19C96AB0534EB6257F00F442DAA
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):3450648
          Entropy (8bit):6.098075450035195
          Encrypted:false
          SSDEEP:98304:YP+uemAdn67xfxw6rKsK1CPwDv3uFfJz1CmiX:OZemAYxfxw6HK1CPwDv3uFfJzUmA
          MD5:9D7A0C99256C50AFD5B0560BA2548930
          SHA1:76BD9F13597A46F5283AA35C30B53C21976D0824
          SHA-256:9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939
          SHA-512:CB39AA99B9D98C735FDACF1C5ED68A4D09D11F30262B91F6AA48C3F8520EFF95E499400D0CE7E280CA7A90FF6D7141D2D893EF0B33A8803A1CADB28BA9A9E3E2
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):32792
          Entropy (8bit):6.3566777719925565
          Encrypted:false
          SSDEEP:384:2nypDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYIoBneEAR8:2l0Vn5Q28J8qsqMttktDxOpWDG4yKRF
          MD5:EEF7981412BE8EA459064D3090F4B3AA
          SHA1:C60DA4830CE27AFC234B3C3014C583F7F0A5A925
          SHA-256:F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
          SHA-512:DC9FF4202F74A13CA9949A123DFF4C0223DA969F49E9348FEAF93DA4470F7BE82CFA1D392566EAAA836D77DDE7193FED15A8395509F72A0E9F97C66C0A096016
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):704792
          Entropy (8bit):5.5573527806738126
          Encrypted:false
          SSDEEP:12288:WhO7/rNKmrouK/POt6h+7ToRLgo479dQwwLOpWW/dQ0TGqwfU2lvz2:2is/POtrzbLp5dQ0TGqcU2lvz2
          MD5:BEC0F86F9DA765E2A02C9237259A7898
          SHA1:3CAA604C3FFF88E71F489977E4293A488FB5671C
          SHA-256:D74CE01319AE6F54483A19375524AA39D9F5FD91F06CF7DF238CA25E043130FD
          SHA-512:FFBC4E5FFDB49704E7AA6D74533E5AF76BBE5DB297713D8E59BD296143FE5F145FBB616B343EED3C48ECEACCCCC2431630470D8975A4A17C37EAFCC12EDD19F4
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):67072
          Entropy (8bit):5.90551713971002
          Encrypted:false
          SSDEEP:1536:ZhseNxkc7Xva0Y420G1UD+dS4gBeLmRy:Z1kcbi0Y42bUD+dS4oeiRy
          MD5:01F9D30DD889A3519E3CA93FE6EFEE70
          SHA1:EBF55ADBD8CD938C4C11D076203A3E54D995AEFF
          SHA-256:A66444A08A8B9CEAFA05DAEFEB32AA1E65C8009A3C480599F648FA52A20AFB7D
          SHA-512:76FED302D62BB38A39E0BF6C9038730E83B6AFFFA2F36E7A62B85770D4847EA6C688098061945509A1FDB799FB7F5C88699F94E7DA1934F88A9C3B6A433EE9EF
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):198936
          Entropy (8bit):6.372446720663998
          Encrypted:false
          SSDEEP:3072:13BAJzkk5dT6F62eqf2A3zVnjIHdAPKReewMP12yGUfT0+SYyWgOmrpjAxvwnVIq:FQg4dT6N5OA3zVnjNed4yGKTKR/
          MD5:1118C1329F82CE9072D908CBD87E197C
          SHA1:C59382178FE695C2C5576DCA47C96B6DE4BBCFFD
          SHA-256:4A2D59993BCE76790C6D923AF81BF404F8E2CB73552E320113663B14CF78748C
          SHA-512:29F1B74E96A95B0B777EF00448DA8BD0844E2F1D8248788A284EC868AE098C774A694D234A00BD991B2D22C2372C34F762CDBD9EC523234861E39C0CA752DCAA
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):66328
          Entropy (8bit):6.162953246481027
          Encrypted:false
          SSDEEP:768:t68LeBLeeFtp5V1BfO2yvSk70QZF1nEyjnskQkr/RFB1qucwdBeCw0myou6ZwJqn:t6wewnvtjnsfwxVILL0S7SyuPxHO
          MD5:FD4A39E7C1F7F07CF635145A2AF0DC3A
          SHA1:05292BA14ACC978BB195818499A294028AB644BD
          SHA-256:DC909EB798A23BA8EE9F8E3F307D97755BC0D2DC0CB342CEDAE81FBBAD32A8A9
          SHA-512:37D3218BC767C44E8197555D3FA18D5AAD43A536CFE24AC17BF8A3084FB70BD4763CCFD16D2DF405538B657F720871E0CD312DFEB7F592F3AAC34D9D00D5A643
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):4458776
          Entropy (8bit):6.460390021076921
          Encrypted:false
          SSDEEP:49152:myrXfGIy+Bqk5c5Ad2nwZT3Q6wsV136cR2DZvbK30xLNZcAgVBvcpYcvl1IDWbH3:Uw5tVBlicWdvoDkHUMF7Ph/qe
          MD5:63A1FA9259A35EAEAC04174CECB90048
          SHA1:0DC0C91BCD6F69B80DCDD7E4020365DD7853885A
          SHA-256:14B06796F288BC6599E458FB23A944AB0C843E9868058F02A91D4606533505ED
          SHA-512:896CAA053F48B1E4102E0F41A7D13D932A746EEA69A894AE564EF5A84EF50890514DECA6496E915AAE40A500955220DBC1B1016FE0B8BCDDE0AD81B2917DEA8B
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):669184
          Entropy (8bit):6.03765159448253
          Encrypted:false
          SSDEEP:6144:zxxMpraRSS9Y68EuBPjIQN5cJzS7bUxgyPxFMH0PIXY3dVVVVAuLpdorrcK/CXjW:zxxMZMX1bQIJO7bazPEQSYNBLpdwNu
          MD5:65DD753F51CD492211986E7B700983EF
          SHA1:F5B469EC29A4BE76BC479B2219202F7D25A261E2
          SHA-256:C3B33BA6C4F646151AED4172562309D9F44A83858DDFD84B2D894A8B7DA72B1E
          SHA-512:8BD505E504110E40FA4973FEFF2FAE17EDC310A1CE1DC78B6AF7972EFDD93348087E6F16296BFD57ABFDBBE49AF769178F063BB0AA1DEE661C08659F47A6216D
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):134656
          Entropy (8bit):5.992653928086484
          Encrypted:false
          SSDEEP:3072:DLVxziezwPZSMaAXpuuwNNDY/r06trfSsSYOejKVJBtGdI8hvnMu:HfziezwMMaAX2Y/rxjbOejKDBtG681n
          MD5:CEB06A956B276CEA73098D145FA64712
          SHA1:6F0BA21F0325ACC7CF6BF9F099D9A86470A786BF
          SHA-256:C8EC6429D243AEF1F78969863BE23D59273FA6303760A173AB36AB71D5676005
          SHA-512:05BAB4A293E4C7EFA85FA2491C32F299AFD46FDB079DCB7EE2CC4C31024E01286DAAF4AEAD5082FC1FD0D4169B2D1BE589D1670FCF875B06C6F15F634E0C6F34
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):29976
          Entropy (8bit):6.627859470728624
          Encrypted:false
          SSDEEP:768:gUC2hwhVHqOmEVILQG35YiSyvrYPxWEl6:FC2ehVKOmEVILQGp7SyEPxe
          MD5:A653F35D05D2F6DEBC5D34DADDD3DFA1
          SHA1:1A2CEEC28EA44388F412420425665C3781AF2435
          SHA-256:DB85F2F94D4994283E1055057372594538AE11020389D966E45607413851D9E9
          SHA-512:5AEDE99C3BE25B1A962261B183AE7A7FB92CB0CB866065DC9CD7BB5FF6F41CC8813D2CC9DE54670A27B3AD07A33B833EAA95A5B46DAD7763CA97DFA0C1CE54C9
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):5
          Entropy (8bit):1.9219280948873623
          Encrypted:false
          SSDEEP:3:Lvn:Lv
          MD5:00305BC1FB89E33403A168E6E3E2EC08
          SHA1:A39CA102F6B0E1129E63235BCB0AD802A5572195
          SHA-256:0B77BDB04E0461147A7C783C200BC11A6591886E59E2509F5D7F6CB7179D01AB
          SHA-512:DB43B091F60DE7F8C983F5FC4009DB89673215CCD20FD8B2CED4983365A74B36AC371E2E85397CAC915C021377E26F2C4290915EA96F9E522E341E512C0FC169
          Malicious:false
          Reputation:unknown
          Preview:pip..
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):1050
          Entropy (8bit):5.072538194763298
          Encrypted:false
          SSDEEP:24:1rmJHcwH0MP3gt8Hw1hj9QHOsUv4eOk4/+/m3oqMSFJ:1aJ8YHvEH5QHOs5exm3oEFJ
          MD5:7A7126E068206290F3FE9F8D6C713EA6
          SHA1:8E6689D37F82D5617B7F7F7232C94024D41066D1
          SHA-256:DB3F0246B1F9278F15845B99FEC478B8B506EB76487993722F8C6E254285FAF8
          SHA-512:C9F0870BC5D5EFF8769D9919E6D8DDE1B773543634F7D03503A9E8F191BD4ACC00A97E0399E173785D1B65318BAC79F41D3974AE6855E5C432AC5DACF8D13E8A
          Malicious:false
          Reputation:unknown
          Preview:Copyright Jason R. Coombs..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to.deal in the Software without restriction, including without limitation the.rights to use, copy, modify, merge, publish, distribute, sublicense, and/or.sell copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING.FROM, OUT OF OR IN CONNECTION WITH THE SOFTW
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):5131
          Entropy (8bit):5.122995579924766
          Encrypted:false
          SSDEEP:96:DpwYyJX4a113or1uCDIG0wMHodIDbVWKWddpnzYDiHNlP37POX7FwTtPMk:a4rMYIG0wMHodIDbAd/n7AFwTJ
          MD5:FFCB84AF49AB52C4FDD312F814E14B0D
          SHA1:89C9D3D82455A1BD5EB8B938DD3E5FCBFB1D36B0
          SHA-256:75CDE8A60801D637767D85E414FBBB80B222AA2774199A8B419E197BC245109A
          SHA-512:83219D0BF52253309AF3D5F9BF37474C765DF94A5D363ADFDCAE956D88B795D477237107321AAD90BBCF79D438200672C9354B44E4D4D2FD630FBC4AEF248972
          Malicious:false
          Reputation:unknown
          Preview:Metadata-Version: 2.1.Name: setuptools.Version: 60.2.0.Summary: Easily download, build, install, upgrade, and uninstall Python packages.Home-page: https://github.com/pypa/setuptools.Author: Python Packaging Authority.Author-email: distutils-sig@python.org.License: UNKNOWN.Project-URL: Documentation, https://setuptools.pypa.io/.Keywords: CPAN PyPI distutils eggs package management.Platform: UNKNOWN.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Topic :: Software Development :: Libraries :: Python Modules.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: Topic :: System :: Systems Administration.Classifier: Topic :: Utilities.Requires-Python: >=3.7.License-File: LICENSE.Provides-Extra: certs.Provides-Extra: docs.Requires-Dist: sphinx ; extra == 'docs'.Requ
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:CSV text
          Category:dropped
          Size (bytes):21957
          Entropy (8bit):5.622802101148321
          Encrypted:false
          SSDEEP:384:L46dEofm3e5I9cbmBBdJJa1uy/MqhHH7TPmT2ILwg:LTcY190qhHbT9q5
          MD5:B42FD355E6FFFC68D43E12963C0F7D47
          SHA1:81E5A1AA111B414DC8BCD642E21363BC17D4538D
          SHA-256:1FA525F06E0C9DD86266758AC257D53AA42A4944D07ACA85CBFC5970A0030BB3
          SHA-512:19A2AA1C5F1660AC920953F760D8BBA084725727A9E0D2A78659995AF677481C8349765DFE8539C2E0BC1418EC008C5BA89D005CCB9A3602ADF9629A5862D900
          Malicious:false
          Reputation:unknown
          Preview:distutils-precedence.pth,sha256=JjjOniUA5XKl4N5_rtZmHrVp0baW_LoHsN0iPaX10iQ,151._distutils_hack/__init__.py,sha256=YA_zRyutXEbuZDipUW6EQoLC6PuUbvYsGyBg-aL-PCs,4741._distutils_hack/override.py,sha256=Eu_s-NF6VIZ4Cqd0tbbA5wtWky2IZPNd8et6GLt1mzo,44.pkg_resources/__init__.py,sha256=uAnPq8FsTXHAEHFWK7UU9AhdNjE4o5Skfk8CyfbztO8,108573.pkg_resources/_vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0.pkg_resources/_vendor/appdirs.py,sha256=MievUEuv3l_mQISH5SF0shDk_BNhHHzYiAPrT3ITN4I,24701.pkg_resources/_vendor/pyparsing.py,sha256=tmrp-lu-qO1i75ZzIN5A12nKRRD1Cm4Vpk-5LR9rims,232055.pkg_resources/_vendor/packaging/__about__.py,sha256=IIRHpOsJlJSgkjq1UoeBoMTqhvNp3gN9FyMb5Kf8El4,661.pkg_resources/_vendor/packaging/__init__.py,sha256=b9Kk5MF7KxhhLgcDmiUWukN-LatWFxPdNug0joPhHSk,497.pkg_resources/_vendor/packaging/_manylinux.py,sha256=XcbiXB-qcjv3bcohp6N98TMpOP4_j3m-iOA8ptK2GWY,11488.pkg_resources/_vendor/packaging/_musllinux.py,sha256=z5yeG1ygOPx4uUyLdqj-p8Dk5UBb5H_b0NIjW9yo8oA,4
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):92
          Entropy (8bit):4.820827594031884
          Encrypted:false
          SSDEEP:3:RtEeX7MWcSlViZHKRRP+tPCCfA5S:RtBMwlViojWBBf
          MD5:4D57030133E279CEB6A8236264823DFD
          SHA1:0FDC3988857C560E55D6C36DCC56EE21A51C196D
          SHA-256:1B5E87E00DC87A84269CEAD8578B9E6462928E18A95F1F3373C9EEF451A5BCC0
          SHA-512:CD98F2A416AC1B13BA82AF073D0819C0EA7C095079143CAB83037D48E9A5450D410DC5CF6B6CFF3F719544EDF1C5F0C7E32E87B746F1C04FE56FAFD614B39826
          Malicious:false
          Reputation:unknown
          Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.37.1).Root-Is-Purelib: true.Tag: py3-none-any..
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):2636
          Entropy (8bit):4.537672046416617
          Encrypted:false
          SSDEEP:24:+MsTUR572Ku3ky1QchLtoZ+kMySDZZdmRxmgidTFLaelXdcEcijVbxS9djdh2PhN:l9Zvy3g6ySDsm90rZh2Phv4hhpTqToq
          MD5:57379A87F47EA4C2646046CE29BCC753
          SHA1:E339BE8333DA128C7E1BCF193BD8D61D511DE75D
          SHA-256:C299E12EB6EDCA4E21675A820B0E3C7024B1A103F350B32122E685AAC07B1B14
          SHA-512:EDF64E3354C7C5E07461658894DCB82FECD71B9A1DAC7FAAD6BAB378C43111D4349FAE6DC7FCE87D0F50099E55CB835431F2364A988067A46EEEC8BB81ADA319
          Malicious:false
          Reputation:unknown
          Preview:[distutils.commands].alias = setuptools.command.alias:alias.bdist_egg = setuptools.command.bdist_egg:bdist_egg.bdist_rpm = setuptools.command.bdist_rpm:bdist_rpm.build_clib = setuptools.command.build_clib:build_clib.build_ext = setuptools.command.build_ext:build_ext.build_py = setuptools.command.build_py:build_py.develop = setuptools.command.develop:develop.dist_info = setuptools.command.dist_info:dist_info.easy_install = setuptools.command.easy_install:easy_install.egg_info = setuptools.command.egg_info:egg_info.install = setuptools.command.install:install.install_egg_info = setuptools.command.install_egg_info:install_egg_info.install_lib = setuptools.command.install_lib:install_lib.install_scripts = setuptools.command.install_scripts:install_scripts.rotate = setuptools.command.rotate:rotate.saveopts = setuptools.command.saveopts:saveopts.sdist = setuptools.command.sdist:sdist.setopt = setuptools.command.setopt:setopt.test = setuptools.command.test:test.upload_docs = setuptools.comman
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):41
          Entropy (8bit):3.9115956018096876
          Encrypted:false
          SSDEEP:3:3Wd+Nt8AfQYv:3Wd+Nttv
          MD5:789A691C859DEA4BB010D18728BAD148
          SHA1:AEF2CBCCC6A9A8F43E4E150E7FCF1D7B03F0E249
          SHA-256:77DC8BDFDBFF5BBAA62830D21FAB13E1B1348FF2ECD4CDCFD7AD4E1A076C9B88
          SHA-512:BC2F7CAAD486EB056CB9F68E6C040D448788C3210FF028397CD9AF1277D0051746CAE58EB172F9E73EA731A65B2076C6091C10BCB54D911A7B09767AA6279EF6
          Malicious:false
          Reputation:unknown
          Preview:_distutils_hack.pkg_resources.setuptools.
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):1123608
          Entropy (8bit):5.3853088605790385
          Encrypted:false
          SSDEEP:12288:6mwlRMmuZ63NTQCb5Pfhnzr0ql8L8kcM7IRG5eeme6VZyrIBHdQLhfFE+uQfk:ulRuUZV0m8UMMREtV6Vo4uYQfk
          MD5:81D62AD36CBDDB4E57A91018F3C0816E
          SHA1:FE4A4FC35DF240B50DB22B35824E4826059A807B
          SHA-256:1FB2D66C056F69E8BBDD8C6C910E72697874DAE680264F8FB4B4DF19AF98AA2E
          SHA-512:7D15D741378E671591356DFAAD4E1E03D3F5456CBDF87579B61D02A4A52AB9B6ECBFFAD3274CEDE8C876EA19EAEB8BA4372AD5986744D430A29F50B9CAFFB75D
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):5
          Entropy (8bit):1.9219280948873623
          Encrypted:false
          SSDEEP:3:Lvn:Lv
          MD5:00305BC1FB89E33403A168E6E3E2EC08
          SHA1:A39CA102F6B0E1129E63235BCB0AD802A5572195
          SHA-256:0B77BDB04E0461147A7C783C200BC11A6591886E59E2509F5D7F6CB7179D01AB
          SHA-512:DB43B091F60DE7F8C983F5FC4009DB89673215CCD20FD8B2CED4983365A74B36AC371E2E85397CAC915C021377E26F2C4290915EA96F9E522E341E512C0FC169
          Malicious:false
          Reputation:unknown
          Preview:pip..
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):1125
          Entropy (8bit):5.143411674177603
          Encrypted:false
          SSDEEP:24:UYWBarRONJHLH0cPP3gtkHw1h39QHOsUv4eOk4/+jvho3nPz:LtONJbbvE/NQHOs5eNS3n7
          MD5:9D66B41BC2A080E7174ACC5DFFECD752
          SHA1:53AA128E9D6387E9BB9D945FDCBF1AB4D003BAED
          SHA-256:CCA9E20C6AF1FCFBF69408F377769286CBEEBCDED336100C9B4A3F35FBE635E4
          SHA-512:12CBE04D36D2F0A856DA2001DC7D98D9E431DA37CCCF08F8AF20DD537F5AE7A19E1A7015C3A5542C0329EFBEC7E582751E4CEBCCB459C779BE804AA5B34D5E95
          Malicious:false
          Reputation:unknown
          Preview:"wheel" copyright (c) 2012-2014 Daniel Holth <dholth@fastmail.fm> and.contributors...The MIT License..Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR.OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRA
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:Unicode text, UTF-8 text
          Category:dropped
          Size (bytes):2328
          Entropy (8bit):5.1185004431709
          Encrypted:false
          SSDEEP:48:DE53Cnd+p8d+zztjaaxLiPktzCliwqrwOT8RfkD1UKd+mOl1Awr+:DE5yQPzztjaaxmPktW0lrfOfsUzmbY+
          MD5:DE7F3CDD29B458BD18463100490C8EFF
          SHA1:F6677870E4F8A9D914C13FCEF5DB1AF2A7BA5624
          SHA-256:62679B757C0F42517DF1DA7D57E0B2E01944F8CF9F14CF89F5C3D556F952522F
          SHA-512:584491196B7757B108FB6535B687E28B3C4BEB56162CC6DE4911C211B7A000B0AF2B7A26AFAB73422DA6876F568D4CCE23802D27C57CF7D6565BD02877B08A32
          Malicious:false
          Reputation:unknown
          Preview:Metadata-Version: 2.1.Name: wheel.Version: 0.37.1.Summary: A built-package format for Python.Home-page: https://github.com/pypa/wheel.Author: Daniel Holth.Author-email: dholth@fastmail.fm.Maintainer: Alex Gr.nholm.Maintainer-email: alex.gronholm@nextday.fi.License: MIT.Project-URL: Documentation, https://wheel.readthedocs.io/.Project-URL: Changelog, https://wheel.readthedocs.io/en/stable/news.html.Project-URL: Issue Tracker, https://github.com/pypa/wheel/issues.Keywords: wheel,packaging.Platform: UNKNOWN.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 2.Classifier: Programming Language :: Python :: 2.7.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3.5.Classifier: Programming Language :: Python ::
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:CSV text
          Category:dropped
          Size (bytes):2657
          Entropy (8bit):5.738906743733574
          Encrypted:false
          SSDEEP:48:/exuRklpzybyrvGy+myCqTQgYvH6MHIS8mvinJ3yGnJ3ykz1lQERayzYsoRLmlJi:mxVlkmrvZnyCqTQDvH6MHp8uiJCGJCkc
          MD5:92F640958CC843ABF1B37B511B6BD5AE
          SHA1:5248FD1AAE16910FE6FDF9914CB5FC5B24F0906F
          SHA-256:E2028F94F2C8579CB22A3260083CD34D5FD3CD590150F471EB8169BEED7152D5
          SHA-512:949991767039F1DB9851F222CD3FA16F0D812CC2BD885A389C78E2091C3B68E9292C4AA876172CC4C48E09F84947013DA6DC2589911A7D192F5748C6DDEF4F86
          Malicious:false
          Reputation:unknown
          Preview:wheel/__init__.py,sha256=yLOqsEZUPaM3VNKOMxQraLgCCyF8q3k10KY4C1Hi_Lo,23.wheel/__main__.py,sha256=lF-YLO4hdQmoWuh4eWZd8YL1U95RSdm76sNLBXa0vjE,417.wheel/bdist_wheel.py,sha256=2vfv3g_b8BvZ5Do9bpLEBdu9dQEcvoMQ1flXpKYFJDU,19075.wheel/macosx_libfile.py,sha256=Xvp-IrFyRJ9RThIrPxfEpVCDGfljJPWRTZiyopk70hI,15930.wheel/metadata.py,sha256=b3kPhZn2w2D9wengltX5nGIZQ3ERUOQ5U-K5vHKPdeg,4344.wheel/pkginfo.py,sha256=GR76kupQzn1x9sKDaXuE6B6FsZ4OkfRtG7pndlXPvQ4,1257.wheel/util.py,sha256=mnNZkJCi9DHLI_q4lTudoD0mW97h_AoAWl7prNPLXJc,938.wheel/wheelfile.py,sha256=NyH8VcFLvu7jUwH6r4KoL_U45OKFVpUyJ5Z7gRAI_Lc,7574.wheel/cli/__init__.py,sha256=GWSoGUpRabTf8bk3FsNTPrc5Fsr8YOv2dX55iY2W7eY,2572.wheel/cli/convert.py,sha256=7F4vj23A2OghDDWn9gX2V-_TeXMza1a5nIejmFGEUJM,9498.wheel/cli/pack.py,sha256=Bfq6KrHicZKrpbktkreeRxIaWwBozUP99JQy2D8-ddY,3364.wheel/cli/unpack.py,sha256=0VWzT7U_xyenTPwEVavxqvdee93GPvAFHnR3Uu91aRc,673.wheel/vendored/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0.wheel/vendored/packag
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):110
          Entropy (8bit):4.816968543485036
          Encrypted:false
          SSDEEP:3:RtEeX7MWcSlViZHKRRP+tPCCf7irO5S:RtBMwlViojWBBwt
          MD5:8CFA23CB3A9E0E9F30077848A14BE857
          SHA1:E5AC311BA9EEC5C0CCDDC091AC7C0D62A72ECF72
          SHA-256:CFD8F4C406BF26650A3299B3EF62B464600B48CFE7FB04159866E5797C765478
          SHA-512:039CB61C67F02B3B349102FA40FBB55FCA46D54007309FD08B2707E2CAC74FDDDBB39B18730704209DB4852BB9BB18078EF6A6A57ACF0F0BA4951D7A249521BD
          Malicious:false
          Reputation:unknown
          Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.37.1).Root-Is-Purelib: true.Tag: py2-none-any.Tag: py3-none-any..
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):108
          Entropy (8bit):4.342039869160156
          Encrypted:false
          SSDEEP:3:1SSAsVYgh+MWTMhk6WjwVM5t5ln:1rb9WTMhk9jSM5t5ln
          MD5:7AB099DD08D127FFF9A98B12A6B127E0
          SHA1:8454C246D5A924CC6A13F5BFA188468E00F4D179
          SHA-256:37C1DB605493DF2ACD418781DB05D60443D4845B04B4A3513DA0851893F2AB27
          SHA-512:866EAFE67528CE8B692F474E7883BF776644CD41D13220D9C7F9446F7E325104C2F4ABF9B08701E470423756511D452885DFA1B875D4661D3472BC2002C28492
          Malicious:false
          Reputation:unknown
          Preview:[console_scripts].wheel = wheel.cli:main..[distutils.commands].bdist_wheel = wheel.bdist_wheel:bdist_wheel..
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):6
          Entropy (8bit):2.2516291673878226
          Encrypted:false
          SSDEEP:3:/sv:/sv
          MD5:EF72659542687B41FB1A4225120F41FA
          SHA1:3EF6EE742B2E851DEA1F754CE60A1FC222194799
          SHA-256:1F148121B804B2D30F7B87856B0840EBA32AF90607328A5756802771F8DBFF57
          SHA-512:A16A6E11367C986B2A7B38C491943B28F402081D3E2D41474C9E61BE44941133E87CB821750AD27A1E46FA2AFF9F93B8584C37247BDE219ABAC12D3D6EE4477C
          Malicious:false
          Reputation:unknown
          Preview:wheel.
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):14848
          Entropy (8bit):5.112106937352672
          Encrypted:false
          SSDEEP:192:lGCm72PEO1jIUs0YqEcPbF55UgCWV4rofnbPmitE255qDLWn7ycLmrO/:8ardA0Bzx14r6nbN50W9/
          MD5:F9C9445BE13026F8DB777E2BBC26651D
          SHA1:E1D58C30E94B00B32AD1E9B806465643F4AFE980
          SHA-256:C953DB1F67BBD92114531FF44EE4D76492FDD3CF608DA57D5C04E4FE4FDD1B96
          SHA-512:587D9E8521C246865E16695E372A1675CFBC324E6258DD03479892D3238F634138EBB56985ED34E0C8C964C1AB75313182A4E687B598BB09C07FC143B506E9A8
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):133632
          Entropy (8bit):5.849731189887005
          Encrypted:false
          SSDEEP:3072:l2J5loMoEg9enX4oD8cdf0nlRVFhLaNKP/IyymuqCyqJhe:cblovEgqXHdfqlRVlP/IyzCyy
          MD5:00E5DA545C6A4979A6577F8F091E85E1
          SHA1:A31A2C85E272234584DACF36F405D102D9C43C05
          SHA-256:AC483D60A565CC9CBF91A6F37EA516B2162A45D255888D50FBBB7E5FF12086EE
          SHA-512:9E4F834F56007F84E8B4EC1C16FB916E68C3BAADAB1A3F6B82FAF5360C57697DC69BE86F3C2EA6E30F95E7C32413BABBE5D29422D559C99E6CF4242357A85F31
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):28672
          Entropy (8bit):5.557243649975138
          Encrypted:false
          SSDEEP:384:qwXwVM65Ix6Hey0a4SqSv/L/jhfWddbcQ857W5/hoOn0k/MwGCHRUyGa/:Fn6oDOb/jhfWddbcrwYOn0k/MwJYa
          MD5:98D246A539426C3A7A842D6CF286D46D
          SHA1:CEF7350297F7E1E2407C9125033DC972C3171122
          SHA-256:7461A15657C7516237B020357CCF6DE1D07B1C781149C0DA7892AEA0EA63A825
          SHA-512:F2FE96082C333210261A1247155373276A58A9E6128374A6FBA252D39CB78B286A30C48E05D2EB1E0B41653598BB114C0361BC55808FE091E8A13CDE0B59AC5F
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):73216
          Entropy (8bit):5.762045981366128
          Encrypted:false
          SSDEEP:1536:idrARomwyEvN7xM8v2uuYTtEJaLGDXYBFB8Dmz:qIomwySmm2uuYJEJaLGDXkFB8qz
          MD5:20CA43E99D008452833394B4AB4D9239
          SHA1:97E6DC871483540551CBF44B7727CE91ADCDA844
          SHA-256:28783A9111E539BD0EDBB97C9204C983E1D15DC7A0E7A6D4DE02DF1A3D5E3566
          SHA-512:273323375886835BC4E737984586BC31FFDCC185A3FA3CA1181CB65B2D6D1867E527B3226484ECD8DD902A02CF94B4AB8F7C88744235543ED83620206E65E7C0
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):143360
          Entropy (8bit):5.9314950978938334
          Encrypted:false
          SSDEEP:3072:XkXeNNnoGygqaE7Byk+YXR4Ei1HPUb1+JybQhzacKG6t6BU:XkX8Nugqz7Byk+QRVi1vUbc0bCacu
          MD5:D09207A5F23C943F911B5FC301BBE97A
          SHA1:735C69217D80E1986C681B4B74629E79A3C95934
          SHA-256:B1B0A1F9C8903E2EC65B9D6A4AC746E72090DB9A34F2A180B79769C9C5B15085
          SHA-512:68BE8558026EBCEECFC29D91F6E040E4DDE2EF4DED2D471CB547C081B4D947CDF15B77CD5CD6C3BAA37FD2C92A297D2A5CA7B2ED2D27B88B09BB521F61725B4A
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):93184
          Entropy (8bit):5.244759668592125
          Encrypted:false
          SSDEEP:1536:QJCZO2AJy8OCCyNNOYz0/bNFogGC6WEhj9BBP4f:QrtIpAmEhxBl4f
          MD5:4404218C4F6A61C338F332B2A9402C10
          SHA1:C48DDA2E4C2F06ED406F678131D485DB28294599
          SHA-256:E5002A894100FE9F43BACA194013702EBB8F8DF6A6909BE76D79E1C539E58FFD
          SHA-512:65E0F0DEE8F6A83951F8091FCF6CA62D559E125B8F0E9B306BF7F0A95EB59FC6CB42A95003E15AACC470DA10AF2CCCFC87518E6A4139FBBCEB117CB63594A75F
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):28160
          Entropy (8bit):5.501710845558622
          Encrypted:false
          SSDEEP:384:vvGJPNu6PrVo4r8MhY7jgzgCoASCwz8T8VBBr/kVyhPDmM/f:vv0/DpGXJC6VB5/LhKi
          MD5:43C630BE751F1B465DCD77E036797309
          SHA1:A10EE078EB475674BB7BCC349B5F4B283E763EB5
          SHA-256:DDE06EAA71699359C23D4C564AD25785FA933CE28DD117EBFB374D276537C6EC
          SHA-512:6FD2163860D7559C4D3E7E43EE5C462EC8B01FCFAEAC47ED4056CEA74C07E7D46863C5395D52A514D6844369AB7EA031186AAE54CEDFD636B94740A8BB276966
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):23552
          Entropy (8bit):5.279236779449316
          Encrypted:false
          SSDEEP:384:peeH8ZmV+zknwMsADuVLw0T8DmrRl2j9BfEAZnpC9QJQ1BA:5+zi/uVDS9dl6pB
          MD5:B291ADAB2446DA62F93369A0DD662076
          SHA1:A6B6C1054C1F511C64AEFB5F6C031AFE553E70F0
          SHA-256:C5AD56E205530780326BD1081E94B212C65082B58E0F69788E3DC60EFFBD6410
          SHA-512:847CC9E82B9939DBDC58BFA3E5A9899D614642E0B07CF1508AA866CD69E4AD8C905DBF810A045D225E6C364E1D9F2A45006F0EB0895BCD5AAF9D81EE344D4AEA
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):527872
          Entropy (8bit):6.165923585421349
          Encrypted:false
          SSDEEP:6144:bXtpsewPjUA2jGZ90SmgopJgUCBKw84O3Rpd0K1VS0cTZdxi2y3:bXtp5sIAN90pleK1VSXXi2g
          MD5:C2E1B245D4221BDA4C198CF18D9CA6AF
          SHA1:9682B6E966495F7B58255348563A86C63FBD488C
          SHA-256:89A8651DAD701DCE6B42B0E20C18B07DF6D08A341123659E05381EE796D23858
          SHA-512:C2F57E9303D37547671E40086DDAD4B1FC31C52D43994CFCEC974B259125E125C644873073F216F28066BB0C213CBEB1B9A3C149727C9F1BC50F198AC45A4C8A
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):11264
          Entropy (8bit):4.6989965032233245
          Encrypted:false
          SSDEEP:96:v9VD9daQ2iTrqT+y/ThvQ0I1uLfcC75JiC4Rs89EcYyGDPM0OcX6gY/7ECFV:39damqT3ThITst0E5DPKcqgY/79X
          MD5:56976443600793FF2302EE7634E496B3
          SHA1:018CE9250732A1794BBD0BDB8164061022B067AA
          SHA-256:10F461A94C3D616C19FF1A88DEC1EFEA5194F7150F5D490B38AC4E1B31F673DD
          SHA-512:A764C636D5D0B878B91DC61485E8699D7AA36F09AA1F0BD6AF33A8652098F28AEB3D7055008E56EBFC012BD3EA0868242A72E44DED0C83926F13D16866C31415
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):13824
          Entropy (8bit):5.047528837102683
          Encrypted:false
          SSDEEP:192:SF/1nb2eqCQtkluknuz4ceS4QDuEA7cqgYvEP:o2P6luLtn4QDHmgYvEP
          MD5:30F13366926DDC878B6D761BEC41879E
          SHA1:4B98075CCBF72A6CBF882B6C5CADEF8DC6EC91DB
          SHA-256:19D5F8081552A8AAFE901601D1FF5C054869308CEF92D03BCBE7BD2BB1291F23
          SHA-512:BDCEC85915AB6EC1D37C1D36B075AE2E69AA638B80CD08971D5FDFD9474B4D1CF442ABF8E93AA991F5A8DCF6DB9D79FB67A9FE7148581E6910D9C952A5E166B4
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):13312
          Entropy (8bit):5.0513840905718395
          Encrypted:false
          SSDEEP:192:7XF/1nb2eqCQtkXnFYIrWjz0YgWDbu5Do0vdvZt49lkVcqgYvEMN:L2P6XTr0zXgWDbui0vdvZt49MgYvEMN
          MD5:CDF7D583B5C0150455BD3DAD43A6BF9B
          SHA1:9EE9B033892BEB0E9641A67F456975A78122E4FA
          SHA-256:4CA725A1CB10672EE5666ED2B18E926CAAE1A8D8722C14AB3BE2D84BABF646F6
          SHA-512:96123559D21A61B144E2989F96F16786C4E94E5FA4DDA0C018EAA7FEFFA61DD6F0ADFA9815DF9D224CDEBE2E7849376D2A79D5A0F51A7F3327A2FAA0A444CE9C
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):12800
          Entropy (8bit):5.1050594710160535
          Encrypted:false
          SSDEEP:96:/PTF1siKeai1dqmJo0qVVLf/+NJSC6sc9kJ9oPobXXXP4IIYOxDmO8jcX6gRth2h:/LsiHfq5poUkJ97zIDmOucqgRvE
          MD5:7918BFE07DCB7AD21822DBAAA777566D
          SHA1:964F5B172759538C4E9E9131CE4BB39885D79842
          SHA-256:C00840D02ADA7031D294B1AB94A5F630C813AAE6897F18DD66C731F56931868E
          SHA-512:D4A05AB632D4F0EB0ED505D803F6A5C0DBE5117D12BA001CE820674903209F7249B690618555F9C061DB58BED1E03BE58AD5D5FE3BC35FC96DF27635639ABF25
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):36352
          Entropy (8bit):6.55587798283519
          Encrypted:false
          SSDEEP:384:Of+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuTLg4HPy:WqWB7YJlmLJ3oD/S4j990th9VTsC
          MD5:4B032DA3C65EA0CFBDEB8610C4298C51
          SHA1:541F9F8D428F4518F96D44BB1037BC348EAE54CF
          SHA-256:4AEF77E1359439748E6D3DB1ADB531CF86F4E1A8E437CCD06E8414E83CA28900
          SHA-512:2667BF25FD3BF81374750B43AFC5AEFF839EC1FF6DFC3FDD662F1D34A5924F69FC513EA3CD310991F85902A19ADA8B58DED9A9ED7B5D631563F62EA7F2624102
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):15872
          Entropy (8bit):5.2919328525651945
          Encrypted:false
          SSDEEP:192:oJBjJPqZkEPYinXKccxrEWx4xLquhS3WQ67EIfD4A1ccqgwYUMvEW:6URwin7mrEYCLEGd7/fDnwgwYUMvE
          MD5:57E4DF965E41B1F385B02F00EA08AE20
          SHA1:583B08C3FC312C8943FECDDD67D6D0A5FC2FF98B
          SHA-256:3F64DFFEC486DCF9A2E80CB9D96251B98F08795D5922D43FB69F0A5AC2340FC2
          SHA-512:48C3F78AF4E35BFEF3B0023A8039CF83E6B2E496845A11B7A2C2FA8BB62C7CCDE52158D4D37755584716220C34BBF379ECE7F8E3439B009AD099B1890B42A3D9
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):16384
          Entropy (8bit):5.565187477275172
          Encrypted:false
          SSDEEP:192:MeDd9Vk3yQ5f8vjVKChhXoJDkq6NS7oE2DDHlWw2XpmdcqgwNeecBU8:1k/5cj4shXED+o2Du8zgwNeO8
          MD5:F9C93FA6CA17FDF4FF2F13176684FD6C
          SHA1:6B6422B4CAF157147F7C0DD4B4BAB2374BE31502
          SHA-256:E9AEBB6F17BA05603E0763DFF1A91CE9D175C61C1C2E80F0881A0DEE8CFFBE3A
          SHA-512:09843E40E0D861A2DEE97320779C603550433BC9AB9402052EA284C6C74909E17CE0F6D3FDBA983F5EB6E120E2FE0C2B087420E138760BB0716D2999C10935C1
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):20992
          Entropy (8bit):6.058843128972375
          Encrypted:false
          SSDEEP:384:fHU/5cJMOZA0nmwBD+XpJgLa0Mp8Qhg4P2llyM:QK1XBD+DgLa1qTi
          MD5:E4969D864420FEB94F54CEF173D0AD4D
          SHA1:7F8FE4225BB6FD37F84EBCE8E64DF7192BA50FB6
          SHA-256:94D7D7B43E58170CAEA4520D7F741D743BC82B59BE50AA37D3D2FB7B8F1BB061
          SHA-512:F02F02A7DE647DDA723A344DBB043B75DA54D0783AE13E5D25EEC83072EA3B2375F672B710D6348D9FC829E30F8313FA44D5C28B4D65FDA8BB863700CAE994B7
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):25088
          Entropy (8bit):6.458942954966616
          Encrypted:false
          SSDEEP:384:xVcaHLHm+kJ7ZXmrfXA+UA10ol31tuXyZQ7gLWi:8aHrm+kJNXmrXA+NNxWi28LWi
          MD5:CD4B96612DEFDAAC5CF923A3960F15B6
          SHA1:3F987086C05A4246D8CCA9A65E42523440C7FFEC
          SHA-256:5C25283C95FFF9B0E81FCC76614626EB8048EA3B3FD1CD89FE7E2689130E0447
          SHA-512:C650860A3ECC852A25839FF1E379526157EB79D4F158B361C90077875B757F5E7A4AA33FFE5F4F49B28DF5D60E3471370889FBE3BF4D9568474ECE511FF5E67D
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):12288
          Entropy (8bit):4.833693880012467
          Encrypted:false
          SSDEEP:192:BF/1nb2eqCQtkrAUj8OxKbDbzecqgYvEkrK:t2P6EE8OsbD2gYvEmK
          MD5:0C46D7B7CD00B3D474417DE5D6229C41
          SHA1:825BDB1EA8BBFE7DE69487B76ABB36196B5FDAC0
          SHA-256:9D0A5C9813AD6BA129CAFEF815741636336EB9426AC4204DE7BC0471F7B006E1
          SHA-512:D81B17B100A052899D1FD4F8CEA1B1919F907DAA52F1BAD8DC8E3F5AFC230A5BCA465BBAC2E45960E7F8072E51FDD86C00416D06CF2A1F07DB5AD8A4E3930864
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):13824
          Entropy (8bit):4.900216636767426
          Encrypted:false
          SSDEEP:192:YTI1RgPfqLlvIOP3bdS2hkPUDk9oCM/vPXcqgzQkvEmO:YTvYgAdDkUDDCWpgzQkvE
          MD5:3142C93A6D9393F071AB489478E16B86
          SHA1:4FE99C817ED3BCC7708A6631F100862EBDA2B33D
          SHA-256:5EA310E0F85316C8981ED6293086A952FA91A6D12CA3F8AF9581521EE2B15586
          SHA-512:DCAFEC54BD9F9F42042E6FA4AC5ED53FEB6CF8D56ADA6A1787CAFC3736AA72F14912BBD1B27D0AF87E79A6D406B0326602ECD1AD394ACDC6275AED4C41CDB9EF
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):14848
          Entropy (8bit):5.302400096950382
          Encrypted:false
          SSDEEP:192:SJ1gSPqgKkwv0i8NSixSK57NEEE/qexcEtDr+DjRcqgUF6+6vEX:6E1si8NSixS0CqebtD+rgUUjvE
          MD5:A34F499EE5F1B69FC4FED692A5AFD3D6
          SHA1:6A37A35D4F5F772DAB18E1C2A51BE756DF16319A
          SHA-256:4F74BCF6CC81BAC37EA24CB1EF0B17F26B23EDB77F605531857EAA7B07D6C8B2
          SHA-512:301F7C31DEE8FF65BB11196F255122E47F3F1B6B592C86B6EC51AB7D9AC8926FECFBE274679AD4F383199378E47482B2DB707E09D73692BEE5E4EC79C244E3A8
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):57856
          Entropy (8bit):4.25844209931351
          Encrypted:false
          SSDEEP:384:1UqVT1dZ/lHkJnYcZiGKdZHDLtiduprZAZB0JAIg+v:nHlHfJid3X
          MD5:007BE822C3657687A84A7596531D79B7
          SHA1:B24F74FDC6FA04EB7C4D1CD7C757C8F1C08D4674
          SHA-256:6CF2B3969E44C88B34FB145166ACCCDE02B53B46949A9D5C37D83CA9C921B8C8
          SHA-512:F9A8B070302BDFE39D0CD8D3E779BB16C9278AE207F5FADF5B27E1A69C088EEF272BFBCE6B977BA37F68183C8BBEAC7A31668662178EFE4DF8940E19FBCD9909
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):58368
          Entropy (8bit):4.274890605099198
          Encrypted:false
          SSDEEP:384:4Uqho9weF5/dHkRnYcZiGKdZHDL7idErZBZYmGg:ECndH//iduz
          MD5:A883798D95F76DA8513DA6B87D470A2A
          SHA1:0507D920C1935CE71461CA1982CDB8077DDB3413
          SHA-256:AED194DD10B1B68493481E7E89F0B088EF216AB5DB81959A94D14BB134643BFB
          SHA-512:5C65221542B3849CDFBC719A54678BB414E71DE4320196D608E363EFF69F2448520E620B5AA8398592D5B58D7F7EC1CC4C72652AD621308C398D45F294D05C9B
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):10752
          Entropy (8bit):4.5811635662773185
          Encrypted:false
          SSDEEP:192:PzWVddiTHThQTctEEI4qXDc1CkcqgbW6:PzWMdsc+EuXDc0YgbW
          MD5:DEDAE3EFDA452BAB95F69CAE7AEBB409
          SHA1:520F3D02693D7013EA60D51A605212EFED9CA46B
          SHA-256:6248FDF98F949D87D52232DDF61FADA5EF02CD3E404BB222D7541A84A3B07B8A
          SHA-512:8C1CAB8F34DE2623A42F0750F182B6B9A7E2AFFA2667912B3660AF620C7D9AD3BD5B46867B3C2D50C0CAE2A1BC03D03E20E4020B7BA0F313B6A599726F022C6C
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):22016
          Entropy (8bit):6.1405490084747445
          Encrypted:false
          SSDEEP:384:WMU/5cRUtPMbNv37t6KjjNrDF6pJgLa0Mp8Qg0gYP2lcCM:WdKR8EbxwKflDFQgLa1AzP
          MD5:914EA1707EBA03E4BE45D3662BF2466E
          SHA1:3E110C9DBFE1D17E1B4BE69052E65C93DDC0BF26
          SHA-256:4D4F22633D5DB0AF58EE260B5233D48B54A6F531FFD58EE98A5305E37A00D376
          SHA-512:F6E6323655B351E5B7157231E04C352A488B0B49D7174855FC8594F119C87A26D31C602B3307C587A28AD408C2909A93B8BA8CB41166D0113BD5C6710C4162C3
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):17920
          Entropy (8bit):5.350740516564008
          Encrypted:false
          SSDEEP:384:GPHdP3Mj7Be/yB/MsB3yRcb+IqcOYoQViCBD88g6Vf4A:APcnB8KEsB3ocb+pcOYLMCBDu
          MD5:52E481A15C3CE1B0DF8BA3B1B77DF9D0
          SHA1:C1F06E1E956DFDE0F89C2E237ADFE42075AAE954
          SHA-256:C85A6783557D96BFA6E49FE2F6EA4D2450CF110DA314C6B8DCEDD7590046879B
          SHA-512:108FB1344347F0BC27B4D02D3F4E75A76E44DE26EF54323CB2737604DF8860A94FA37121623A627937F452B3B923C3D9671B13102D2E5F1005E4766E80A05A96
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):12288
          Entropy (8bit):4.737329240938157
          Encrypted:false
          SSDEEP:192:BF/1nb2eqCQtkgU7L9D0T70fcqgYvEJPb:t2P6L9DWAxgYvEJj
          MD5:A13584F663393F382C6D8D5C0023BC80
          SHA1:D324D5FBD7A5DBA27AA9B0BDB5C2AEBFF17B55B1
          SHA-256:13C34A25D10C42C6A12D214B2D027E5DC4AE7253B83F21FD70A091FEDAC1E049
          SHA-512:14E4A6F2959BD68F441AA02A4E374740B1657AB1308783A34D588717F637611724BC90A73C80FC6B47BC48DAFB15CF2399DC7020515848F51072F29E4A8B4451
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):14848
          Entropy (8bit):5.2072665819239585
          Encrypted:false
          SSDEEP:192:iF/1nb2eqCQtkhlgJ2ycxFzShJD9CAac2QDeJKcqgQx2XY:Y2PKr+2j8JDefJagQx2XY
          MD5:104B480CB83BFF78101CF6940588D570
          SHA1:6FC56B9CF380B508B01CAB342FCC939494D1F595
          SHA-256:BA4F23BBDD1167B5724C04DB116A1305C687001FAC43304CD5119C44C3BA6588
          SHA-512:60617865C67115AD070BD6462B346B89B69F834CAF2BFE0EF315FB4296B833E095CD03F3F4D6D9499245C5DA8785F2FBE1AC7427049BD48428EBF74529229040
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):14336
          Entropy (8bit):5.177411248432731
          Encrypted:false
          SSDEEP:192:mF/1nb2eqCQt7fSxp/CJPvADQZntxSOvbcqgEvcM+:c2PNKxZWPIDexVlgEvL
          MD5:06D3E941860BB0ABEDF1BAF1385D9445
          SHA1:E8C16C3E8956BA99A2D0DE860DCFC5021F1D7DE5
          SHA-256:1C340D2625DAD4F07B88BB04A81D5002AABF429561C92399B0EB8F6A72432325
          SHA-512:6F62ACFF39B77C1EC9F161A9BFA94F8E3B932D56E63DAEE0093C041543993B13422E12E29C8231D88BC85C0573AD9077C56AA7F7A307E27F269DA17FBA8EE5A3
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):14336
          Entropy (8bit):5.137579183601755
          Encrypted:false
          SSDEEP:192:5siHfq5po0ZUp8XnUp8XjEQnlDtW26rcqgcx2:nqDZUp8XUp8AclDN69gcx2
          MD5:F938A89AEC5F535AF25BD92221BBC141
          SHA1:384E1E92EBF1A6BBE068AB1493A26B50EFE43A7E
          SHA-256:774A39E65CC2D122F8D4EB314CED60848AFFF964FB5AD2627E32CB10EF28A6D0
          SHA-512:ED0506B9EBCEC26868F484464F9CC38E28F8056D6E55C536ECD2FD98F58F29F2D1CE96C5E574876A9AA6FD22D3756A49BC3EB464A7845CB3F28A1F3D1C98B4D7
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):13824
          Entropy (8bit):5.158343521612926
          Encrypted:false
          SSDEEP:192:jsiHfq5pwUivkwXap8T0NchH73s47iDJxj2wcqgfvE:9qbi8wap8T0Ncp7n7iDbFgfvE
          MD5:173EED515A1ADDD1DA0179DD2621F137
          SHA1:D02F5E6EDA9FF08ABB4E88C8202BAD7DB926258F
          SHA-256:9D9574A71EB0DE0D14570B5EDA06C15C17CC2E989A20D1E8A4821CB813290D5F
          SHA-512:8926FBB78A00FD4DC67670670035D9E601AF27CDBE003DC45AD809E8DA1042DDECB997F44ED104BEC13391C8048051B0AAD0C10FDEEDFB7F858BA177E92FDC54
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):15360
          Entropy (8bit):5.469810464531962
          Encrypted:false
          SSDEEP:192:RZ9WfqP7M93g8UdsoS1hhiBvzcuiDSjeoGmDZNbRBP0rcqgjPrvE:sA0gHdzS1MwuiDSyoGmD/r89gjPrvE
          MD5:39B06A1707FF5FDC5B3170EB744D596D
          SHA1:37307B2826607EA8D5029293990EB1476AD6CC42
          SHA-256:2E8BB88D768890B6B68D5B6BB86820766ADA22B82F99F31C659F4C11DEF211A1
          SHA-512:98C3C45EB8089800EDF99ACEA0810820099BFD6D2C805B80E35D9239626CB67C7599F1D93D2A14D2F3847D435EAA065BF56DF726606BB5E8A96E527E1420633D
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):13824
          Entropy (8bit):5.137646874307781
          Encrypted:false
          SSDEEP:192:QF/1nb2eqCQtZl9k9VEmosHcBZTHGF31trDbu8oiZmtwcqgk+9TI:q2PXlG9VDos8BZA33rDbuNgk0gk+9U
          MD5:1DFC771325DD625DE5A72E0949D90E5F
          SHA1:8E1F39AAFD403EDA1E5CD39D5496B9FAA3387B52
          SHA-256:13F9ADBBD60D7D80ACEE80D8FFB461D7665C5744F8FF917D06893AA6A4E25E3A
          SHA-512:B678FB4AD6DF5F8465A80BFB9A2B0433CF6CFAD4C6A69EEBF951F3C4018FD09CB7F38B752BE5AB55C4BE6C88722F70521D22CBCBBB47F8C46DDB0B1ACBFD7D7E
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):17920
          Entropy (8bit):5.687377356938656
          Encrypted:false
          SSDEEP:384:bPHdP3MjeQTh+QAZUUw8lMF6D+1tgj+kf4:xPcKQT3iw8lfDUej+
          MD5:9D15862569E033C5AA702F9E4041C928
          SHA1:11376E8CB76AD2D9A7D48D11F4A74FB12B78BCF6
          SHA-256:8970DF77D2F73350360DBE68F937E0523689FF3D7C0BE95EB7CA5820701F1493
          SHA-512:322F0F4947C9D5D2800DEEBFD198EABE730D44209C1B61BB9FD0F7F9ED5F719AE49F8397F7920BDB368BB386A598E9B215502DC46FBE72F9340876CF40AFFC8A
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):21504
          Entropy (8bit):5.9200472722347675
          Encrypted:false
          SSDEEP:384:pljwGpJpvrp/LTaqvYHp5RYcARQOj4MSTjqgPmJDcOwwgjxo:Ljw4JbZYtswvqDc51j
          MD5:7398EFD589FBE4FEFADE15B52632CD5C
          SHA1:5EA575056718D3EC9F57D3CFF4DF87D77D410A4B
          SHA-256:F1970DB1DA66EFB4CD8E065C40C888EED795685FF4E5A6FA58CA56A840FE5B80
          SHA-512:C26F6FF693782C84460535EBCD35F23AA3C95FB8C0C8A608FB9A849B0EFD735EF45125397549C61248AE06BD068554D2DE05F9A3BA64F363438EDB92DA59481B
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):21504
          Entropy (8bit):5.922439979230845
          Encrypted:false
          SSDEEP:384:jljwGpJpvrp/LtaqvYHp5RYcARQOj4MSTjqgPmJDcbegjxo:hjw4JVZYtswvqDcb7j
          MD5:352F56E35D58ABE96D6F5DBBD40D1FEA
          SHA1:5F0C9596B84B8A54D855441C6253303D0C81AA1B
          SHA-256:44EED167431151E53A8F119466036F1D60773DDEB8350AF972C82B3789D5D397
          SHA-512:CB4862B62ABB780656F1A06DADD3F80AEA453E226C38EFAE4318812928A7B0B6A3A8A86FCC43F65354B84FC07C7235FF384B75C2244553052E00DC85699D422A
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):26624
          Entropy (8bit):5.879121462749493
          Encrypted:false
          SSDEEP:768:pDLZ9BjjBui0gel9soFdkO66MlPGXmXcnRDbRj:VBfu/FZ6nPxMRDtj
          MD5:3C47F387A68629C11C871514962342C1
          SHA1:EA3E508A8FB2D3816C80CD54CDD9C8254809DB00
          SHA-256:EA8A361B060EB648C987ECAF453AE25034DBEA3D760DC0805B705AC9AA1C7DD9
          SHA-512:5C824E4C0E2AB13923DC8330D920DCD890A9B33331D97996BC1C3B73973DF7324FFFB6E940FA5AA92D6B23A0E6971532F3DB4BF899A9DF33CC0DD6CB1AC959DD
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):26624
          Entropy (8bit):5.937696428849242
          Encrypted:false
          SSDEEP:768:VYL59Ugjaui0gel9soFdkO66MlPGXmXcXVDuSFAj:60xu/FZ6nPxMlD7Kj
          MD5:2F44F1B760EE24C89C13D9E8A06EA124
          SHA1:CF8E16D8324A7823B11474211BD7B95ADB321448
          SHA-256:7C7B6F59DD250BD0F8CBC5AF5BB2DB9F9E1A2A56BE6442464576CD578F0B2AE0
          SHA-512:2AACB2BB6A9EBA89549BF864DDA56A71F3B3FFEDB8F2B7EF3FC552AB3D42BC4B832F5FA0BA87C59F0F899EA9716872198680275A70F3C973D44CA7711DB44A14
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):12800
          Entropy (8bit):5.027823764756571
          Encrypted:false
          SSDEEP:192:/RF/1nb2eqCQtkbsAT2fixSrdYDt8ymjcqgQvEW:/d2P6bsK4H+DVwgQvEW
          MD5:64604EE3AEBEE62168F837A41BA61DB1
          SHA1:4D3FF7AC183BC28B89117240ED1F6D7A7D10AEF1
          SHA-256:20C3CC2F50B51397ACDCD461EE24F0326982F2DC0E0A1A71F0FBB2CF973BBEB2
          SHA-512:D03EEFF438AFB57E8B921CE080772DF485644DED1074F3D0AC12D3EBB1D6916BD6282E0E971408E89127FF1DAD1D0CB1D214D7B549D686193068DEA137A250CE
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):13312
          Entropy (8bit):5.020783935465456
          Encrypted:false
          SSDEEP:192:+F/1nb2eqCQtks0iiNqdF4mtPjD0ZA5LPYcqgYvEL2x:02P6fFA/4GjDXcgYvEL2x
          MD5:E0EEDBAE588EE4EA1B3B3A59D2ED715A
          SHA1:4629B04E585899A7DCB4298138891A98C7F93D0B
          SHA-256:F507859F15A1E06A0F21E2A7B060D78491A9219A6A499472AA84176797F9DB02
          SHA-512:9FD82784C7E06F00257D387F96E732CE4A4BD065F9EC5B023265396D58051BECC2D129ABDE24D05276D5CD8447B7DED394A02C7B71035CED27CBF094ED82547D
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):15872
          Entropy (8bit):5.2616188776014665
          Encrypted:false
          SSDEEP:384:JP2T9FRjRskTdf4YBU7YP5yUYDE1give:qHlRl57IC8UYDEG
          MD5:1708C4D1B28C303DA19480AF3C6D04FF
          SHA1:BAC78207EFAA6D838A8684117E76FB871BD423D5
          SHA-256:C90FB9F28AD4E7DEED774597B12AA7785F01DC4458076BE514930BF7AB0D15EC
          SHA-512:2A174C1CB712E8B394CBEE20C33974AA277E09631701C80864B8935680F8A4570FD040EA6F59AD71631D421183B329B85C749F0977AEB9DE339DFABE7C23762E
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):15360
          Entropy (8bit):5.130670522779765
          Encrypted:false
          SSDEEP:192:nZNGfqDgvUh43G6coX2SSwmPL4V7wTdDl41Y2cqgWjvE:CFMhuGGF2L4STdDcYWgWjvE
          MD5:E08355F3952A748BADCA2DC2E82AA926
          SHA1:F24828A3EEFB15A2550D872B5E485E2254C11B48
          SHA-256:47C664CB7F738B4791C7D4C21A463E09E9C1AAAE2348E63FB2D13FC3E6E573EB
          SHA-512:E7F48A140AFEF5D6F64A4A27D95E25A8D78963BB1F9175B0232D4198D811F6178648280635499C562F398613E0B46D237F7DB74A39B52003D6C8768B80EC6FB6
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):34816
          Entropy (8bit):5.935249615462395
          Encrypted:false
          SSDEEP:768:gb+5F2hqrxS7yZAEfYcwcSPxpMgLp/GQNSpcVaGZ:gb+5Qwc7OAEfYcwJxpMgFJh
          MD5:DB56C985DBC562A60325D5D68D2E5C5B
          SHA1:854684CF126A10DE3B1C94FA6BCC018277275452
          SHA-256:089585F5322ADF572B938D34892C2B4C9F29B62F21A5CF90F481F1B6752BC59F
          SHA-512:274D9E4A200CAF6F60AC43F33AADF29C6853CC1A7E04DF7C8CA3E24A6243351E53F1E5D0207F23B34319DFC8EEE0D48B2821457B8F11B6D6A0DBA1AE820ACE43
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):12288
          Entropy (8bit):4.799861986912974
          Encrypted:false
          SSDEEP:192:YTIekCffqPSTMeAk4OeR64ADpki6RcqgO5vE:YTNZMcPeR64ADh63gO5vE
          MD5:6229A84562A9B1FBB0C3CF891813AADD
          SHA1:4FAFB8AF76A7F858418AA18B812FEACADFA87B45
          SHA-256:149027958A821CBC2F0EC8A0384D56908761CC544914CED491989B2AD9D5A4DC
          SHA-512:599C33F81B77D094E97944BB0A93DA68D2CCB31E6871CE5679179FB6B9B2CE36A9F838617AC7308F131F8424559C5D1A44631E75D0847F3CC63AB7BB57FE1871
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):754176
          Entropy (8bit):7.628627007698131
          Encrypted:false
          SSDEEP:12288:31ETHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h+b:lETHoxJFf1p34hcrn5Go9yQO6g
          MD5:BBB83671232E0BE361E812369A463E03
          SHA1:A37DAEC475AB230E14897077D17E20B7A5112B8D
          SHA-256:873A3E3E945421917BA780D95C78ECCB92D4E143227987D6812BC9F9E4653BE0
          SHA-512:BF6718DE5235F6A7C348A1E2F325FEE59C74356D4722DFA99DA36A2BE1E6386C544EEC09190E2EBBA58B7C6B4157D00409C59F29AE2CC7BC13CBC301B8592586
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):27648
          Entropy (8bit):5.799740467345125
          Encrypted:false
          SSDEEP:384:PvRwir5rOF2MZz1n0/kyTMIl9bhgIW0mvBaeoSzra2pftjGQDdsC0MgkbQ0e1r:PJLtg2MTeM+9dmvBaeoCtaQDekf
          MD5:7F2C691DEB4FF86F2F3B19F26C55115C
          SHA1:63A9D6FA3B149825EA691F5E9FDF81EEC98224AA
          SHA-256:BF9224037CAE862FE220094B6D690BC1992C19A79F7267172C90CBED0198582E
          SHA-512:3A51F43BF628E44736859781F7CFF0E0A6081CE7E5BDE2F82B3CDB52D75D0E3DFAE92FC2D5F7D003D0B313F6835DBA2E393A0A8436F9409D92E20B65D3AED7E2
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):67072
          Entropy (8bit):6.060804942512998
          Encrypted:false
          SSDEEP:1536:HqvnErJyGoqQXZKfp23mXKUULBeCFTUCqHF+PELb7MSAEfnctefBd5:HqvnErJyGoqQXZKfp2ayLsCFTUCqHEP4
          MD5:AF46798028AB3ED0E56889DFB593999B
          SHA1:D4D7B39A473E69774771B2292FDBF43097CE6015
          SHA-256:FD4F1F6306950276A362D2B3D46EDBB38FEABA017EDCA3CD3A2304340EC8DD6C
          SHA-512:58A80AFEEAC16D7C35F8063D03A1F71CA6D74F200742CAE4ADB3094CF4B3F2CD1A6B3F30A664BD75AB0AF85802D935B90DD9A1C29BFEA1B837C8C800261C6265
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):10752
          Entropy (8bit):4.488129745837651
          Encrypted:false
          SSDEEP:96:kfuF7pVVdJvbrqTuy/Th/Y0IluLfcC75JiC4cs89EfqADQhDsAbcX6gn/7EC:TF/VddiTHThQTctdErDQDsicqgn/7
          MD5:F4B7324A8F7908C3655BE4C75EAC36E7
          SHA1:11A30562A85A444F580213417483BE8D4D9264AD
          SHA-256:5397E3F5762D15DCD84271F49FC52983ED8F2717B258C7EF370B24977A5D374B
          SHA-512:66CA15A9BAD39DD4BE7921A28112A034FFE9CD11F91093318845C269E263804AB22A4AF262182D1C6DAC8741D517362C1D595D9F79C2F729216738C3DD79D7C2
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):10240
          Entropy (8bit):4.733990521299615
          Encrypted:false
          SSDEEP:192:PzVVddiTHThQTctEEaEDKDnMRWJcqgbW6:PzTMdsc+EaEDKDnCWvgbW
          MD5:3D566506052018F0556ADF9D499D4336
          SHA1:C3112FF145FACF47AF56B6C8DCA67DAE36E614A2
          SHA-256:B5899A53BC9D3112B3423C362A7F6278736418A297BF86D32FF3BE6A58D2DEEC
          SHA-512:0AC6A1FC0379F5C3C80D5C88C34957DFDB656E4BF1F10A9FA715AAD33873994835D1DE131FC55CD8B0DEBDA2997993E978700890308341873B8684C4CD59A411
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):10240
          Entropy (8bit):4.689063511060661
          Encrypted:false
          SSDEEP:96:P/ryZVVdJvbrqTuy/Th/Y0IluLfcC75JiCKs89EMz3DIWMot4BcX6gbW6O:PzQVddiTHThQTctEEO3DSoKcqgbW6
          MD5:FAE081B2C91072288C1C8BF66AD1ABA5
          SHA1:CD23DDB83057D5B056CA2B3AB49C8A51538247DE
          SHA-256:AF76A5B10678F477069ADD6E0428E48461FB634D9F35FB518F9F6A10415E12D6
          SHA-512:0ADB0B1088CB6C8F089CB9BF7AEC9EEEB1717CF6CF44B61FB0B053761FA70201AB3F7A6461AAAE1BC438D689E4F8B33375D31B78F1972AA5A4BF86AFAD66D3A4
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
          Category:dropped
          Size (bytes):5653424
          Entropy (8bit):6.729277267882055
          Encrypted:false
          SSDEEP:49152:EuEsNcEc8/CK4b11P5ViH8gw0+NVQD5stWIlE7lva8iposS9j5fzSQzs7ID+AVuS:EnL8+5fiEnQFLOAkGkzdnEVomFHKnPS
          MD5:03A161718F1D5E41897236D48C91AE3C
          SHA1:32B10EB46BAFB9F81A402CB7EFF4767418956BD4
          SHA-256:E06C4BD078F4690AA8874A3DEB38E802B2A16CCB602A7EDC2E077E98C05B5807
          SHA-512:7ABCC90E845B43D264EE18C9565C7D0CBB383BFD72B9CEBB198BA60C4A46F56DA5480DA51C90FF82957AD4C84A4799FA3EB0CEDFFAA6195F1315B3FF3DA1BE47
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):1142272
          Entropy (8bit):6.040548449175261
          Encrypted:false
          SSDEEP:12288:cLokSyhffpJSf6VJtHUR2L2mVSvya6Lx15IQnpKTlYcf9WBo:cLok/pXJdUzOSMx15dcTlYiK
          MD5:B505E88EB8995C2EC46129FB4B389E6C
          SHA1:CBFA8650730CBF6C07F5ED37B0744D983ABFE50A
          SHA-256:BE7918B4F7E7DE53674894A4B8CFADCACB4726CEA39B7DB477A6C70231C41790
          SHA-512:6A51B746D0FBC03F57FF28BE08F7E894AD2E9F2A2F3B61D88EAE22E7491CF35AE299CDB3261E85E4867F41D8FDA012AF5BD1EB8E1498F1A81ADC4354ADACDAAB
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
          Category:dropped
          Size (bytes):98224
          Entropy (8bit):6.452201564717313
          Encrypted:false
          SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
          MD5:F34EB034AA4A9735218686590CBA2E8B
          SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
          SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
          SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
          Category:dropped
          Size (bytes):37256
          Entropy (8bit):6.297533243519742
          Encrypted:false
          SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
          MD5:135359D350F72AD4BF716B764D39E749
          SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
          SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
          SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):65304
          Entropy (8bit):6.192082137044192
          Encrypted:false
          SSDEEP:1536:owmuopcJpmVwR40axzEfRILOnMv7SySmPxe:owmu4/mR40axzEfRILOnw3xe
          MD5:33D0B6DE555DDBBBD5CA229BFA91C329
          SHA1:03034826675AC93267CE0BF0EAEC9C8499E3FE17
          SHA-256:A9A99A2B847E46C0EFCE7FCFEFD27F4BCE58BAF9207277C17BFFD09EF4D274E5
          SHA-512:DBBD1DDFA445E22A0170A628387FCF3CB95E6F8B09465D76595555C4A67DA4274974BA7B348C4C81FE71C68D735C13AACB8063D3A964A8A0556FB000D68686B7
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):83736
          Entropy (8bit):6.595094797707322
          Encrypted:false
          SSDEEP:1536:hXOz78ZqjUyAsIi7W/5+D8W35mjZm35ILCVM7SyfYPxe:pOzwpyAFi7WMgW34jZm35ILCVMZoxe
          MD5:86D1B2A9070CD7D52124126A357FF067
          SHA1:18E30446FE51CED706F62C3544A8C8FDC08DE503
          SHA-256:62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
          SHA-512:7DB4B7E0C518A02AE901F4B24E3860122ACC67E38E73F98F993FE99EB20BB3AA539DB1ED40E63D6021861B54F34A5F5A364907FFD7DA182ADEA68BBDD5C2B535
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):97280
          Entropy (8bit):5.863582949096841
          Encrypted:false
          SSDEEP:1536:DkpD/iwe/wv2yuaXLGq8AFrx/5SuGfQuTpyTPryTt3EO3O5Hk+FNniLfwy:63SLu8BTpEyTt0OyHniLfw
          MD5:D24F4FE64C38018AE7FC9661C67739F6
          SHA1:E7B2ECCCCA76C2B27A4A6BBCC97F435435977FE4
          SHA-256:CF69E5FD60CE55AB42DDF01D27305F2C4EDBBA63D3DADADF04380B6A4A9C07EF
          SHA-512:80C7C79ECAC160350C545D81AAAED8D73C53F43EC61238F0CFCD51CF0EF1A81C40A986ED3D3BFF7726EDA50238871B0C786D77162B13E8F37F74BCA580892191
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):181248
          Entropy (8bit):6.188683787528254
          Encrypted:false
          SSDEEP:3072:rZ1fKD8GVLHASq0TTjfQxnkVB0hcspEsHS7iiSTLkKetJb9Pu:rZNRGVb9TTCnaZsuMXiSTLLeD9
          MD5:EBB660902937073EC9695CE08900B13D
          SHA1:881537ACEAD160E63FE6BA8F2316A2FBBB5CB311
          SHA-256:52E5A0C3CA9B0D4FC67243BD8492F5C305FF1653E8D956A2A3D9D36AF0A3E4FD
          SHA-512:19D5000EF6E473D2F533603AFE8D50891F81422C59AE03BEAD580412EC756723DC3379310E20CD0C39E9683CE7C5204791012E1B6B73996EA5CB59E8D371DE24
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):123672
          Entropy (8bit):6.047035801914277
          Encrypted:false
          SSDEEP:3072:0OEESRiaiH6lU1vxqfrId0sx3gVILLPykxA:hj+I1vAfrIRx3gN
          MD5:1635A0C5A72DF5AE64072CBB0065AEBE
          SHA1:C975865208B3369E71E3464BBCC87B65718B2B1F
          SHA-256:1EA3DD3DF393FA9B27BF6595BE4AC859064CD8EF9908A12378A6021BBA1CB177
          SHA-512:6E34346EA8A0AACC29CCD480035DA66E280830A7F3D220FD2F12D4CFA3E1C03955D58C0B95C2674AEA698A36A1B674325D3588483505874C2CE018135320FF99
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):254744
          Entropy (8bit):6.564308911485739
          Encrypted:false
          SSDEEP:6144:3LT2sto29vTlN5cdIKdo4/3VaV8FlBa9qWMa3pLW1A/T8O51j4iab9M:H2s/9vTlPcdk4vVtFU98iIu
          MD5:20C77203DDF9FF2FF96D6D11DEA2EDCF
          SHA1:0D660B8D1161E72C993C6E2AB0292A409F6379A5
          SHA-256:9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
          SHA-512:2B24346ECE2CBD1E9472A0E70768A8B4A5D2C12B3D83934F22EBDC9392D9023DCB44D2322ADA9EDBE2EB0E2C01B5742D2A83FA57CA23054080909EC6EB7CF3CA
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):64792
          Entropy (8bit):6.223467179037751
          Encrypted:false
          SSDEEP:1536:/smKJPganCspF1dqZAC2QjP2RILOIld7SyEPxDF:/smKpgNoF1dqZDnjP2RILOIv2xB
          MD5:D4674750C732F0DB4C4DD6A83A9124FE
          SHA1:FD8D76817ABC847BB8359A7C268ACADA9D26BFD5
          SHA-256:CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
          SHA-512:97D57CFB80DD9DD822F2F30F836E13A52F771EE8485BC0FD29236882970F6BFBDFAAC3F2E333BBA5C25C20255E8C0F5AD82D8BC8A6B6E2F7A07EA94A9149C81E
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):158488
          Entropy (8bit):6.8491143497239655
          Encrypted:false
          SSDEEP:3072:j0k3SXjD9aWpAn3rb7SbuDlvNgS4fWqEznfo9mNoFTSlXZ8Ax5ILZ1GIxq:j0kiXjD9v8X7Euk4wYOFTafxn
          MD5:7447EFD8D71E8A1929BE0FAC722B42DC
          SHA1:6080C1B84C2DCBF03DCC2D95306615FF5FCE49A6
          SHA-256:60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
          SHA-512:C6295D45ED6C4F7534C1A38D47DDC55FEA8B9F62BBDC0743E4D22E8AD0484984F8AB077B73E683D0A92D11BF6588A1AE395456CFA57DA94BB2A6C4A1B07984DE
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):44824
          Entropy (8bit):6.25910509143267
          Encrypted:false
          SSDEEP:768:6tZrHlbhCeruhfPxoUAIZdeoLuM3uJYVewp2m25SyG5ILCGSF5YiSyvkzLPxWElw:6PbtNruhfpuiVD2LSyG5ILCGSL7Sy83u
          MD5:8B07A1F0A073E33A990BAB943CF2F22C
          SHA1:D4FBED8732FDFE25FEC37F1152BBCAF3E0FB2D9B
          SHA-256:C26236A23EA4B99C19F9F9BB30CAE26BC5FF66D0FDD7FD65726A0BCB667CB160
          SHA-512:690A6F9EC6636DF89A43513554BE0BF4821DF8ECB60A578ADA8E0A6112846CD6BAFEF9449F85EF95BCDF91B3D3E0631F3413FC0EED14546F94FF42762270B7FE
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):34584
          Entropy (8bit):6.41423936733334
          Encrypted:false
          SSDEEP:768:eZt56pxGyC572edLMILWt3u5YiSyvCVPxWElj:eL5PyC572edLMILWt3E7SyqPx3
          MD5:A9A0588711147E01EED59BE23C7944A9
          SHA1:122494F75E8BB083DDB6545740C4FAE1F83970C9
          SHA-256:7581EDEA33C1DB0A49B8361E51E6291688601640E57D75909FB2007B2104FA4C
          SHA-512:6B580F5C53000DB5954DEB5B2400C14CB07F5F8BBCFC069B58C2481719A0F22F0D40854CA640EF8425C498FBAE98C9DE156B5CC04B168577F0DA0C6B13846A88
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):49944
          Entropy (8bit):6.381980613434177
          Encrypted:false
          SSDEEP:768:8AM30ie6tyw0lTnj1TulWXaSV2cFVNILXtP5YiSyvWPxWElh7:8AM3hacSV2UNILXth7SyuPxd7
          MD5:FDF8663B99959031780583CCE98E10F5
          SHA1:6C0BAFC48646841A91625D74D6B7D1D53656944D
          SHA-256:2EBBB0583259528A5178DD37439A64AFFCB1AB28CF323C6DC36A8C30362AA992
          SHA-512:A5371D6F6055B92AC119A3E3B52B21E2D17604E5A5AC241C008EC60D1DB70B3CE4507D82A3C7CE580ED2EB7D83BB718F4EDC2943D10CB1D377FA006F4D0026B6
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):31512
          Entropy (8bit):6.563116725717513
          Encrypted:false
          SSDEEP:768:bxrUGCpa6rIxdK/rAwVILQU85YiSyvz5PxWEaAc:trUZIzYrAwVILQUG7SydPxDc
          MD5:D8C1B81BBC125B6AD1F48A172181336E
          SHA1:3FF1D8DCEC04CE16E97E12263B9233FBF982340C
          SHA-256:925F05255F4AAE0997DC4EC94D900FD15950FD840685D5B8AA755427C7422B14
          SHA-512:CCC9F0D3ACA66729832F26BE12F8E7021834BBEE1F4A45DA9451B1AA5C2E63126C0031D223AF57CF71FAD2C85860782A56D78D8339B35720194DF139076E0772
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):79128
          Entropy (8bit):6.284790077237953
          Encrypted:false
          SSDEEP:1536:ZmtvsXhgzrojAs9/s+S+pGLypbyxk/DDTBVILLwX7SyiPx9:c56OzyAs9/sT+pGLypb+k/XFVILLwX4f
          MD5:819166054FEC07EFCD1062F13C2147EE
          SHA1:93868EBCD6E013FDA9CD96D8065A1D70A66A2A26
          SHA-256:E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
          SHA-512:DA3A440C94CB99B8AF7D2BC8F8F0631AE9C112BD04BADF200EDBF7EA0C48D012843B4A9FB9F1E6D3A9674FD3D4EB6F0FA78FD1121FAD1F01F3B981028538B666
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):160536
          Entropy (8bit):6.027748879187965
          Encrypted:false
          SSDEEP:3072:OwYiZ+PtocHnVXhLlasuvMETxoEBA+nbUtGnBSonJCNI5ILC7Gax1:FYk+PtocHVxx/uvPCEwhGJ
          MD5:7910FB2AF40E81BEE211182CFFEC0A06
          SHA1:251482ED44840B3C75426DD8E3280059D2CA06C6
          SHA-256:D2A7999E234E33828888AD455BAA6AB101D90323579ABC1095B8C42F0F723B6F
          SHA-512:BFE6506FEB27A592FE9CF1DB7D567D0D07F148EF1A2C969F1E4F7F29740C6BB8CCF946131E65FE5AA8EDE371686C272B0860BD4C0C223195AAA1A44F59301B27
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):25368
          Entropy (8bit):6.613762885337037
          Encrypted:false
          SSDEEP:384:KYnvEaNKFDyuiBXK55ILZw59HQIYiSy1pCQNuPxh8E9VF0Ny8cIh:FTNK4uyXK55ILZwD5YiSyvEPxWEalh
          MD5:B68C98113C8E7E83AF56BA98FF3AC84A
          SHA1:448938564559570B269E05E745D9C52ECDA37154
          SHA-256:990586F2A2BA00D48B59BDD03D3C223B8E9FB7D7FAB6D414BAC2833EB1241CA2
          SHA-512:33C69199CBA8E58E235B96684346E748A17CC7F03FC068CFA8A7EC7B5F9F6FA90D90B5CDB43285ABF8B4108E71098D4E87FB0D06B28E2132357964B3EEA3A4F8
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:Zip archive data, at least v2.0 to extract, compression method=store
          Category:dropped
          Size (bytes):880569
          Entropy (8bit):5.682997344315044
          Encrypted:false
          SSDEEP:12288:lgYJu4KXWyBC6S4IEZjA4a2Ya2xdOVwx/fpEh+rtSLMN5:lgYJiVB3La2xTVwx/fpEh++MN5
          MD5:DCC69176BEA901A300A95298BD53E274
          SHA1:8A8227E3C6791393254DA3244630161064B36A30
          SHA-256:E1B4724D2A99B6E74B2DE4264302848BB1499DB777A7A76DE347720D0DC040D0
          SHA-512:CDF24D139E1240C5E97B702C28551EAF8E853625C4D5D99DEB8E087EDC776977F1DE3EBD27B41F97512A223CDAA28DE0D718AC36C2110C5A00809E911522A93A
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):290282
          Entropy (8bit):6.048183244201235
          Encrypted:false
          SSDEEP:6144:QW1H/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5Np:QWN/TRJLWURrI55MWavdF0L
          MD5:302B49C5F476C0AE35571430BB2E4AA0
          SHA1:35A7837A3F1B960807BF46B1C95EC22792262846
          SHA-256:CF9D37FA81407AFE11DCC0D70FE602561422AA2344708C324E4504DB8C6C5748
          SHA-512:1345AF52984B570B1FF223032575FEB36CDFB4F38E75E0BD3B998BC46E9C646F7AC5C583D23A70460219299B9C04875EF672BF5A0D614618731DF9B7A5637D0A
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):10752
          Entropy (8bit):4.675182011095312
          Encrypted:false
          SSDEEP:96:FL8Khp72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFaiHrmHcX6g8cim1qeSC:Zj2HzzU2bRYoe4Hmcqgvimoe
          MD5:F33CA57D413E6B5313272FA54DBC8BAA
          SHA1:4E0CABE7D38FE8D649A0A497ED18D4D1CA5F4C44
          SHA-256:9B3D70922DCFAEB02812AFA9030A40433B9D2B58BCF088781F9AB68A74D20664
          SHA-512:F17C06F4202B6EDBB66660D68FF938D4F75B411F9FAB48636C3575E42ABAAB6464D66CB57BCE7F84E8E2B5755B6EF757A820A50C13DD5F85FAA63CD553D3FF32
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):120320
          Entropy (8bit):5.879886869577473
          Encrypted:false
          SSDEEP:3072:YKBCiXU2SBEUemE+OaOb3OEOz0fEDrF9pQKhN:YJZ2zOfdQKX
          MD5:494F5B9ADC1CFB7FDB919C9B1AF346E1
          SHA1:4A5FDDD47812D19948585390F76D5435C4220E6B
          SHA-256:AD9BCC0DE6815516DFDE91BB2E477F8FB5F099D7F5511D0F54B50FA77B721051
          SHA-512:2C0D68DA196075EA30D97B5FD853C673E28949DF2B6BF005AE72FD8B60A0C036F18103C5DE662CAC63BAAEF740B65B4ED2394FCD2E6DA4DFCFBEEF5B64DAB794
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):4
          Entropy (8bit):1.5
          Encrypted:false
          SSDEEP:3:Mn:M
          MD5:365C9BFEB7D89244F2CE01C1DE44CB85
          SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
          SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
          SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
          Malicious:false
          Reputation:unknown
          Preview:pip.
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):197
          Entropy (8bit):4.61968998873571
          Encrypted:false
          SSDEEP:3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
          MD5:8C3617DB4FB6FAE01F1D253AB91511E4
          SHA1:E442040C26CD76D1B946822CAF29011A51F75D6D
          SHA-256:3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
          SHA-512:77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
          Malicious:false
          Reputation:unknown
          Preview:This software is made available under the terms of *either* of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of *both* these licenses..
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):11360
          Entropy (8bit):4.426756947907149
          Encrypted:false
          SSDEEP:192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
          MD5:4E168CCE331E5C827D4C2B68A6200E1B
          SHA1:DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
          SHA-256:AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
          SHA-512:F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
          Malicious:false
          Reputation:unknown
          Preview:. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):1532
          Entropy (8bit):5.058591167088024
          Encrypted:false
          SSDEEP:24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
          MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
          SHA1:EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
          SHA-256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
          SHA-512:DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
          Malicious:false
          Reputation:unknown
          Preview:Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):5292
          Entropy (8bit):5.115440205505611
          Encrypted:false
          SSDEEP:96:DxapqZink/QIHQIyzQIZQILuQIR8vtklGovxNx6sWwCvCCcTKvIrrg9BMM6VwDjz:sJnkoBs/sqLz8cTKvIrrUiM6VwDjyeWs
          MD5:137D13F917D94C83137A0FA5AE12B467
          SHA1:01E93402C225BF2A4EE59F9A06F8062CB5E4801E
          SHA-256:36738E6971D2F20DB78433185A0EF7912A48544AA6FF7006505A7DC785158859
          SHA-512:1B22CBC6E22FA5E2BD5CC4A370443A342D00E7DD53330A4000E9A680DE80262BCA7188764E3568944D01025188291602AC8C53C971630984FBD9FA7D75AAB124
          Malicious:false
          Reputation:unknown
          Preview:Metadata-Version: 2.1..Name: cryptography..Version: 41.0.7..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:CSV text
          Category:dropped
          Size (bytes):15334
          Entropy (8bit):5.555125785454221
          Encrypted:false
          SSDEEP:384:3X6eU/ZfaigPOSJN5E6W1HepPNx6uvnNLEw:3RUxfzOPtREw
          MD5:4ED1DF753C330417D290331FD1E18219
          SHA1:556BED31DCDFA36166B45D8BCBB04C0D3B66C745
          SHA-256:F71F64A0875F365A8C6CA53BC96CFB428C5102F98029459BA2091958802DCFD9
          SHA-512:6984EF6D5DFC1062E6AB655E7B0C0A8AB916F1A3D88D8FA7FAD799E2792A2CB06C5C78C2292CCDB983CB6F68BA92B9F6453996B060CFDE7EE9C293FCE5F4D698
          Malicious:false
          Reputation:unknown
          Preview:cryptography-41.0.7.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-41.0.7.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-41.0.7.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-41.0.7.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-41.0.7.dist-info/METADATA,sha256=NnOOaXHS8g23hDMYWg73kSpIVEqm_3AGUFp9x4UViFk,5292..cryptography-41.0.7.dist-info/RECORD,,..cryptography-41.0.7.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-41.0.7.dist-info/WHEEL,sha256=-EX5DQzNGQEoyL99Q-0P0-D-CXbfqafenaAeiSQ_Ufk,100..cryptography-41.0.7.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=uPXMbbcptt7EzZ_jllGRx0pVdMn-NBsAM4L74hOv-b0,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/_
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):100
          Entropy (8bit):5.0203365408149025
          Encrypted:false
          SSDEEP:3:RtEeX7MWcSlVlbY3KgP+tkKc/SKQLn:RtBMwlVCxWKxDQLn
          MD5:4B432A99682DE414B29A683A3546B69F
          SHA1:F59C5016889EE5E9F62D09B22AEFBC2211A56C93
          SHA-256:F845F90D0CCD190128C8BF7D43ED0FD3E0FE0976DFA9A7DE9DA01E89243F51F9
          SHA-512:CBBF10E19B6F4072C416EA95D7AE259B9C5A1B89068B7B6660B7C637D6F2437AEA8D8202A2E26A0BEC36DAECD8BBB6B59016FC2DDEB13C545F0868B3E15479CA
          Malicious:false
          Reputation:unknown
          Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp37-abi3-win_amd64..
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):13
          Entropy (8bit):3.2389012566026314
          Encrypted:false
          SSDEEP:3:cOv:Nv
          MD5:E7274BD06FF93210298E7117D11EA631
          SHA1:7132C9EC1FD99924D658CC672F3AFE98AFEFAB8A
          SHA-256:28D693F929F62B8BB135A11B7BA9987439F7A960CC969E32F8CB567C1EF79C97
          SHA-512:AA6021C4E60A6382630BEBC1E16944F9B312359D645FC61219E9A3F19D876FD600E07DCA6932DCD7A1E15BFDEAC7DBDCEB9FFFCD5CA0E5377B82268ED19DE225
          Malicious:false
          Reputation:unknown
          Preview:cryptography.
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):6673920
          Entropy (8bit):6.582002531606852
          Encrypted:false
          SSDEEP:98304:EzN+T+xtLlk0PPMAiGoTzeDy3x8lGBlWi9Nk:E5Y6Jk0PPMtfTzp3x8c
          MD5:486085AAC7BB246A173CEEA0879230AF
          SHA1:EF1095843B2A9C6D8285C7D9E8E334A9CE812FAE
          SHA-256:C3964FC08E4CA8BC193F131DEF6CC4B4724B18073AA0E12FED8B87C2E627DC83
          SHA-512:8A56774A08DA0AB9DD561D21FEBEEBC23A5DEA6F63D5638EA1B608CD923B857DF1F096262865E6EBD56B13EFD3BBA8D714FFDCE8316293229974532C49136460
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):100352
          Entropy (8bit):5.934692072315603
          Encrypted:false
          SSDEEP:3072:sEujSbDUbXE+Fw+Rt4PQyUN2exeYNTlI:xH8XZFwwtx8EI
          MD5:D9152F1CC7198047C19968B405F18CB7
          SHA1:BE2F3C405454624AA5010EFD15314CA5182D6B88
          SHA-256:E356DF68E5442CEA92CDBB52E5BFF09F11D082AB8067E20B3FDFCBF7199AB071
          SHA-512:E8D951EEA4C2158E661BB7B9FB4B3E5192B56E7E34FEB906F2F1A426D3390EF92FC89F4037E75E51890E31F2AB7CDED4D244D19C96AB0534EB6257F00F442DAA
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):3450648
          Entropy (8bit):6.098075450035195
          Encrypted:false
          SSDEEP:98304:YP+uemAdn67xfxw6rKsK1CPwDv3uFfJz1CmiX:OZemAYxfxw6HK1CPwDv3uFfJzUmA
          MD5:9D7A0C99256C50AFD5B0560BA2548930
          SHA1:76BD9F13597A46F5283AA35C30B53C21976D0824
          SHA-256:9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939
          SHA-512:CB39AA99B9D98C735FDACF1C5ED68A4D09D11F30262B91F6AA48C3F8520EFF95E499400D0CE7E280CA7A90FF6D7141D2D893EF0B33A8803A1CADB28BA9A9E3E2
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):32792
          Entropy (8bit):6.3566777719925565
          Encrypted:false
          SSDEEP:384:2nypDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYIoBneEAR8:2l0Vn5Q28J8qsqMttktDxOpWDG4yKRF
          MD5:EEF7981412BE8EA459064D3090F4B3AA
          SHA1:C60DA4830CE27AFC234B3C3014C583F7F0A5A925
          SHA-256:F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
          SHA-512:DC9FF4202F74A13CA9949A123DFF4C0223DA969F49E9348FEAF93DA4470F7BE82CFA1D392566EAAA836D77DDE7193FED15A8395509F72A0E9F97C66C0A096016
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):704792
          Entropy (8bit):5.5573527806738126
          Encrypted:false
          SSDEEP:12288:WhO7/rNKmrouK/POt6h+7ToRLgo479dQwwLOpWW/dQ0TGqwfU2lvz2:2is/POtrzbLp5dQ0TGqcU2lvz2
          MD5:BEC0F86F9DA765E2A02C9237259A7898
          SHA1:3CAA604C3FFF88E71F489977E4293A488FB5671C
          SHA-256:D74CE01319AE6F54483A19375524AA39D9F5FD91F06CF7DF238CA25E043130FD
          SHA-512:FFBC4E5FFDB49704E7AA6D74533E5AF76BBE5DB297713D8E59BD296143FE5F145FBB616B343EED3C48ECEACCCCC2431630470D8975A4A17C37EAFCC12EDD19F4
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):67072
          Entropy (8bit):5.90551713971002
          Encrypted:false
          SSDEEP:1536:ZhseNxkc7Xva0Y420G1UD+dS4gBeLmRy:Z1kcbi0Y42bUD+dS4oeiRy
          MD5:01F9D30DD889A3519E3CA93FE6EFEE70
          SHA1:EBF55ADBD8CD938C4C11D076203A3E54D995AEFF
          SHA-256:A66444A08A8B9CEAFA05DAEFEB32AA1E65C8009A3C480599F648FA52A20AFB7D
          SHA-512:76FED302D62BB38A39E0BF6C9038730E83B6AFFFA2F36E7A62B85770D4847EA6C688098061945509A1FDB799FB7F5C88699F94E7DA1934F88A9C3B6A433EE9EF
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):198936
          Entropy (8bit):6.372446720663998
          Encrypted:false
          SSDEEP:3072:13BAJzkk5dT6F62eqf2A3zVnjIHdAPKReewMP12yGUfT0+SYyWgOmrpjAxvwnVIq:FQg4dT6N5OA3zVnjNed4yGKTKR/
          MD5:1118C1329F82CE9072D908CBD87E197C
          SHA1:C59382178FE695C2C5576DCA47C96B6DE4BBCFFD
          SHA-256:4A2D59993BCE76790C6D923AF81BF404F8E2CB73552E320113663B14CF78748C
          SHA-512:29F1B74E96A95B0B777EF00448DA8BD0844E2F1D8248788A284EC868AE098C774A694D234A00BD991B2D22C2372C34F762CDBD9EC523234861E39C0CA752DCAA
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):66328
          Entropy (8bit):6.162953246481027
          Encrypted:false
          SSDEEP:768:t68LeBLeeFtp5V1BfO2yvSk70QZF1nEyjnskQkr/RFB1qucwdBeCw0myou6ZwJqn:t6wewnvtjnsfwxVILL0S7SyuPxHO
          MD5:FD4A39E7C1F7F07CF635145A2AF0DC3A
          SHA1:05292BA14ACC978BB195818499A294028AB644BD
          SHA-256:DC909EB798A23BA8EE9F8E3F307D97755BC0D2DC0CB342CEDAE81FBBAD32A8A9
          SHA-512:37D3218BC767C44E8197555D3FA18D5AAD43A536CFE24AC17BF8A3084FB70BD4763CCFD16D2DF405538B657F720871E0CD312DFEB7F592F3AAC34D9D00D5A643
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):4458776
          Entropy (8bit):6.460390021076921
          Encrypted:false
          SSDEEP:49152:myrXfGIy+Bqk5c5Ad2nwZT3Q6wsV136cR2DZvbK30xLNZcAgVBvcpYcvl1IDWbH3:Uw5tVBlicWdvoDkHUMF7Ph/qe
          MD5:63A1FA9259A35EAEAC04174CECB90048
          SHA1:0DC0C91BCD6F69B80DCDD7E4020365DD7853885A
          SHA-256:14B06796F288BC6599E458FB23A944AB0C843E9868058F02A91D4606533505ED
          SHA-512:896CAA053F48B1E4102E0F41A7D13D932A746EEA69A894AE564EF5A84EF50890514DECA6496E915AAE40A500955220DBC1B1016FE0B8BCDDE0AD81B2917DEA8B
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):669184
          Entropy (8bit):6.03765159448253
          Encrypted:false
          SSDEEP:6144:zxxMpraRSS9Y68EuBPjIQN5cJzS7bUxgyPxFMH0PIXY3dVVVVAuLpdorrcK/CXjW:zxxMZMX1bQIJO7bazPEQSYNBLpdwNu
          MD5:65DD753F51CD492211986E7B700983EF
          SHA1:F5B469EC29A4BE76BC479B2219202F7D25A261E2
          SHA-256:C3B33BA6C4F646151AED4172562309D9F44A83858DDFD84B2D894A8B7DA72B1E
          SHA-512:8BD505E504110E40FA4973FEFF2FAE17EDC310A1CE1DC78B6AF7972EFDD93348087E6F16296BFD57ABFDBBE49AF769178F063BB0AA1DEE661C08659F47A6216D
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):134656
          Entropy (8bit):5.992653928086484
          Encrypted:false
          SSDEEP:3072:DLVxziezwPZSMaAXpuuwNNDY/r06trfSsSYOejKVJBtGdI8hvnMu:HfziezwMMaAX2Y/rxjbOejKDBtG681n
          MD5:CEB06A956B276CEA73098D145FA64712
          SHA1:6F0BA21F0325ACC7CF6BF9F099D9A86470A786BF
          SHA-256:C8EC6429D243AEF1F78969863BE23D59273FA6303760A173AB36AB71D5676005
          SHA-512:05BAB4A293E4C7EFA85FA2491C32F299AFD46FDB079DCB7EE2CC4C31024E01286DAAF4AEAD5082FC1FD0D4169B2D1BE589D1670FCF875B06C6F15F634E0C6F34
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):29976
          Entropy (8bit):6.627859470728624
          Encrypted:false
          SSDEEP:768:gUC2hwhVHqOmEVILQG35YiSyvrYPxWEl6:FC2ehVKOmEVILQGp7SyEPxe
          MD5:A653F35D05D2F6DEBC5D34DADDD3DFA1
          SHA1:1A2CEEC28EA44388F412420425665C3781AF2435
          SHA-256:DB85F2F94D4994283E1055057372594538AE11020389D966E45607413851D9E9
          SHA-512:5AEDE99C3BE25B1A962261B183AE7A7FB92CB0CB866065DC9CD7BB5FF6F41CC8813D2CC9DE54670A27B3AD07A33B833EAA95A5B46DAD7763CA97DFA0C1CE54C9
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):5
          Entropy (8bit):1.9219280948873623
          Encrypted:false
          SSDEEP:3:Lvn:Lv
          MD5:00305BC1FB89E33403A168E6E3E2EC08
          SHA1:A39CA102F6B0E1129E63235BCB0AD802A5572195
          SHA-256:0B77BDB04E0461147A7C783C200BC11A6591886E59E2509F5D7F6CB7179D01AB
          SHA-512:DB43B091F60DE7F8C983F5FC4009DB89673215CCD20FD8B2CED4983365A74B36AC371E2E85397CAC915C021377E26F2C4290915EA96F9E522E341E512C0FC169
          Malicious:false
          Reputation:unknown
          Preview:pip..
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):1050
          Entropy (8bit):5.072538194763298
          Encrypted:false
          SSDEEP:24:1rmJHcwH0MP3gt8Hw1hj9QHOsUv4eOk4/+/m3oqMSFJ:1aJ8YHvEH5QHOs5exm3oEFJ
          MD5:7A7126E068206290F3FE9F8D6C713EA6
          SHA1:8E6689D37F82D5617B7F7F7232C94024D41066D1
          SHA-256:DB3F0246B1F9278F15845B99FEC478B8B506EB76487993722F8C6E254285FAF8
          SHA-512:C9F0870BC5D5EFF8769D9919E6D8DDE1B773543634F7D03503A9E8F191BD4ACC00A97E0399E173785D1B65318BAC79F41D3974AE6855E5C432AC5DACF8D13E8A
          Malicious:false
          Reputation:unknown
          Preview:Copyright Jason R. Coombs..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to.deal in the Software without restriction, including without limitation the.rights to use, copy, modify, merge, publish, distribute, sublicense, and/or.sell copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING.FROM, OUT OF OR IN CONNECTION WITH THE SOFTW
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):5131
          Entropy (8bit):5.122995579924766
          Encrypted:false
          SSDEEP:96:DpwYyJX4a113or1uCDIG0wMHodIDbVWKWddpnzYDiHNlP37POX7FwTtPMk:a4rMYIG0wMHodIDbAd/n7AFwTJ
          MD5:FFCB84AF49AB52C4FDD312F814E14B0D
          SHA1:89C9D3D82455A1BD5EB8B938DD3E5FCBFB1D36B0
          SHA-256:75CDE8A60801D637767D85E414FBBB80B222AA2774199A8B419E197BC245109A
          SHA-512:83219D0BF52253309AF3D5F9BF37474C765DF94A5D363ADFDCAE956D88B795D477237107321AAD90BBCF79D438200672C9354B44E4D4D2FD630FBC4AEF248972
          Malicious:false
          Reputation:unknown
          Preview:Metadata-Version: 2.1.Name: setuptools.Version: 60.2.0.Summary: Easily download, build, install, upgrade, and uninstall Python packages.Home-page: https://github.com/pypa/setuptools.Author: Python Packaging Authority.Author-email: distutils-sig@python.org.License: UNKNOWN.Project-URL: Documentation, https://setuptools.pypa.io/.Keywords: CPAN PyPI distutils eggs package management.Platform: UNKNOWN.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Topic :: Software Development :: Libraries :: Python Modules.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: Topic :: System :: Systems Administration.Classifier: Topic :: Utilities.Requires-Python: >=3.7.License-File: LICENSE.Provides-Extra: certs.Provides-Extra: docs.Requires-Dist: sphinx ; extra == 'docs'.Requ
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:CSV text
          Category:dropped
          Size (bytes):21957
          Entropy (8bit):5.622802101148321
          Encrypted:false
          SSDEEP:384:L46dEofm3e5I9cbmBBdJJa1uy/MqhHH7TPmT2ILwg:LTcY190qhHbT9q5
          MD5:B42FD355E6FFFC68D43E12963C0F7D47
          SHA1:81E5A1AA111B414DC8BCD642E21363BC17D4538D
          SHA-256:1FA525F06E0C9DD86266758AC257D53AA42A4944D07ACA85CBFC5970A0030BB3
          SHA-512:19A2AA1C5F1660AC920953F760D8BBA084725727A9E0D2A78659995AF677481C8349765DFE8539C2E0BC1418EC008C5BA89D005CCB9A3602ADF9629A5862D900
          Malicious:false
          Reputation:unknown
          Preview:distutils-precedence.pth,sha256=JjjOniUA5XKl4N5_rtZmHrVp0baW_LoHsN0iPaX10iQ,151._distutils_hack/__init__.py,sha256=YA_zRyutXEbuZDipUW6EQoLC6PuUbvYsGyBg-aL-PCs,4741._distutils_hack/override.py,sha256=Eu_s-NF6VIZ4Cqd0tbbA5wtWky2IZPNd8et6GLt1mzo,44.pkg_resources/__init__.py,sha256=uAnPq8FsTXHAEHFWK7UU9AhdNjE4o5Skfk8CyfbztO8,108573.pkg_resources/_vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0.pkg_resources/_vendor/appdirs.py,sha256=MievUEuv3l_mQISH5SF0shDk_BNhHHzYiAPrT3ITN4I,24701.pkg_resources/_vendor/pyparsing.py,sha256=tmrp-lu-qO1i75ZzIN5A12nKRRD1Cm4Vpk-5LR9rims,232055.pkg_resources/_vendor/packaging/__about__.py,sha256=IIRHpOsJlJSgkjq1UoeBoMTqhvNp3gN9FyMb5Kf8El4,661.pkg_resources/_vendor/packaging/__init__.py,sha256=b9Kk5MF7KxhhLgcDmiUWukN-LatWFxPdNug0joPhHSk,497.pkg_resources/_vendor/packaging/_manylinux.py,sha256=XcbiXB-qcjv3bcohp6N98TMpOP4_j3m-iOA8ptK2GWY,11488.pkg_resources/_vendor/packaging/_musllinux.py,sha256=z5yeG1ygOPx4uUyLdqj-p8Dk5UBb5H_b0NIjW9yo8oA,4
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):92
          Entropy (8bit):4.820827594031884
          Encrypted:false
          SSDEEP:3:RtEeX7MWcSlViZHKRRP+tPCCfA5S:RtBMwlViojWBBf
          MD5:4D57030133E279CEB6A8236264823DFD
          SHA1:0FDC3988857C560E55D6C36DCC56EE21A51C196D
          SHA-256:1B5E87E00DC87A84269CEAD8578B9E6462928E18A95F1F3373C9EEF451A5BCC0
          SHA-512:CD98F2A416AC1B13BA82AF073D0819C0EA7C095079143CAB83037D48E9A5450D410DC5CF6B6CFF3F719544EDF1C5F0C7E32E87B746F1C04FE56FAFD614B39826
          Malicious:false
          Reputation:unknown
          Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.37.1).Root-Is-Purelib: true.Tag: py3-none-any..
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):2636
          Entropy (8bit):4.537672046416617
          Encrypted:false
          SSDEEP:24:+MsTUR572Ku3ky1QchLtoZ+kMySDZZdmRxmgidTFLaelXdcEcijVbxS9djdh2PhN:l9Zvy3g6ySDsm90rZh2Phv4hhpTqToq
          MD5:57379A87F47EA4C2646046CE29BCC753
          SHA1:E339BE8333DA128C7E1BCF193BD8D61D511DE75D
          SHA-256:C299E12EB6EDCA4E21675A820B0E3C7024B1A103F350B32122E685AAC07B1B14
          SHA-512:EDF64E3354C7C5E07461658894DCB82FECD71B9A1DAC7FAAD6BAB378C43111D4349FAE6DC7FCE87D0F50099E55CB835431F2364A988067A46EEEC8BB81ADA319
          Malicious:false
          Reputation:unknown
          Preview:[distutils.commands].alias = setuptools.command.alias:alias.bdist_egg = setuptools.command.bdist_egg:bdist_egg.bdist_rpm = setuptools.command.bdist_rpm:bdist_rpm.build_clib = setuptools.command.build_clib:build_clib.build_ext = setuptools.command.build_ext:build_ext.build_py = setuptools.command.build_py:build_py.develop = setuptools.command.develop:develop.dist_info = setuptools.command.dist_info:dist_info.easy_install = setuptools.command.easy_install:easy_install.egg_info = setuptools.command.egg_info:egg_info.install = setuptools.command.install:install.install_egg_info = setuptools.command.install_egg_info:install_egg_info.install_lib = setuptools.command.install_lib:install_lib.install_scripts = setuptools.command.install_scripts:install_scripts.rotate = setuptools.command.rotate:rotate.saveopts = setuptools.command.saveopts:saveopts.sdist = setuptools.command.sdist:sdist.setopt = setuptools.command.setopt:setopt.test = setuptools.command.test:test.upload_docs = setuptools.comman
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):41
          Entropy (8bit):3.9115956018096876
          Encrypted:false
          SSDEEP:3:3Wd+Nt8AfQYv:3Wd+Nttv
          MD5:789A691C859DEA4BB010D18728BAD148
          SHA1:AEF2CBCCC6A9A8F43E4E150E7FCF1D7B03F0E249
          SHA-256:77DC8BDFDBFF5BBAA62830D21FAB13E1B1348FF2ECD4CDCFD7AD4E1A076C9B88
          SHA-512:BC2F7CAAD486EB056CB9F68E6C040D448788C3210FF028397CD9AF1277D0051746CAE58EB172F9E73EA731A65B2076C6091C10BCB54D911A7B09767AA6279EF6
          Malicious:false
          Reputation:unknown
          Preview:_distutils_hack.pkg_resources.setuptools.
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):1123608
          Entropy (8bit):5.3853088605790385
          Encrypted:false
          SSDEEP:12288:6mwlRMmuZ63NTQCb5Pfhnzr0ql8L8kcM7IRG5eeme6VZyrIBHdQLhfFE+uQfk:ulRuUZV0m8UMMREtV6Vo4uYQfk
          MD5:81D62AD36CBDDB4E57A91018F3C0816E
          SHA1:FE4A4FC35DF240B50DB22B35824E4826059A807B
          SHA-256:1FB2D66C056F69E8BBDD8C6C910E72697874DAE680264F8FB4B4DF19AF98AA2E
          SHA-512:7D15D741378E671591356DFAAD4E1E03D3F5456CBDF87579B61D02A4A52AB9B6ECBFFAD3274CEDE8C876EA19EAEB8BA4372AD5986744D430A29F50B9CAFFB75D
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):5
          Entropy (8bit):1.9219280948873623
          Encrypted:false
          SSDEEP:3:Lvn:Lv
          MD5:00305BC1FB89E33403A168E6E3E2EC08
          SHA1:A39CA102F6B0E1129E63235BCB0AD802A5572195
          SHA-256:0B77BDB04E0461147A7C783C200BC11A6591886E59E2509F5D7F6CB7179D01AB
          SHA-512:DB43B091F60DE7F8C983F5FC4009DB89673215CCD20FD8B2CED4983365A74B36AC371E2E85397CAC915C021377E26F2C4290915EA96F9E522E341E512C0FC169
          Malicious:false
          Reputation:unknown
          Preview:pip..
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):1125
          Entropy (8bit):5.143411674177603
          Encrypted:false
          SSDEEP:24:UYWBarRONJHLH0cPP3gtkHw1h39QHOsUv4eOk4/+jvho3nPz:LtONJbbvE/NQHOs5eNS3n7
          MD5:9D66B41BC2A080E7174ACC5DFFECD752
          SHA1:53AA128E9D6387E9BB9D945FDCBF1AB4D003BAED
          SHA-256:CCA9E20C6AF1FCFBF69408F377769286CBEEBCDED336100C9B4A3F35FBE635E4
          SHA-512:12CBE04D36D2F0A856DA2001DC7D98D9E431DA37CCCF08F8AF20DD537F5AE7A19E1A7015C3A5542C0329EFBEC7E582751E4CEBCCB459C779BE804AA5B34D5E95
          Malicious:false
          Reputation:unknown
          Preview:"wheel" copyright (c) 2012-2014 Daniel Holth <dholth@fastmail.fm> and.contributors...The MIT License..Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR.OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRA
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:Unicode text, UTF-8 text
          Category:dropped
          Size (bytes):2328
          Entropy (8bit):5.1185004431709
          Encrypted:false
          SSDEEP:48:DE53Cnd+p8d+zztjaaxLiPktzCliwqrwOT8RfkD1UKd+mOl1Awr+:DE5yQPzztjaaxmPktW0lrfOfsUzmbY+
          MD5:DE7F3CDD29B458BD18463100490C8EFF
          SHA1:F6677870E4F8A9D914C13FCEF5DB1AF2A7BA5624
          SHA-256:62679B757C0F42517DF1DA7D57E0B2E01944F8CF9F14CF89F5C3D556F952522F
          SHA-512:584491196B7757B108FB6535B687E28B3C4BEB56162CC6DE4911C211B7A000B0AF2B7A26AFAB73422DA6876F568D4CCE23802D27C57CF7D6565BD02877B08A32
          Malicious:false
          Reputation:unknown
          Preview:Metadata-Version: 2.1.Name: wheel.Version: 0.37.1.Summary: A built-package format for Python.Home-page: https://github.com/pypa/wheel.Author: Daniel Holth.Author-email: dholth@fastmail.fm.Maintainer: Alex Gr.nholm.Maintainer-email: alex.gronholm@nextday.fi.License: MIT.Project-URL: Documentation, https://wheel.readthedocs.io/.Project-URL: Changelog, https://wheel.readthedocs.io/en/stable/news.html.Project-URL: Issue Tracker, https://github.com/pypa/wheel/issues.Keywords: wheel,packaging.Platform: UNKNOWN.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 2.Classifier: Programming Language :: Python :: 2.7.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3.5.Classifier: Programming Language :: Python ::
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:CSV text
          Category:dropped
          Size (bytes):2657
          Entropy (8bit):5.738906743733574
          Encrypted:false
          SSDEEP:48:/exuRklpzybyrvGy+myCqTQgYvH6MHIS8mvinJ3yGnJ3ykz1lQERayzYsoRLmlJi:mxVlkmrvZnyCqTQDvH6MHp8uiJCGJCkc
          MD5:92F640958CC843ABF1B37B511B6BD5AE
          SHA1:5248FD1AAE16910FE6FDF9914CB5FC5B24F0906F
          SHA-256:E2028F94F2C8579CB22A3260083CD34D5FD3CD590150F471EB8169BEED7152D5
          SHA-512:949991767039F1DB9851F222CD3FA16F0D812CC2BD885A389C78E2091C3B68E9292C4AA876172CC4C48E09F84947013DA6DC2589911A7D192F5748C6DDEF4F86
          Malicious:false
          Reputation:unknown
          Preview:wheel/__init__.py,sha256=yLOqsEZUPaM3VNKOMxQraLgCCyF8q3k10KY4C1Hi_Lo,23.wheel/__main__.py,sha256=lF-YLO4hdQmoWuh4eWZd8YL1U95RSdm76sNLBXa0vjE,417.wheel/bdist_wheel.py,sha256=2vfv3g_b8BvZ5Do9bpLEBdu9dQEcvoMQ1flXpKYFJDU,19075.wheel/macosx_libfile.py,sha256=Xvp-IrFyRJ9RThIrPxfEpVCDGfljJPWRTZiyopk70hI,15930.wheel/metadata.py,sha256=b3kPhZn2w2D9wengltX5nGIZQ3ERUOQ5U-K5vHKPdeg,4344.wheel/pkginfo.py,sha256=GR76kupQzn1x9sKDaXuE6B6FsZ4OkfRtG7pndlXPvQ4,1257.wheel/util.py,sha256=mnNZkJCi9DHLI_q4lTudoD0mW97h_AoAWl7prNPLXJc,938.wheel/wheelfile.py,sha256=NyH8VcFLvu7jUwH6r4KoL_U45OKFVpUyJ5Z7gRAI_Lc,7574.wheel/cli/__init__.py,sha256=GWSoGUpRabTf8bk3FsNTPrc5Fsr8YOv2dX55iY2W7eY,2572.wheel/cli/convert.py,sha256=7F4vj23A2OghDDWn9gX2V-_TeXMza1a5nIejmFGEUJM,9498.wheel/cli/pack.py,sha256=Bfq6KrHicZKrpbktkreeRxIaWwBozUP99JQy2D8-ddY,3364.wheel/cli/unpack.py,sha256=0VWzT7U_xyenTPwEVavxqvdee93GPvAFHnR3Uu91aRc,673.wheel/vendored/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0.wheel/vendored/packag
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):110
          Entropy (8bit):4.816968543485036
          Encrypted:false
          SSDEEP:3:RtEeX7MWcSlViZHKRRP+tPCCf7irO5S:RtBMwlViojWBBwt
          MD5:8CFA23CB3A9E0E9F30077848A14BE857
          SHA1:E5AC311BA9EEC5C0CCDDC091AC7C0D62A72ECF72
          SHA-256:CFD8F4C406BF26650A3299B3EF62B464600B48CFE7FB04159866E5797C765478
          SHA-512:039CB61C67F02B3B349102FA40FBB55FCA46D54007309FD08B2707E2CAC74FDDDBB39B18730704209DB4852BB9BB18078EF6A6A57ACF0F0BA4951D7A249521BD
          Malicious:false
          Reputation:unknown
          Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.37.1).Root-Is-Purelib: true.Tag: py2-none-any.Tag: py3-none-any..
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):108
          Entropy (8bit):4.342039869160156
          Encrypted:false
          SSDEEP:3:1SSAsVYgh+MWTMhk6WjwVM5t5ln:1rb9WTMhk9jSM5t5ln
          MD5:7AB099DD08D127FFF9A98B12A6B127E0
          SHA1:8454C246D5A924CC6A13F5BFA188468E00F4D179
          SHA-256:37C1DB605493DF2ACD418781DB05D60443D4845B04B4A3513DA0851893F2AB27
          SHA-512:866EAFE67528CE8B692F474E7883BF776644CD41D13220D9C7F9446F7E325104C2F4ABF9B08701E470423756511D452885DFA1B875D4661D3472BC2002C28492
          Malicious:false
          Reputation:unknown
          Preview:[console_scripts].wheel = wheel.cli:main..[distutils.commands].bdist_wheel = wheel.bdist_wheel:bdist_wheel..
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text
          Category:dropped
          Size (bytes):6
          Entropy (8bit):2.2516291673878226
          Encrypted:false
          SSDEEP:3:/sv:/sv
          MD5:EF72659542687B41FB1A4225120F41FA
          SHA1:3EF6EE742B2E851DEA1F754CE60A1FC222194799
          SHA-256:1F148121B804B2D30F7B87856B0840EBA32AF90607328A5756802771F8DBFF57
          SHA-512:A16A6E11367C986B2A7B38C491943B28F402081D3E2D41474C9E61BE44941133E87CB821750AD27A1E46FA2AFF9F93B8584C37247BDE219ABAC12D3D6EE4477C
          Malicious:false
          Reputation:unknown
          Preview:wheel.
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):14848
          Entropy (8bit):5.112106937352672
          Encrypted:false
          SSDEEP:192:lGCm72PEO1jIUs0YqEcPbF55UgCWV4rofnbPmitE255qDLWn7ycLmrO/:8ardA0Bzx14r6nbN50W9/
          MD5:F9C9445BE13026F8DB777E2BBC26651D
          SHA1:E1D58C30E94B00B32AD1E9B806465643F4AFE980
          SHA-256:C953DB1F67BBD92114531FF44EE4D76492FDD3CF608DA57D5C04E4FE4FDD1B96
          SHA-512:587D9E8521C246865E16695E372A1675CFBC324E6258DD03479892D3238F634138EBB56985ED34E0C8C964C1AB75313182A4E687B598BB09C07FC143B506E9A8
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):133632
          Entropy (8bit):5.849731189887005
          Encrypted:false
          SSDEEP:3072:l2J5loMoEg9enX4oD8cdf0nlRVFhLaNKP/IyymuqCyqJhe:cblovEgqXHdfqlRVlP/IyzCyy
          MD5:00E5DA545C6A4979A6577F8F091E85E1
          SHA1:A31A2C85E272234584DACF36F405D102D9C43C05
          SHA-256:AC483D60A565CC9CBF91A6F37EA516B2162A45D255888D50FBBB7E5FF12086EE
          SHA-512:9E4F834F56007F84E8B4EC1C16FB916E68C3BAADAB1A3F6B82FAF5360C57697DC69BE86F3C2EA6E30F95E7C32413BABBE5D29422D559C99E6CF4242357A85F31
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):28672
          Entropy (8bit):5.557243649975138
          Encrypted:false
          SSDEEP:384:qwXwVM65Ix6Hey0a4SqSv/L/jhfWddbcQ857W5/hoOn0k/MwGCHRUyGa/:Fn6oDOb/jhfWddbcrwYOn0k/MwJYa
          MD5:98D246A539426C3A7A842D6CF286D46D
          SHA1:CEF7350297F7E1E2407C9125033DC972C3171122
          SHA-256:7461A15657C7516237B020357CCF6DE1D07B1C781149C0DA7892AEA0EA63A825
          SHA-512:F2FE96082C333210261A1247155373276A58A9E6128374A6FBA252D39CB78B286A30C48E05D2EB1E0B41653598BB114C0361BC55808FE091E8A13CDE0B59AC5F
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):73216
          Entropy (8bit):5.762045981366128
          Encrypted:false
          SSDEEP:1536:idrARomwyEvN7xM8v2uuYTtEJaLGDXYBFB8Dmz:qIomwySmm2uuYJEJaLGDXkFB8qz
          MD5:20CA43E99D008452833394B4AB4D9239
          SHA1:97E6DC871483540551CBF44B7727CE91ADCDA844
          SHA-256:28783A9111E539BD0EDBB97C9204C983E1D15DC7A0E7A6D4DE02DF1A3D5E3566
          SHA-512:273323375886835BC4E737984586BC31FFDCC185A3FA3CA1181CB65B2D6D1867E527B3226484ECD8DD902A02CF94B4AB8F7C88744235543ED83620206E65E7C0
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):143360
          Entropy (8bit):5.9314950978938334
          Encrypted:false
          SSDEEP:3072:XkXeNNnoGygqaE7Byk+YXR4Ei1HPUb1+JybQhzacKG6t6BU:XkX8Nugqz7Byk+QRVi1vUbc0bCacu
          MD5:D09207A5F23C943F911B5FC301BBE97A
          SHA1:735C69217D80E1986C681B4B74629E79A3C95934
          SHA-256:B1B0A1F9C8903E2EC65B9D6A4AC746E72090DB9A34F2A180B79769C9C5B15085
          SHA-512:68BE8558026EBCEECFC29D91F6E040E4DDE2EF4DED2D471CB547C081B4D947CDF15B77CD5CD6C3BAA37FD2C92A297D2A5CA7B2ED2D27B88B09BB521F61725B4A
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):93184
          Entropy (8bit):5.244759668592125
          Encrypted:false
          SSDEEP:1536:QJCZO2AJy8OCCyNNOYz0/bNFogGC6WEhj9BBP4f:QrtIpAmEhxBl4f
          MD5:4404218C4F6A61C338F332B2A9402C10
          SHA1:C48DDA2E4C2F06ED406F678131D485DB28294599
          SHA-256:E5002A894100FE9F43BACA194013702EBB8F8DF6A6909BE76D79E1C539E58FFD
          SHA-512:65E0F0DEE8F6A83951F8091FCF6CA62D559E125B8F0E9B306BF7F0A95EB59FC6CB42A95003E15AACC470DA10AF2CCCFC87518E6A4139FBBCEB117CB63594A75F
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):28160
          Entropy (8bit):5.501710845558622
          Encrypted:false
          SSDEEP:384:vvGJPNu6PrVo4r8MhY7jgzgCoASCwz8T8VBBr/kVyhPDmM/f:vv0/DpGXJC6VB5/LhKi
          MD5:43C630BE751F1B465DCD77E036797309
          SHA1:A10EE078EB475674BB7BCC349B5F4B283E763EB5
          SHA-256:DDE06EAA71699359C23D4C564AD25785FA933CE28DD117EBFB374D276537C6EC
          SHA-512:6FD2163860D7559C4D3E7E43EE5C462EC8B01FCFAEAC47ED4056CEA74C07E7D46863C5395D52A514D6844369AB7EA031186AAE54CEDFD636B94740A8BB276966
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):23552
          Entropy (8bit):5.279236779449316
          Encrypted:false
          SSDEEP:384:peeH8ZmV+zknwMsADuVLw0T8DmrRl2j9BfEAZnpC9QJQ1BA:5+zi/uVDS9dl6pB
          MD5:B291ADAB2446DA62F93369A0DD662076
          SHA1:A6B6C1054C1F511C64AEFB5F6C031AFE553E70F0
          SHA-256:C5AD56E205530780326BD1081E94B212C65082B58E0F69788E3DC60EFFBD6410
          SHA-512:847CC9E82B9939DBDC58BFA3E5A9899D614642E0B07CF1508AA866CD69E4AD8C905DBF810A045D225E6C364E1D9F2A45006F0EB0895BCD5AAF9D81EE344D4AEA
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):527872
          Entropy (8bit):6.165923585421349
          Encrypted:false
          SSDEEP:6144:bXtpsewPjUA2jGZ90SmgopJgUCBKw84O3Rpd0K1VS0cTZdxi2y3:bXtp5sIAN90pleK1VSXXi2g
          MD5:C2E1B245D4221BDA4C198CF18D9CA6AF
          SHA1:9682B6E966495F7B58255348563A86C63FBD488C
          SHA-256:89A8651DAD701DCE6B42B0E20C18B07DF6D08A341123659E05381EE796D23858
          SHA-512:C2F57E9303D37547671E40086DDAD4B1FC31C52D43994CFCEC974B259125E125C644873073F216F28066BB0C213CBEB1B9A3C149727C9F1BC50F198AC45A4C8A
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):4
          Entropy (8bit):2.0
          Encrypted:false
          SSDEEP:3:qn:qn
          MD5:3F1D1D8D87177D3D8D897D7E421F84D6
          SHA1:DD082D742A5CB751290F1DB2BD519C286AA86D95
          SHA-256:F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
          SHA-512:2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
          Malicious:false
          Reputation:unknown
          Preview:blat
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
          Category:dropped
          Size (bytes):18127
          Entropy (8bit):4.036737741619669
          Encrypted:false
          SSDEEP:192:xaz+aCQbjdBCLCgfvtfLEmmVxJzLKLIW7cBFCoSM0fvJ93eyryH1MqG1xcRY/c5f:seh/IMHexG4q2
          MD5:B7F65A3A169484D21FA075CCA79083ED
          SHA1:5DBFA18928529A798FF84C14FD333CB08B3377C0
          SHA-256:32585B93E69272B6D42DAC718E04D954769FE31AC9217C6431510E9EEAD78C49
          SHA-512:EDA2F946C2E35464E4272B1C3E4A8DC5F17093C05DAB9A685DBEFD5A870B9D872D8A1645ED6F5B9A72BBB2A59D22DFA58FBF420F6440278CCBE07B6D0555C283
          Malicious:false
          Reputation:unknown
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):2980
          Entropy (8bit):6.163758160900388
          Encrypted:false
          SSDEEP:48:c5DiTlOtMes9T/JhDXsA9EHSniarRFeOrw8N3mZNNTN2N08CEjMUWFPmDlTKJKy2:uDiTlFrDDsA9tfHP8+8nhM0WamzqDFqD
          MD5:472ABBEDCBAD24DBA5B5F5E8D02C340F
          SHA1:974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
          SHA-256:8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
          SHA-512:676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ................. ......................../passive | /quiet - .... UI ........... UI.... ........... UI ........../norestart - ................UI ............./log log.txt - .........
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
          Category:dropped
          Size (bytes):13053
          Entropy (8bit):5.125552901367032
          Encrypted:false
          SSDEEP:192:TKwfs7OUpXLa5HEXQwNCNvZSjotXxiwH++3kamdEj6ZDbugDHgbGNlv6NbrYGY9x:Lfs7c5DRH0aHmJGpafU0AliwGra2
          MD5:B408556A89FCE3B47CD61302ECA64AC9
          SHA1:AAC1CDAF085162EFF5EAABF562452C93B73370CB
          SHA-256:21DDCBB0B0860E15FF9294CBB3C4E25B1FE48619210B8A1FDEC90BDCDC8C04BC
          SHA-512:BDE33918E68388C60750C964CDC213EC069CE1F6430C2AA7CF1626E6785C7C865094E59420D00026918E04B9B8D19FA22AC440F851ADC360759977676F8891E7
          Malicious:false
          Reputation:unknown
          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 LICEN\f1\'c8N\f0\'cd PODM\'cdNKY PRO SOFTWARE SPOLE\f1\'c8NOSTI MICROSOFT\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Tyto licen\f1\'e8n\f0\'ed podm\'ednky p\f1\'f8edstavuj\f0\'ed smlouvu mezi spole\f1\'e8nost\f0\'ed Microsoft Corporation (nebo n\f1\'eckterou z\~jej\f0\'edch afilac\'ed v\~z\'e1vislosti na tom, kde bydl\'edte) a\~v\'e1mi. Vztahuj\'ed se na v\'fd\f1\'9ae uveden\f0\'fd software. Podm\'ednky se rovn\f1\'ec\'9e vztahuj\f0\'ed na jak\'e9koli slu\f1\'9eby Microsoft nebo aktualizace pro software, pokud se na slu\'9eby nebo aktualizace nevztahuj\f0\'ed odli\f1\'9an\f0\'e9 podm\'ednky.\par..\b DODR\f1\'8e\f0\'cdTE-LI TYTO
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):3333
          Entropy (8bit):5.370651462060085
          Encrypted:false
          SSDEEP:48:c5DiTlOtesM6H2hDdxHOjZxsaIIy3Iy5sDMN3mkNFN7NwcfiPc3hKPnWZLF0hKqZ:uDiTlVxxHOy/9xXfpZJYnL8xK2S
          MD5:16343005D29EC431891B02F048C7F581
          SHA1:85A14C40C482D9351271F6119D272D19407C3CE9
          SHA-256:07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
          SHA-512:FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instala.n. program [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="HelpHeader">N.pov.da nastaven.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [adres..] . Nainstaluje, oprav., odinstaluje nebo.. vytvo.. .plnou m.stn. kopii svazku v adres..i. V.choz. mo.nost. je instalace...../passive | /quiet . Zobraz. minim.ln. u.ivatelsk. rozhran. bez v.zev nebo nezobraz. ..dn. u.ivatelsk. rozhran. a.. ..dn. v.zvy. V.choz. mo.nost. je zobrazen. u.ivatelsk.ho rozhran. a v.ech v.zev...../noresta
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
          Category:dropped
          Size (bytes):11936
          Entropy (8bit):5.194264396634094
          Encrypted:false
          SSDEEP:192:+XkOmRUOl6WBsl4kA+sn+mvtI0qHl4qj+iPqk6kVV9iX9GzYNvQ8yOejIpRMrhC2:DDHMFPCeV3i4zOHyOejIpkC2
          MD5:C2CFA4CE43DFF1FCD200EDD2B1212F0A
          SHA1:E8286E843192802E5EBF1BE67AE30BCAD75AC4BB
          SHA-256:F861DB23B972FAAA54520558810387D742878947057CF853DC74E5F6432E6A1B
          SHA-512:6FDF02A2DC9EF10DD52404F19C300429E7EA40469F00A43CA627F3B7F3868D1724450F99C65B70B9B7B1F2E1FA9D62B8BE1833A8C5AA3CD31C940459F359F30B
          Malicious:false
          Reputation:unknown
          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT-SOFTWARE-LIZENZBESTIMMUNGEN\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Diese Lizenzbestimmungen sind ein Vertrag zwischen Ihnen und der Microsoft Corporation (bzw. abh\'e4ngig von Ihrem Wohnsitz einem mit Microsoft verbundenen Unternehmen). Sie gelten f\'fcr die oben angef\'fchrte Software. Die Bestimmungen gelten ebenso f\'fcr jegliche von Microsoft angebotenen Dienste oder Updates f\'fcr die Software, sofern diesen keine anderen Bestimmungen beiliegen.\par..\b SOFERN SIE DIESE LIZENZBESTIMMUNGEN EINHALTEN, SIND SIE ZU FOLGENDEM BERECHTIGT:\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 RECHTE ZUR INSTALLATION UND NUTZUNG. \
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):3379
          Entropy (8bit):5.094097800535488
          Encrypted:false
          SSDEEP:48:c5DiTlOZuesXJhDEVTORNxSMoZN3mteNSiNGNsZuiAXEqicMwhPXbhu9KwKlK8Kq:uDiTl3N7xSbu0N8+AhSNnm
          MD5:561F3F32DB2453647D1992D4D932E872
          SHA1:109548642FB7C5CC0159BEDDBCF7752B12B264C0
          SHA-256:8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
          SHA-512:CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] - Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive | /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und alle Eingab
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
          Category:dropped
          Size (bytes):11593
          Entropy (8bit):5.106817099949188
          Encrypted:false
          SSDEEP:192:aRAbNYjVk+z5GUSLse5GgALEXmAWL+/3FEShP9sJgi8+Ra8woh+89EQdhwQPely6:K4yrPqm9LcVEg9sVp2ohHVdKoXJXci9a
          MD5:F0FF747B85B1088A317399B0E11D2101
          SHA1:F13902A39CEAE703A4713AC883D55CFEE5F1876C
          SHA-256:4D9B7F06BE847E9E135AB3373F381ED7A841E51631E3C2D16E5C40B535DA3BCF
          SHA-512:AA850F05571FFC361A764A14CA9C1A465E2646A8307DEEE0589852E6ACC61AF145AEF26B502835724D7245900F9F0D441451DD8C055404788CE64415F5B79506
          Malicious:false
          Reputation:unknown
          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMES DU CONTRAT DE LICENCE LOGICIEL MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Les pr\'e9sents termes du contrat de licence constituent un contrat entre Microsoft Corporation (ou, en fonction de votre lieu de r\'e9sidence, l\rquote un de ses affili\'e9s) et vous. Ils s\rquote appliquent au logiciel vis\'e9 ci-dessus. Les termes s\rquote appliquent \'e9galement \'e0 tout service et \'e0 toute mise \'e0 jour Microsoft pour ce logiciel, \'e0 moins que d\rquote autres termes n\rquote accompagnent ces \'e9l\'e9ments.\par..\b SI VOUS VOUS CONFORMEZ AUX PR\'c9SENTS TERMES DU CONTRAT DE LICENCE, VOUS AVEZ LES DROITS CI-DESSOUS.\par....\pard{\pntext\f1\'B7\tab}{\*\pn\pnlvlblt\pnf1\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\s
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):3366
          Entropy (8bit):5.0912204406356905
          Encrypted:false
          SSDEEP:48:c5DiTlO1BesgKLhD1K8cocDSN3m4NlN2ZfNmXL8ePZFcZkLPqUf9fQKRLKeKqZfj:uDiTlABzH1/qt4qgcXY
          MD5:7B46AE8698459830A0F9116BC27DE7DF
          SHA1:D9BB14D483B88996A591392AE03E245CAE19C6C3
          SHA-256:704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
          SHA-512:FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler.?</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du groupe dans le r.pertoire. Install est l'option par d.faut...../passive | /quiet - affiche une interface minimale, sans invite, ou n'affiche ni interface.. ni invite. Par d.faut, l'interface et toutes les invites sont affich.es...../norestart - supprime toutes les tentatives de red.
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
          Category:dropped
          Size (bytes):11281
          Entropy (8bit):5.046489958240229
          Encrypted:false
          SSDEEP:192:WBGNX6UXR2+5SmgS/ChMErYkQvowHVw6zdgkycEGCDLQ+n3YJ2d8XSiej+T4Ma8f:gAzSVARBR5jEPLQY3YJpSjTP2
          MD5:9D98044BAC59684489C4CF66C3B34C85
          SHA1:36AAE7F10A19D336C725CAFC8583B26D1F5E2325
          SHA-256:A3F745C01DEA84CE746BA630814E68C7C592B965B048DDC4B1BBE1D6E533BE22
          SHA-512:D849BBB6C87C182CC98C4E2314C0829BB48BAD483D0CD97BF409E75457C3695049C3A8ADFE865E1ECBC989A910096D2C1CDF333705AAC4D22025DF91B355278E
          Malicious:false
          Reputation:unknown
          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 CONTRATTO DI LICENZA PER IL SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Le presenti condizioni di licenza costituiscono il contratto tra Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) e il licenziatario, Tali condizioni si applicano al software Microsoft di cui sopra. Le condizioni si applicano inoltre a qualsiasi servizio o aggiornamento di Microsoft relativo al software, a meno che questo non sia accompagnato da condizioni differenti.\par..\b QUALORA IL LICENZIATARIO SI ATTENGA ALLE PRESENTI CONDIZIONI DI LICENZA, DISPORR\'c0 DEI DIRITTI INDICATI DI SEGUITO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\p
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):3319
          Entropy (8bit):5.019774955491369
          Encrypted:false
          SSDEEP:48:c5DiTlO1eesy+hD9BOtBFv5Vo8BbQhMNDJN3msNlNohNNz+wcPclM+PAoYKp+K/u:uDiTlfQvo8WutJ/s9FHNOJp
          MD5:D90BC60FA15299925986A52861B8E5D5
          SHA1:FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
          SHA-256:0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
          SHA-512:11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida alla configurazione</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . Install...../passive | /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita viene visualizzata l'intera interfaccia utente e tutti i prompt...../norestart - annulla quals
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
          Category:dropped
          Size (bytes):28232
          Entropy (8bit):3.7669201853275722
          Encrypted:false
          SSDEEP:192:Qkb65jNkzrUJVbpEiTskXHH1AZWoJxfnVnkDYUqfQFXBue6hX2JSfR7q05kWZxhY:epCD3y/ybox2yrk2
          MD5:8C49936EC4CF0F64CA2398191C462698
          SHA1:CC069FE8F8BC3B6EE2085A4EACF40DB26C842BAC
          SHA-256:7355367B7C48F1BBACC66DFFE1D4BF016C16156D020D4156F288C2B2207ED1C2
          SHA-512:4381147FF6707C3D31C5AE591F68BC61897811112CB507831EFF5E71DD281009400EDA3300E7D3EFDE3545B89BCB71F2036F776C6FDFC73B6B2B2B8FBC084499
          Malicious:false
          Reputation:unknown
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):3959
          Entropy (8bit):5.955167044943003
          Encrypted:false
          SSDEEP:96:uDiTlDuB1n+RNmvFo6bnpojeTPk0R/vueX5OA17IHdGWz:5uB1+gD1DU4EdGE
          MD5:DC81ED54FD28FC6DB6F139C8DA1BDED6
          SHA1:9C719C32844F78AAE523ADB8EE42A54D019C2B05
          SHA-256:6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
          SHA-512:FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.. <Control Control="UninstallButton" X="270" Y="237" Width="120" Height="23"/>.. <Control Control="RepairButton" X="187" Y="237" Width="80" Height="23"/>.. .. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ............ ......... .........................
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
          Category:dropped
          Size (bytes):27936
          Entropy (8bit):3.871317037004171
          Encrypted:false
          SSDEEP:384:kKIgbA2uBsarNG/HxPvCL1ewjxsXmEw4C7C7R4jAeqCBO968y7yNRylBSFfQv9yH:d3ar8Xa/XAeqoc0wfBB4qN
          MD5:184D94082717E684EAF081CEC3CBA4B1
          SHA1:960B9DA48F4CDDF29E78BBAE995B52204B26D51B
          SHA-256:A4C25DA9E3FBCED47464152C10538F16EE06D8E06BC62E1CF4808D293AA1AFA2
          SHA-512:E4016C0CA348299B5EF761F456E3B5AD9B99E5E100C07ACAB1369DFEC214E75AA88E9AD2A0952C0CC1B707E2732779E6E3810B3DA6C839F0181DC81E3560CBDA
          Malicious:false
          Reputation:unknown
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):3249
          Entropy (8bit):5.985100495461761
          Encrypted:false
          SSDEEP:48:c5DiTlO4TesKOwhDNJCkt1NhEN3m/NFNkbKNdExpVgUnqx6IPaRc0KoUK9TKz0KR:uDiTlUJJCsgqf6YVoz4uU5vI54U5TY
          MD5:B3399648C2F30930487F20B50378CEC1
          SHA1:CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
          SHA-256:AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
          SHA-512:C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] .. ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive | /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ........../norestart - .. .... .. .... ...
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
          Category:dropped
          Size (bytes):13265
          Entropy (8bit):5.358483628484379
          Encrypted:false
          SSDEEP:192:TKpWRd0NE41Y/od7V/sHFos7YLQY9DbLM5D+Vw1VAOb0P4/sHLS7VHwHMPw95a+Q:uy0CG9KZ7qQCw1VAOZ/sHOJfcY2wf6p2
          MD5:5B9DF97FC98938BF2936437430E31ECA
          SHA1:AB1DA8FECDF85CF487709774033F5B4B79DFF8DE
          SHA-256:8CB5EB330AA07ACCD6D1C8961F715F66A4F3D69FB291765F8D9F1850105AF617
          SHA-512:4EF61A484DF85C487BE326AB4F95870813B9D0644DF788CE22D3BEB6E062CDF80732CB0B77FCDA5D4C951A0D67AECF8F5DCD94EA6FA028CFCA11D85AA97714E3
          Malicious:false
          Reputation:unknown
          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 POSTANOWIENIA LICENCYJNE DOTYCZ\f1\'a5CE OPROGRAMOWANIA\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Niniejsze postanowienia licencyjne stanowi\f1\'b9 umow\'ea mi\'eadzy Microsoft Corporation (lub, w\~zale\'bfno\'9cci od miejsca zamieszkania Licencjobiorcy, jednym z\~podmiot\f0\'f3w stowarzyszonych Microsoft Corporation) a\~Licencjobiorc\f1\'b9. Maj\'b9 one zastosowanie do wskazanego powy\'bfej oprogramowania. Niniejsze postanowienia maj\'b9 r\f0\'f3wnie\f1\'bf zastosowanie do wszelkich us\'b3ug i aktualizacji Microsoft dla niniejszego oprogramowania, z wyj\'b9tkiem tych, kt\f0\'f3rym towarzysz\f1\'b9 inne postanowienia.\par..\b\
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):3212
          Entropy (8bit):5.268378763359481
          Encrypted:false
          SSDEEP:48:c5DiTlOPesar4hDo7zGriQjDCN3mDNN0NrsNGl3vxkIP2hUdKLK0KbK4n6W0sfNM:uDiTlusPGriQw8n2rOij4JsU
          MD5:15172EAF5C2C2E2B008DE04A250A62A1
          SHA1:ED60F870C473EE87DF39D1584880D964796E6888
          SHA-256:440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
          SHA-512:48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalator [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive | /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietlany interfejs u.ytkownika oraz wszystkie monity...../norestart - Pom
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
          Category:dropped
          Size (bytes):10656
          Entropy (8bit):5.092962528947159
          Encrypted:false
          SSDEEP:192:WIPAufWXXF0+YkR6E0/CiTS0CsGlHIMqf29H7KxLY/aYzApT3anawLXCBX2:VPAufb+YSSCYrCb5BmW4UDaTqzLwX2
          MD5:360FC4A7FFCDB915A7CF440221AFAD36
          SHA1:009F36BBDAD5B9972E8069E53855FC656EA05800
          SHA-256:9BF79B54F4D62BE501FF53EEDEB18683052A4AE38FF411750A764B3A59077F52
          SHA-512:9550A99641F194BB504A76DE011D07C1183EE1D83371EE49782FC3D05BF779415630450174DD0C03CB182A5575F6515012337B899E2D084203717D9F110A6FFE
          Malicious:false
          Reputation:unknown
          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMOS DE LICEN\'c7A PARA SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Estes termos de licen\'e7a formam um contrato firmado entre a Microsoft Corporation (ou com base no seu pa\'eds de resid\'eancia, uma de suas afiliadas) e voc\'ea. Eles se aplicam ao software indicado acima. Os termos tamb\'e9m se aplicam a quaisquer servi\'e7os ou atualiza\'e7\'f5es da Microsoft para o software, exceto at\'e9 a extens\'e3o de que eles tenham termos diferentes.\par..\b SE VOC\'ca CONCORDAR COM ESTES TERMOS DE LICEN\'c7A, TER\'c1 OS DIREITOS INDICADOS ABAIXO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\t
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):3095
          Entropy (8bit):5.150868216959352
          Encrypted:false
          SSDEEP:48:c5DiTlO5es/4ThDzmU6lDj4N3mBl0N+NWNP4hHCc9skPDXeKKeK9KfKt4eJ2RQdg:uDiTlJhJGl2UsZMLe6
          MD5:BE27B98E086D2B8068B16DBF43E18D50
          SHA1:6FAF34A36C8D9DE55650D0466563852552927603
          SHA-256:F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
          SHA-512:3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [diret.rio - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive | /quiet - exibe a IU m.nima sem nenhum prompt ou n.o exibe nenhuma IU e.. nenhum prompt. Por padr.o, a IU e todos os prompts s.o exibidos...../norestart - suprime qualquer tentativa de reiniciar. Por padr.o, a IU perguntar. antes de reiniciar
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
          Category:dropped
          Size (bytes):31915
          Entropy (8bit):3.6440775919653996
          Encrypted:false
          SSDEEP:384:ntaMxngQEqQUaAEJxkSjjujcme51oVwuZOFsrnkGxunWxGc9wtvVYgCzkSxN1S2:npgnmWWNEvVYgCzxD
          MD5:A59C893E2C2B4063AE821E42519F9812
          SHA1:C00D0B11F6B25246357053F6620E57D990EFC698
          SHA-256:0EC8368E87B3DFC92141885A2930BDD99371526E09FC52B84B764C91C5FC47B8
          SHA-512:B9AD8223DDA2208EC2068DBB85742A03BE0291942E60D4498E3DAB4DDF559AA6DCF9879952F5819223CFC5F4CB71D4E06E4103E129727AACFB8EFE48403A04FA
          Malicious:false
          Reputation:unknown
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):4150
          Entropy (8bit):5.444436038992627
          Encrypted:false
          SSDEEP:48:c5DiTlDhQt9esbrohDTWJt49kAr7DHN3m5GNDCNvNLIkflhrWncPingGdZwK1Kqp:uDiTlDYVgmt4xJ88k193ipzjvL
          MD5:17C652452E5EE930A7F1E5E312C17324
          SHA1:59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
          SHA-256:7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
          SHA-512:53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.... <String Id="Caption">......... ......... [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [.......] - ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... - ............../passive | /quiet - ........... ....
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
          Category:dropped
          Size (bytes):13379
          Entropy (8bit):5.214715951393874
          Encrypted:false
          SSDEEP:192:1fGkc01jIjZTUDUTvXt2QpfC5VAlCPpDwuOfH7df3YwnnbZIWG2XjQeoO9uBO8CA:Iiqx4Uh2QpMVA8haDdv9nbZzG6oQR2
          MD5:BD2DC15DFEE66076BBA6D15A527089E7
          SHA1:8768518F2318F1B8A3F8908A056213042A377CC4
          SHA-256:62A07232017702A32F4B6E43E9C6F063B67098A1483EEDDB31D7C73EAF80A6AF
          SHA-512:9C9467A2F2D0886FF4302A44AEA89734FCEFBD3CBE04D895BCEACBA1586AB746E62391800E07B6228E054014BE51F14FF63BA71237268F94019063C8C8B7EF74
          Malicious:false
          Reputation:unknown
          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT YAZILIMI L\f1\u304?SANS KO\'aaULLARI\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Bu lisans ko\f1\'baullar\u305?, Microsoft Corporation (veya ya\'baad\u305?\u287?\u305?n\u305?z yere g\f0\'f6re bir ba\f1\u287?l\u305? \'bairketi) ile sizin aran\u305?zda yap\u305?lan anla\'bamay\u305? olu\'baturur. Bu ko\'baullar, yukar\u305?da ad\u305? ge\f0\'e7en yaz\f1\u305?l\u305?m i\f0\'e7in ge\'e7erlidir. \f1\'aaartlar, yaz\u305?l\u305?m i\f0\'e7in t\'fcm Microsoft hizmetleri veya g\'fcncelle\f1\'batirmeleri i\f0\'e7in, beraberlerinde farkl\f1\u305? \'baartlar bulunmad\u305?\u287?\u305? s\f0\'fcrece ge\'e7erlidir.\par..\b BU L\f1\u304?SANS \'aaARTLARINA UYDU\u286?UNUZ TAKD\u304?RDE A\'aaA\u286?IDAK\u3
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):3221
          Entropy (8bit):5.280530692056262
          Encrypted:false
          SSDEEP:48:c5DiTlOaesHEqhDTHV4zVy6oBzdp0DYK2GP2ZmN3majyNXNoNKQXVvChcPc+WKb0:uDiTl3PHcIflKNTPgdi12xgg
          MD5:DEFBEA001DC4EB66553630AC7CE47CCA
          SHA1:90CED64EC7C861F03484B5D5616FDBCDA8F64788
          SHA-256:E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
          SHA-512:B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive | /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler g.r.nt.lenir...../norestart - yeniden ba.lama denemelerini engeller. Varsay.lan olarak UI yeniden ba.l
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
          Category:dropped
          Size (bytes):17863
          Entropy (8bit):3.9617786349452775
          Encrypted:false
          SSDEEP:192:BxoqPyOj+/8Tk5VigWgijAlk5xWvSCI5lgios0EhGXxGMLVGW+uUoqyLZDvAJxMx:vbIeaE7q3KGgzD2
          MD5:3CF16377C0D1B2E16FFD6E32BF139AC5
          SHA1:D1A8C3730231D51C7BB85A7A15B948794E99BDCE
          SHA-256:E95CA64C326A0EF7EF3CED6CDAB072509096356C15D1761646E3C7FDA744D0E0
          SHA-512:E9862FD0E8EC2B2C2180183D06535A16A527756F6907E6A1D2DB85092636F72C497508E793EE8F2CC8E0D1A5E090C6CCF465F78BC1FA8E68DAF7C68815A0EE16
          Malicious:false
          Reputation:unknown
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):2978
          Entropy (8bit):6.135205733555905
          Encrypted:false
          SSDEEP:48:c5DiTlOtKesi+hDtkQf7lz+W0gopN3m5+3cNONeN1ra8vWqPtlTKxKUTKlKXRoR+:uDiTlV5kQR9GLeE0ZxV6gIV
          MD5:3D1E15DEEACE801322E222969A574F17
          SHA1:58074C83775E1A884FED6679ACF9AC78ABB8A169
          SHA-256:2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
          SHA-512:10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [..] - .......... ..................Install ........../passive | /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ..................... UI.../log log.txt - ............. %TEMP% ...
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
          Category:dropped
          Size (bytes):10714
          Entropy (8bit):5.122578090102117
          Encrypted:false
          SSDEEP:192:WthGE/9wd8eQF/hJOmQeNrXT77uOlQ+v3AqHqc3wpXGYdjvsk2cwBb2:mhGuhj+ed388Bb2
          MD5:FBF293EE95AFEF818EAF07BB088A1596
          SHA1:BBA1991BA6459C9F19B235C43A9B781A24324606
          SHA-256:1FEC058E374C20CB213F53EB3C44392DDFB2CAA1E04B7120FFD3FA7A296C83E2
          SHA-512:6971F20964EF74B19077EE81F953342DC6D2895A8640EC84855CECCEA5AEB581E6A628BCD3BA97A5D3ACB6CBE7971FDF84EF670BDDF901857C3CD28855212019
          Malicious:false
          Reputation:unknown
          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 T\'c9RMINOS DE LA LICENCIA DE SOFTWARE DE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0 Estos t\'e9rminos de licencia constituyen un contrato entre Microsoft Corporation (o, en funci\'f3n de donde resida, una de sus filiales) y usted. Se aplican al software antes mencionado. Los t\'e9rminos tambi\'e9n se aplican a cualquier servicio o actualizaci\'f3n de Microsoft para el software, excepto en la medida que tengan t\'e9rminos diferentes.\par..\b SI USTED CUMPLE CON LOS PRESENTES T\'c9RMINOS DE ESTA LICENCIA, DISPONDR\'c1 DE LOS DERECHOS QUE SE DESCRIBEN A CONTINUACI\'d3N.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):3265
          Entropy (8bit):5.0491645049584655
          Encrypted:false
          SSDEEP:48:c5DiTlO/esS6VGhDv4tiUiyRUqzC4U+aD6N3m7xNh1NWNGbPz+9o3PWeKK9K9KfT:uDiTlxouUTiySqyIwz9sgxqvjIk8
          MD5:47F9F8D342C9C22D0C9636BC7362FA8F
          SHA1:3922D1589E284CE76AB39800E2B064F71123C1C5
          SHA-256:9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
          SHA-512:E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive | /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (633), with CRLF line terminators
          Category:dropped
          Size (bytes):15322
          Entropy (8bit):3.743290405091565
          Encrypted:false
          SSDEEP:192:X0s1IDnH5zHqQHG0Hd8Hz7HE06HA0rH3pNpbZZtHxLU7CzLG0LXFYtHJq5b0vI0Q:X0sGdLbmnoNPZtRkuJpYtnIsVEpJEg
          MD5:C798D20CD6935F46A91F16B26E4D7A2F
          SHA1:F6415ED976A9EF75ACCB417FEBD540AEF7815978
          SHA-256:1C4192698669988EF08043C0CA96D5A2DC1669B0611568AF60E2E5717E7CB888
          SHA-512:E330A1CC57F778E51F7765945FB970C4A3560AB37963F3163506CFF3E2706885E2CEE27E948E88970443DF97BFF823DD9EEE6B0BDAB1C92A0704422F59B09A93
          Malicious:false
          Reputation:unknown
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.a.l.C.o.n.d.i.t.i.o.n. .C.o.n.d.i.t.i.o.n.=.".V.e.r.s.i.o.n.N.T.6.4. .&.g.t.;.=. .v.6...0. .O.R. .(.V.e.r.s.i.o.n.N.T.6.4. .=. .v.5...2. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .1.).". .M.e.s.s.a.g.e.=.".[.W.i.x.B.u.n.d.l.e.N.a.m.e.]. .c.a.n. .o.n.l.y. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .W.i.n.d.o.w.s. .X.P. .S.P.1. .(.x.6.4.). .a.n.d. .n.e.w.e.r. .p.l.a.t.f.o.r.m.s...". ./.>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.5.-.2.0.1.9. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.6.4.). .-. .1.4...2.9...3.0.1.3.9.". .L.o.g.P.a.t.h.V.a.r.i.a.b.l.e.=.".W.i.x.B.u.n.d.l.e.L.o.g.". .C.o.m.p.r.e.s.s.e.d.=.".y.e.
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
          Category:dropped
          Size (bytes):9046
          Entropy (8bit):5.157073875669985
          Encrypted:false
          SSDEEP:192:W8lZ1UVDWkgWZTIsvPhghtQ1Qf4lCfnEtHixEGx736wHqItfSpOy2:9T15WZMgAYlOnjt5HLoL2
          MD5:2EABBB391ACB89942396DF5C1CA2BAD8
          SHA1:182A6F93703549290BCDE92920D37BC1DEC712BB
          SHA-256:E3156D170014CED8D17A02B3C4FF63237615E5C2A8983B100A78CB1F881D6F38
          SHA-512:20D656A123A220CD3CA3CCBF61CC58E924B44F1F0A74E70D6850F39CECD101A69BCE73C5ED14018456E022E85B62958F046AA4BD1398AA27303C2E86407C3899
          Malicious:false
          Reputation:unknown
          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT SOFTWARE LICENSE TERMS\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software, except to the extent those have different terms.\par..\b IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 INSTALLATION AND USE RIGHTS. \b0\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-363\
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:PNG image data, 64 x 64, 8-bit colormap, non-interlaced
          Category:dropped
          Size (bytes):1861
          Entropy (8bit):6.868587546770907
          Encrypted:false
          SSDEEP:24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
          MD5:D6BD210F227442B3362493D046CEA233
          SHA1:FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
          SHA-256:335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
          SHA-512:464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
          Malicious:false
          Reputation:unknown
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):2952
          Entropy (8bit):5.052095286906672
          Encrypted:false
          SSDEEP:48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
          MD5:FBFCBC4DACC566A3C426F43CE10907B6
          SHA1:63C45F9A771161740E100FAF710F30EED017D723
          SHA-256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
          SHA-512:063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):8332
          Entropy (8bit):5.184632608060528
          Encrypted:false
          SSDEEP:96:8L2HdQG+3VzHfz96zYFGaPSWXdhRAmImlqFQKFBiUxn7Ke5A82rkO/pWk3nswP:ZHAzZ/3
          MD5:F62729C6D2540015E072514226C121C7
          SHA1:C1E189D693F41AC2EAFCC363F7890FC0FEA6979C
          SHA-256:F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
          SHA-512:CBBFBFA7E013A2B85B78D71D32FDF65323534816978E7544CA6CEA5286A0F6E8E7E5FFC4C538200211F11B94373D5658732D5D8AA1D01F9CCFDBF20F154F1471
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig
          Process:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):195600
          Entropy (8bit):6.682530937585544
          Encrypted:false
          SSDEEP:3072:OXoiFK6b0k77I+QfaIl191rSJHvlalB+8BHkY6v53EfcUzN0m6I+WxBlnKzeZuqt:OXoQNb++gDrSJdr8BHkPh3wIgnK/IU1a
          MD5:EAB9CAF4277829ABDF6223EC1EFA0EDD
          SHA1:74862ECF349A9BEDD32699F2A7A4E00B4727543D
          SHA-256:A4EFBDB2CE55788FFE92A244CB775EFD475526EF5B61AD78DE2BCDFADDAC7041
          SHA-512:45B15ADE68E0A90EA7300AEB6DCA9BC9E347A63DBA5CE72A635957564D1BDF0B1584A5E34191916498850FC7B3B7ECFBCBFCB246B39DBF59D47F66BC825C6FD2
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):649368
          Entropy (8bit):7.2207843016075115
          Encrypted:false
          SSDEEP:12288:vnMwHskY7gjcjhVIEhqgM7bWvcsi6aVEbIyoYw8EU40vy3W/ceKSHM9iFyex9VP/:/MysZgjS1hqgSC/izwfo/8fjymk4HM6Z
          MD5:24323F69876BDA1B9909A0D0D6B981BA
          SHA1:75761D5303828E5CDEB9A3BA0BD9EBAEDB56E9B0
          SHA-256:7B1B012D525323F4E6C2E3B53E9F55BDA9D01D8761A86F03317E46D4F28AE808
          SHA-512:01ED192274BD3559DF05ADB8DE057A6D26BC77376C0FBC2D7AB8A8306620E8515CFBFFABD2289417F3513982BBF2B7ED68897C649F14848858690985C9B262C3
          Malicious:true
          Reputation:unknown
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L......Z.....................v......m.............@..........................p............@..............................................;..........p...((...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B........................................................................................................................................................
          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
          Entropy (8bit):7.998282879971225
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          File size:42'660'808 bytes
          MD5:9bae70489ffa1fd07797f8964350af30
          SHA1:274d484c8de888ba87f3232f451c888e436337b5
          SHA256:38afba1a62ee831a679ed728da8ca167b4c80a432a3ddf575c784bdd29d33975
          SHA512:fed7c1bc02fba7047a40749ccb4b490f10de960fec66ffdbae612ff32d3d45dba24eeb32fabc6b03ba8a251c0077aace51ce46494b623c8b2adafabb68758080
          SSDEEP:786432:DDXX2y7L9rwbfDRqaLpFNuLbT4U4VXpbmAlf2+oEcuQdU8N/IbwUI:DDH2y7h2dqEpFNuLbTh4lpSe++oSor1
          TLSH:F59733C6B6486E35F8F0833B4461698CBE396CA77251E5DA7218B656CF3F57340E8A0C
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...l..d.................j.........
          Icon Hash:183d47474b433d85
          Entrypoint:0x403532
          Entrypoint Section:.text
          Digitally signed:true
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Time Stamp:0x64A0DC6C [Sun Jul 2 02:09:48 2023 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:f4639a0b3116c2cfc71144b88a929cfd
          Signature Valid:false
          Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
          Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
          Error Number:-2146762495
          Not Before, Not After
          • 08/05/2024 20:43:05 15/06/2025 21:25:45
          Subject Chain
          • CN=IDMELON TECHNOLOGIES INC., O=IDMELON TECHNOLOGIES INC., L=Vancouver, S=British Columbia, C=CA, OID.1.3.6.1.4.1.311.60.2.1.2=British Columbia, OID.1.3.6.1.4.1.311.60.2.1.3=CA, SERIALNUMBER=BC1233812, OID.2.5.4.15=Private Organization
          Version:3
          Thumbprint MD5:BFF7C718161D1B0634325495D4B5FD56
          Thumbprint SHA-1:02C6A1A590289496DCA4D0C7997872B2081DF44F
          Thumbprint SHA-256:5D1F98182AB7C9B075B727E829DBB46C0C7A69ECEC32C5C9C7230713EDA617BA
          Serial:5D1D6B9CF96BC0FC88A26BE6
          Instruction
          sub esp, 000003F8h
          push ebp
          push esi
          push edi
          push 00000020h
          pop edi
          xor ebp, ebp
          push 00008001h
          mov dword ptr [esp+20h], ebp
          mov dword ptr [esp+18h], 0040A2D8h
          mov dword ptr [esp+14h], ebp
          call dword ptr [004080A4h]
          mov esi, dword ptr [004080A8h]
          lea eax, dword ptr [esp+34h]
          push eax
          mov dword ptr [esp+4Ch], ebp
          mov dword ptr [esp+0000014Ch], ebp
          mov dword ptr [esp+00000150h], ebp
          mov dword ptr [esp+38h], 0000011Ch
          call esi
          test eax, eax
          jne 00007F3A6852831Ah
          lea eax, dword ptr [esp+34h]
          mov dword ptr [esp+34h], 00000114h
          push eax
          call esi
          mov ax, word ptr [esp+48h]
          mov ecx, dword ptr [esp+62h]
          sub ax, 00000053h
          add ecx, FFFFFFD0h
          neg ax
          sbb eax, eax
          mov byte ptr [esp+0000014Eh], 00000004h
          not eax
          and eax, ecx
          mov word ptr [esp+00000148h], ax
          cmp dword ptr [esp+38h], 0Ah
          jnc 00007F3A685282E8h
          and word ptr [esp+42h], 0000h
          mov eax, dword ptr [esp+40h]
          movzx ecx, byte ptr [esp+3Ch]
          mov dword ptr [004347B8h], eax
          xor eax, eax
          mov ah, byte ptr [esp+38h]
          movzx eax, ax
          or eax, ecx
          xor ecx, ecx
          mov ch, byte ptr [esp+00000148h]
          movzx ecx, cx
          shl eax, 10h
          or eax, ecx
          movzx ecx, byte ptr [esp+0000004Eh]
          Programming Language:
          • [EXP] VC++ 6.0 SP5 build 8804
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8608 | 0xa0 | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x48000 | 0x1afd8 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x28ae1a0 | 0x1228 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x68d8 | 0x6a00 | 742185983fa6320c910f81782213e56f | False | 0.6695165094339622 | data | 6.478461709868021 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata | 0x8000 | 0x1464 | 0x1600 | a995b118b38426885fc6ccaa984c8b7a | False | 0.4314630681818182 | data | 4.969091535632612 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0xa000 | 0x2a818 | 0x600 | 9a9bf385a30f1656fc362172b16d9268 | False | 0.5247395833333334 | data | 4.172601271908501 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .ndata | 0x35000 | 0x13000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc | 0x48000 | 0x1afd8 | 0x1b000 | 626eb3cb5ec0a37aa78d99cea5be314c | False | 0.14038990162037038 | data | 3.616410153321358 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
          RT_ICON | 0x482f8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 8504 x 8504 px/m | English | United States | 0.04499881698805158
          RT_ICON | 0x58b20 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 8504 x 8504 px/m | English | United States | 0.08384506376948513
          RT_ICON | 0x5cd48 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 8504 x 8504 px/m | English | United States | 0.11784232365145228
          RT_ICON | 0x5f2f0 | 0x1c6b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9774570446735396
          RT_ICON | 0x60f60 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 8504 x 8504 px/m | English | United States | 0.16674484052532834
          RT_ICON | 0x62008 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 8504 x 8504 px/m | English | United States | 0.32092198581560283
          RT_DIALOG | 0x62470 | 0x202 | data | English | United States | 0.4085603112840467
          RT_DIALOG | 0x62678 | 0xf8 | data | English | United States | 0.6290322580645161
          RT_DIALOG | 0x62770 | 0xa0 | data | English | United States | 0.60625
          RT_DIALOG | 0x62810 | 0xee | data | English | United States | 0.6302521008403361
          RT_GROUP_ICON | 0x62900 | 0x5a | data | English | United States | 0.7777777777777778
          RT_VERSION | 0x62960 | 0x248 | data | English | United States | 0.5085616438356164
          RT_MANIFEST | 0x62ba8 | 0x42e | XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators | English | United States | 0.5130841121495328
          DLL | Import
          ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
          SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
          ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
          COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
          USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
          GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
          KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW
          Language of compilation system | Country where language is spoken | Map
          English | United States |
          No network behavior found

          Target ID:0
          Start time:00:42:20
          Start date:04/07/2024
          Path:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"
          Imagebase:0x400000
          File size:42'660'808 bytes
          MD5 hash:9BAE70489FFA1FD07797F8964350AF30
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:1
          Start time:00:42:26
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\vc\vc_redist.x64.exe
          Wow64 process (32bit):true
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" /quiet
          Imagebase:0x700000
          File size:25'226'464 bytes
          MD5 hash:35431D059197B67227CD12F841733539
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Antivirus matches:
          • Detection: 0%, ReversingLabs
          Reputation:moderate
          Has exited:true

          Target ID:2
          Start time:00:42:26
          Start date:04/07/2024
          Path:C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Temp\{479EB665-D50D-49A6-9E96-19B2966E4EBE}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files (x86)\IDmelon\FCP\vc\VC_redist.x64.exe" -burn.filehandle.attached=508 -burn.filehandle.self=684 /quiet
          Imagebase:0xb30000
          File size:649'368 bytes
          MD5 hash:24323F69876BDA1B9909A0D0D6B981BA
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:true

          Target ID:3
          Start time:00:42:27
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" install IDmelonFidoCredentialProviderService "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Antivirus matches:
          • Detection: 14%, ReversingLabs
          Reputation:low
          Has exited:true

          Target ID:4
          Start time:00:42:27
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:5
          Start time:00:42:27
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Application "C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:6
          Start time:00:42:27
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:7
          Start time:00:42:27
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppDirectory "C:\Program Files (x86)\IDmelon\FCP"
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:8
          Start time:00:42:27
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x980000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:9
          Start time:00:42:27
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdout "C:\Program Files (x86)\IDmelon\FCP\logs.log"
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:10
          Start time:00:42:27
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:11
          Start time:00:42:28
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderr "C:\Program Files (x86)\IDmelon\FCP\logs.log"
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:12
          Start time:00:42:28
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:13
          Start time:00:42:28
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Description "Handles the FIDO authentication of IDmelon credential provider."
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:14
          Start time:00:42:28
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:15
          Start time:00:42:28
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStdoutCreationDisposition 4
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:16
          Start time:00:42:28
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:17
          Start time:00:42:28
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppStderrCreationDisposition 4
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:18
          Start time:00:42:28
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:19
          Start time:00:42:29
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateFiles 1
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:20
          Start time:00:42:29
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:21
          Start time:00:42:29
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateOnline 0
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:22
          Start time:00:42:29
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:23
          Start time:00:42:29
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateSeconds 14400
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:24
          Start time:00:42:29
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:25
          Start time:00:42:29
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService AppRotateBytes 5000000
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:26
          Start time:00:42:29
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:27
          Start time:00:42:30
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" set IDmelonFidoCredentialProviderService Start SERVICE_AUTO_START
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:28
          Start time:00:42:30
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:29
          Start time:00:42:30
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" restart IDmelonFidoCredentialProviderService
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:30
          Start time:00:42:30
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:31
          Start time:00:42:30
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe"
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:false

          Target ID:32
          Start time:00:42:30
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:33
          Start time:00:42:30
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
          Imagebase:0x7ff6cfe40000
          File size:17'194'344 bytes
          MD5 hash:2B087903208E385308BF23C41F82E872
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Antivirus matches:
          • Detection: 100%, Avira
          • Detection: 5%, ReversingLabs
          Has exited:true

          Target ID:34
          Start time:00:42:30
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:35
          Start time:00:42:32
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" status IDmelonFidoCredentialProviderService
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:36
          Start time:00:42:32
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:37
          Start time:00:42:32
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\nssm.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\nssm.exe" start IDmelonFidoCredentialProviderService
          Imagebase:0x140000000
          File size:373'288 bytes
          MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:38
          Start time:00:42:32
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:39
          Start time:00:42:32
          Start date:04/07/2024
          Path:C:\Windows\SysWOW64\cacls.exe
          Wow64 process (32bit):true
          Commandline:CACLS "C:\Program Files (x86)\IDmelon\FCP\cashedData.xml" /e /p Everyone:f
          Imagebase:0x3a0000
          File size:27'648 bytes
          MD5 hash:00BAAE10C69DAD58F169A3ED638D6C59
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:40
          Start time:00:42:32
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:41
          Start time:00:42:32
          Start date:04/07/2024
          Path:C:\Windows\SysWOW64\cacls.exe
          Wow64 process (32bit):true
          Commandline:CACLS "C:\Program Files (x86)\IDmelon\FCP\service_log.lo" /e /p Everyone:f
          Imagebase:0x3a0000
          File size:27'648 bytes
          MD5 hash:00BAAE10C69DAD58F169A3ED638D6C59
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:42
          Start time:00:42:32
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
          Imagebase:0x7ff6cfe40000
          File size:17'194'344 bytes
          MD5 hash:2B087903208E385308BF23C41F82E872
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:43
          Start time:00:42:32
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:44
          Start time:00:42:33
          Start date:04/07/2024
          Path:C:\Windows\SysWOW64\icacls.exe
          Wow64 process (32bit):true
          Commandline:icacls "C:\Program Files (x86)\IDmelon\FCP" /inheritance:d
          Imagebase:0x6e0000
          File size:29'696 bytes
          MD5 hash:2E49585E4E08565F52090B144062F97E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:45
          Start time:00:42:33
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:46
          Start time:00:42:33
          Start date:04/07/2024
          Path:C:\Windows\SysWOW64\icacls.exe
          Wow64 process (32bit):true
          Commandline:icacls "C:\Program Files (x86)\IDmelon\FCP" /grant:r everyone:(OI)(CI)(F) /T
          Imagebase:0x6e0000
          File size:29'696 bytes
          MD5 hash:2E49585E4E08565F52090B144062F97E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:47
          Start time:00:42:33
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:48
          Start time:00:42:33
          Start date:04/07/2024
          Path:C:\Windows\SysWOW64\netsh.exe
          Wow64 process (32bit):true
          Commandline:netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
          Imagebase:0x1560000
          File size:82'432 bytes
          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:49
          Start time:00:42:33
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:50
          Start time:00:42:34
          Start date:04/07/2024
          Path:C:\Windows\SysWOW64\netsh.exe
          Wow64 process (32bit):true
          Commandline:netsh.exe advfirewall firewall add rule "IDmelon FCP" dir=out program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
          Imagebase:0x1560000
          File size:82'432 bytes
          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:51
          Start time:00:42:34
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:52
          Start time:00:42:34
          Start date:04/07/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c "ver"
          Imagebase:0x7ff6707a0000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:53
          Start time:00:42:34
          Start date:04/07/2024
          Path:C:\Windows\SysWOW64\netsh.exe
          Wow64 process (32bit):true
          Commandline:netsh.exe advfirewall firewall add rule IDmelonFidoCredentialProviderService dir=in program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
          Imagebase:0x1560000
          File size:82'432 bytes
          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:54
          Start time:00:42:34
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:55
          Start time:00:42:35
          Start date:04/07/2024
          Path:C:\Windows\SysWOW64\netsh.exe
          Wow64 process (32bit):true
          Commandline:netsh.exe advfirewall firewall add rule IDmelonFidoCredentialProviderService dir=out program="C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe" profile=any action=allow protocol=any enable=yes
          Imagebase:0x1560000
          File size:82'432 bytes
          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:56
          Start time:00:42:35
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:58
          Start time:00:42:37
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:59
          Start time:00:42:37
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
          Imagebase:0x7ff6cfe40000
          File size:17'194'344 bytes
          MD5 hash:2B087903208E385308BF23C41F82E872
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:false

          Target ID:60
          Start time:00:42:37
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:false

          Target ID:61
          Start time:00:42:40
          Start date:04/07/2024
          Path:C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\IDmelon\FCP\IDmelonCredentialProviderFidoAgent.exe"
          Imagebase:0x7ff6cfe40000
          File size:17'194'344 bytes
          MD5 hash:2B087903208E385308BF23C41F82E872
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:false

          Target ID:62
          Start time:00:42:41
          Start date:04/07/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\cmd.exe /c "ver"
          Imagebase:0x7ff6707a0000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:63
          Start time:00:42:42
          Start date:04/07/2024
          Path:C:\Program Files\Windows Defender\MpCmdRun.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
          Imagebase:0x7ff6b9e70000
          File size:468'120 bytes
          MD5 hash:B3676839B2EE96983F9ED735CD044159
          Has elevated privileges:true
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:64
          Start time:00:42:42
          Start date:04/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:true

          Target ID:65
          Start time:00:43:04
          Start date:04/07/2024
          Path:C:\Windows\System32\svchost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
          Imagebase:0x7ff6eef20000
          File size:55'320 bytes
          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
          Has elevated privileges:true
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Has exited:false


            Execution Graph

            Execution Coverage:27.9%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:16.5%
            Total number of Nodes:1346
            Total number of Limit Nodes:45
3714->3715 3716 404522 SendMessageW 3715->3716 3716->3667 3718 406594 21 API calls 3717->3718 3719 4044e1 SetDlgItemTextW 3718->3719 3719->3693 3720->3697 3721->3702 3722->3704 3724 4044b6 3723->3724 3725 4044bc SendMessageW 3723->3725 3724->3725 3725->3665 3727 404555 GetWindowLongW 3726->3727 3737 404600 3726->3737 3728 40456a 3727->3728 3727->3737 3729 404597 GetSysColor 3728->3729 3730 40459a 3728->3730 3728->3737 3729->3730 3731 4045a0 SetTextColor 3730->3731 3732 4045aa SetBkMode 3730->3732 3731->3732 3733 4045c2 GetSysColor 3732->3733 3734 4045c8 3732->3734 3733->3734 3735 4045d9 3734->3735 3736 4045cf SetBkColor 3734->3736 3735->3737 3738 4045f3 CreateBrushIndirect 3735->3738 3739 4045ec DeleteObject 3735->3739 3736->3735 3737->3663 3738->3737 3739->3738 4046 4014d7 4047 402d89 21 API calls 4046->4047 4048 4014dd Sleep 4047->4048 4050 402c2f 4048->4050 4051 40195b 4052 402dab 21 API calls 4051->4052 4053 401962 lstrlenW 4052->4053 4054 40263d 4053->4054 3799 4020dd 3800 4021a1 3799->3800 3801 4020ef 3799->3801 3803 401423 28 API calls 3800->3803 3802 402dab 21 API calls 3801->3802 3804 4020f6 3802->3804 3810 4022fb 3803->3810 3805 402dab 21 API calls 3804->3805 3806 4020ff 3805->3806 3807 402115 LoadLibraryExW 3806->3807 3808 402107 GetModuleHandleW 3806->3808 3807->3800 3809 402126 3807->3809 3808->3807 3808->3809 3819 4069ba 3809->3819 3813 402170 3815 4055dc 28 API calls 3813->3815 3814 402137 3816 401423 28 API calls 3814->3816 3817 402147 3814->3817 3815->3817 3816->3817 3817->3810 3818 402193 FreeLibrary 3817->3818 3818->3810 3824 406579 WideCharToMultiByte 3819->3824 3821 4069d7 3822 402131 3821->3822 3823 4069de GetProcAddress 3821->3823 3822->3813 3822->3814 3823->3822 3824->3821 4055 402b5e 4056 402bb0 4055->4056 4057 402b65 4055->4057 4058 40694b 5 API calls 4056->4058 4060 402d89 21 API calls 4057->4060 4063 402bae 4057->4063 4059 402bb7 4058->4059 4061 402dab 21 API calls 4059->4061 4062 402b73 4060->4062 4064 402bc0 4061->4064 4065 402d89 21 
API calls 4062->4065 4064->4063 4066 402bc4 IIDFromString 4064->4066 4069 402b7f 4065->4069 4066->4063 4067 402bd3 4066->4067 4067->4063 4073 406557 lstrcpynW 4067->4073 4072 40649e wsprintfW 4069->4072 4070 402bf0 CoTaskMemFree 4070->4063 4072->4063 4073->4070 3013 401761 3019 402dab 3013->3019 3017 40176f 3018 406076 2 API calls 3017->3018 3018->3017 3020 402db7 3019->3020 3021 406594 21 API calls 3020->3021 3023 402dd8 3021->3023 3022 401768 3025 406076 3022->3025 3023->3022 3024 406805 5 API calls 3023->3024 3024->3022 3026 406083 GetTickCount GetTempFileNameW 3025->3026 3027 4060bd 3026->3027 3028 4060b9 3026->3028 3027->3017 3028->3026 3028->3027 4074 401d62 4075 402d89 21 API calls 4074->4075 4076 401d73 SetWindowLongW 4075->4076 4077 402c2f 4076->4077 3029 401ee3 3037 402d89 3029->3037 3031 401ee9 3032 402d89 21 API calls 3031->3032 3033 401ef5 3032->3033 3034 401f01 ShowWindow 3033->3034 3035 401f0c EnableWindow 3033->3035 3036 402c2f 3034->3036 3035->3036 3038 406594 21 API calls 3037->3038 3039 402d9e 3038->3039 3039->3031 4078 4028e3 4079 4028eb 4078->4079 4080 4028ef FindNextFileW 4079->4080 4082 402901 4079->4082 4081 402948 4080->4081 4080->4082 4084 406557 lstrcpynW 4081->4084 4084->4082 4085 403be7 4086 403bf2 4085->4086 4087 403bf6 4086->4087 4088 403bf9 GlobalAlloc 4086->4088 4088->4087 4089 401568 4090 402ba9 4089->4090 4093 40649e wsprintfW 4090->4093 4092 402bae 4093->4092 4094 40196d 4095 402d89 21 API calls 4094->4095 4096 401974 4095->4096 4097 402d89 21 API calls 4096->4097 4098 401981 4097->4098 4099 402dab 21 API calls 4098->4099 4100 401998 lstrlenW 4099->4100 4102 4019a9 4100->4102 4101 4019ea 4102->4101 4106 406557 lstrcpynW 4102->4106 4104 4019da 4104->4101 4105 4019df lstrlenW 4104->4105 4105->4101 4106->4104 4107 40166f 4108 402dab 21 API calls 4107->4108 4109 401675 4108->4109 4110 4068b4 2 API calls 4109->4110 4111 40167b 4110->4111 4112 402af0 4113 402d89 21 API calls 4112->4113 4114 402af6 4113->4114 4115 406594 21 API calls 
4114->4115 4116 402933 4114->4116 4115->4116 4117 4026f1 4118 402d89 21 API calls 4117->4118 4119 402700 4118->4119 4120 40274a ReadFile 4119->4120 4121 4060ca ReadFile 4119->4121 4122 40278a MultiByteToWideChar 4119->4122 4123 40283f 4119->4123 4124 406128 5 API calls 4119->4124 4126 4027b0 SetFilePointer MultiByteToWideChar 4119->4126 4127 402850 4119->4127 4129 40283d 4119->4129 4120->4119 4120->4129 4121->4119 4122->4119 4130 40649e wsprintfW 4123->4130 4124->4119 4126->4119 4128 402871 SetFilePointer 4127->4128 4127->4129 4128->4129 4130->4129 3575 401774 3576 402dab 21 API calls 3575->3576 3577 40177b 3576->3577 3578 4017a3 3577->3578 3579 40179b 3577->3579 3615 406557 lstrcpynW 3578->3615 3614 406557 lstrcpynW 3579->3614 3582 4017a1 3586 406805 5 API calls 3582->3586 3583 4017ae 3584 405e26 3 API calls 3583->3584 3585 4017b4 lstrcatW 3584->3585 3585->3582 3596 4017c0 3586->3596 3587 4068b4 2 API calls 3587->3596 3588 406022 2 API calls 3588->3596 3590 4017d2 CompareFileTime 3590->3596 3591 401892 3592 4055dc 28 API calls 3591->3592 3594 40189c 3592->3594 3593 4055dc 28 API calls 3595 40187e 3593->3595 3597 4032b9 35 API calls 3594->3597 3596->3587 3596->3588 3596->3590 3596->3591 3600 406594 21 API calls 3596->3600 3605 406557 lstrcpynW 3596->3605 3610 405bb7 MessageBoxIndirectW 3596->3610 3611 401869 3596->3611 3613 406047 GetFileAttributesW CreateFileW 3596->3613 3598 4018af 3597->3598 3599 4018c3 SetFileTime 3598->3599 3601 4018d5 FindCloseChangeNotification 3598->3601 3599->3601 3600->3596 3601->3595 3602 4018e6 3601->3602 3603 4018eb 3602->3603 3604 4018fe 3602->3604 3606 406594 21 API calls 3603->3606 3607 406594 21 API calls 3604->3607 3605->3596 3608 4018f3 lstrcatW 3606->3608 3609 401906 3607->3609 3608->3609 3612 405bb7 MessageBoxIndirectW 3609->3612 3610->3596 3611->3593 3611->3595 3612->3595 3613->3596 3614->3582 3615->3583 4131 4014f5 SetForegroundWindow 4132 402c2f 4131->4132 4133 401a77 4134 402d89 21 API calls 4133->4134 4135 401a80 
4134->4135 4136 402d89 21 API calls 4135->4136 4137 401a25 4136->4137 4138 401578 4139 401591 4138->4139 4140 401588 ShowWindow 4138->4140 4141 402c2f 4139->4141 4142 40159f ShowWindow 4139->4142 4140->4139 4142->4141 4143 4023f9 4144 402dab 21 API calls 4143->4144 4145 402408 4144->4145 4146 402dab 21 API calls 4145->4146 4147 402411 4146->4147 4148 402dab 21 API calls 4147->4148 4149 40241b GetPrivateProfileStringW 4148->4149 4150 401ffb 4151 402dab 21 API calls 4150->4151 4152 402002 4151->4152 4153 4068b4 2 API calls 4152->4153 4154 402008 4153->4154 4156 402019 4154->4156 4157 40649e wsprintfW 4154->4157 4157->4156 4158 401b7c 4159 402dab 21 API calls 4158->4159 4160 401b83 4159->4160 4161 402d89 21 API calls 4160->4161 4162 401b8c wsprintfW 4161->4162 4163 402c2f 4162->4163 4164 401000 4165 401037 BeginPaint GetClientRect 4164->4165 4166 40100c DefWindowProcW 4164->4166 4168 4010f3 4165->4168 4171 401179 4166->4171 4169 401073 CreateBrushIndirect FillRect DeleteObject 4168->4169 4170 4010fc 4168->4170 4169->4168 4172 401102 CreateFontIndirectW 4170->4172 4173 401167 EndPaint 4170->4173 4172->4173 4174 401112 6 API calls 4172->4174 4173->4171 4174->4173 4175 404980 4176 404990 4175->4176 4177 4049b6 4175->4177 4178 4044d6 22 API calls 4176->4178 4179 40453d 8 API calls 4177->4179 4181 40499d SetDlgItemTextW 4178->4181 4180 4049c2 4179->4180 4181->4177 4182 401680 4183 402dab 21 API calls 4182->4183 4184 401687 4183->4184 4185 402dab 21 API calls 4184->4185 4186 401690 4185->4186 4187 402dab 21 API calls 4186->4187 4188 401699 MoveFileW 4187->4188 4189 4016ac 4188->4189 4195 4016a5 4188->4195 4191 4068b4 2 API calls 4189->4191 4192 4022fb 4189->4192 4190 401423 28 API calls 4190->4192 4193 4016bb 4191->4193 4193->4192 4194 406317 40 API calls 4193->4194 4194->4195 4195->4190 4196 401503 4197 401508 4196->4197 4199 401520 4196->4199 4198 402d89 21 API calls 4197->4198 4198->4199 4200 401a04 4201 402dab 21 API calls 4200->4201 4202 401a0b 4201->4202 4203 402dab 
21 API calls 4202->4203 4204 401a14 4203->4204 4205 401a1b lstrcmpiW 4204->4205 4206 401a2d lstrcmpW 4204->4206 4207 401a21 4205->4207 4206->4207 4208 402304 4209 402dab 21 API calls 4208->4209 4210 40230a 4209->4210 4211 402dab 21 API calls 4210->4211 4212 402313 4211->4212 4213 402dab 21 API calls 4212->4213 4214 40231c 4213->4214 4215 4068b4 2 API calls 4214->4215 4216 402325 4215->4216 4217 402336 lstrlenW lstrlenW 4216->4217 4218 402329 4216->4218 4220 4055dc 28 API calls 4217->4220 4219 4055dc 28 API calls 4218->4219 4222 402331 4218->4222 4219->4222 4221 402374 SHFileOperationW 4220->4221 4221->4218 4221->4222 4223 401d86 4224 401d99 GetDlgItem 4223->4224 4225 401d8c 4223->4225 4227 401d93 4224->4227 4226 402d89 21 API calls 4225->4226 4226->4227 4228 401dda GetClientRect LoadImageW SendMessageW 4227->4228 4229 402dab 21 API calls 4227->4229 4231 401e38 4228->4231 4233 401e44 4228->4233 4229->4228 4232 401e3d DeleteObject 4231->4232 4231->4233 4232->4233 4234 402388 4235 40238f 4234->4235 4238 4023a2 4234->4238 4236 406594 21 API calls 4235->4236 4237 40239c 4236->4237 4239 405bb7 MessageBoxIndirectW 4237->4239 4239->4238 3259 402c0a SendMessageW 3260 402c24 InvalidateRect 3259->3260 3261 402c2f 3259->3261 3260->3261 4240 40460c lstrcpynW lstrlenW 3273 40248f 3274 402dab 21 API calls 3273->3274 3275 4024a1 3274->3275 3276 402dab 21 API calls 3275->3276 3277 4024ab 3276->3277 3290 402e3b 3277->3290 3280 402dab 21 API calls 3284 4024d9 lstrlenW 3280->3284 3281 4024e3 3282 4024ef 3281->3282 3285 402d89 21 API calls 3281->3285 3283 40250e RegSetValueExW 3282->3283 3294 4032b9 3282->3294 3287 402524 RegCloseKey 3283->3287 3284->3281 3285->3282 3289 402933 3287->3289 3291 402e56 3290->3291 3314 4063f2 3291->3314 3296 4032d2 3294->3296 3295 403300 3318 4034d4 3295->3318 3296->3295 3321 4034ea SetFilePointer 3296->3321 3300 40346d 3302 4034af 3300->3302 3307 403471 3300->3307 3301 40331d GetTickCount 3303 403457 3301->3303 3310 40336c 3301->3310 3304 4034d4 ReadFile 
3302->3304 3303->3283 3304->3303 3305 4034d4 ReadFile 3305->3310 3306 4034d4 ReadFile 3306->3307 3307->3303 3307->3306 3308 4060f9 WriteFile 3307->3308 3308->3307 3309 4033c2 GetTickCount 3309->3310 3310->3303 3310->3305 3310->3309 3311 4033e7 MulDiv wsprintfW 3310->3311 3313 4060f9 WriteFile 3310->3313 3312 4055dc 28 API calls 3311->3312 3312->3310 3313->3310 3315 406401 3314->3315 3316 4024bb 3315->3316 3317 40640c RegCreateKeyExW 3315->3317 3316->3280 3316->3281 3316->3289 3317->3316 3319 4060ca ReadFile 3318->3319 3320 40330b 3319->3320 3320->3300 3320->3301 3320->3303 3321->3295 4241 402910 4242 402dab 21 API calls 4241->4242 4243 402917 FindFirstFileW 4242->4243 4244 40293f 4243->4244 4248 40292a 4243->4248 4249 40649e wsprintfW 4244->4249 4246 402948 4250 406557 lstrcpynW 4246->4250 4249->4246 4250->4248 4251 401911 4252 401948 4251->4252 4253 402dab 21 API calls 4252->4253 4254 40194d 4253->4254 4255 405c63 71 API calls 4254->4255 4256 401956 4255->4256 4257 401491 4258 4055dc 28 API calls 4257->4258 4259 401498 4258->4259 4260 401914 4261 402dab 21 API calls 4260->4261 4262 40191b 4261->4262 4263 405bb7 MessageBoxIndirectW 4262->4263 4264 401924 4263->4264 4265 404695 4267 4047c7 4265->4267 4268 4046ad 4265->4268 4266 404831 4269 4048fb 4266->4269 4270 40483b GetDlgItem 4266->4270 4267->4266 4267->4269 4274 404802 GetDlgItem SendMessageW 4267->4274 4271 4044d6 22 API calls 4268->4271 4276 40453d 8 API calls 4269->4276 4272 404855 4270->4272 4273 4048bc 4270->4273 4275 404714 4271->4275 4272->4273 4277 40487b SendMessageW LoadCursorW SetCursor 4272->4277 4273->4269 4278 4048ce 4273->4278 4298 4044f8 KiUserCallbackDispatcher 4274->4298 4280 4044d6 22 API calls 4275->4280 4287 4048f6 4276->4287 4299 404944 4277->4299 4282 4048e4 4278->4282 4283 4048d4 SendMessageW 4278->4283 4285 404721 CheckDlgButton 4280->4285 4282->4287 4288 4048ea SendMessageW 4282->4288 4283->4282 4284 40482c 4289 404920 SendMessageW 4284->4289 4296 4044f8 KiUserCallbackDispatcher 
4285->4296 4288->4287 4289->4266 4291 40473f GetDlgItem 4297 40450b SendMessageW 4291->4297 4293 404755 SendMessageW 4294 404772 GetSysColor 4293->4294 4295 40477b SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4293->4295 4294->4295 4295->4287 4296->4291 4297->4293 4298->4284 4302 405b7d ShellExecuteExW 4299->4302 4301 4048aa LoadCursorW SetCursor 4301->4273 4302->4301 4303 402896 4304 40289d 4303->4304 4306 402bae 4303->4306 4305 402d89 21 API calls 4304->4305 4307 4028a4 4305->4307 4308 4028b3 SetFilePointer 4307->4308 4308->4306 4309 4028c3 4308->4309 4311 40649e wsprintfW 4309->4311 4311->4306 4312 401f17 4313 402dab 21 API calls 4312->4313 4314 401f1d 4313->4314 4315 402dab 21 API calls 4314->4315 4316 401f26 4315->4316 4317 402dab 21 API calls 4316->4317 4318 401f2f 4317->4318 4319 402dab 21 API calls 4318->4319 4320 401f38 4319->4320 4321 401423 28 API calls 4320->4321 4322 401f3f 4321->4322 4329 405b7d ShellExecuteExW 4322->4329 4324 401f87 4325 4069f6 5 API calls 4324->4325 4327 402933 4324->4327 4326 401fa4 FindCloseChangeNotification 4325->4326 4326->4327 4329->4324 4330 402f98 4331 402fc3 4330->4331 4332 402faa SetTimer 4330->4332 4333 403018 4331->4333 4334 402fdd MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4331->4334 4332->4331 4334->4333 3750 40571b 3751 4058c5 3750->3751 3752 40573c GetDlgItem GetDlgItem GetDlgItem 3750->3752 3754 4058f6 3751->3754 3755 4058ce GetDlgItem CreateThread FindCloseChangeNotification 3751->3755 3795 40450b SendMessageW 3752->3795 3757 405921 3754->3757 3759 405946 3754->3759 3760 40590d ShowWindow ShowWindow 3754->3760 3755->3754 3798 4056af 5 API calls 3755->3798 3756 4057ac 3765 4057b3 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3756->3765 3758 405981 3757->3758 3762 405935 3757->3762 3763 40595b ShowWindow 3757->3763 3758->3759 3772 40598f SendMessageW 3758->3772 3764 40453d 8 API calls 3759->3764 3797 40450b SendMessageW 3760->3797 3766 4044af SendMessageW 3762->3766 3768 40597b 
3763->3768 3769 40596d 3763->3769 3767 405954 3764->3767 3770 405821 3765->3770 3771 405805 SendMessageW SendMessageW 3765->3771 3766->3759 3777 4044af SendMessageW 3768->3777 3776 4055dc 28 API calls 3769->3776 3773 405834 3770->3773 3774 405826 SendMessageW 3770->3774 3771->3770 3772->3767 3775 4059a8 CreatePopupMenu 3772->3775 3779 4044d6 22 API calls 3773->3779 3774->3773 3778 406594 21 API calls 3775->3778 3776->3768 3777->3758 3780 4059b8 AppendMenuW 3778->3780 3781 405844 3779->3781 3782 4059d5 GetWindowRect 3780->3782 3783 4059e8 TrackPopupMenu 3780->3783 3784 405881 GetDlgItem SendMessageW 3781->3784 3785 40584d ShowWindow 3781->3785 3782->3783 3783->3767 3786 405a03 3783->3786 3784->3767 3789 4058a8 SendMessageW SendMessageW 3784->3789 3787 405870 3785->3787 3788 405863 ShowWindow 3785->3788 3790 405a1f SendMessageW 3786->3790 3796 40450b SendMessageW 3787->3796 3788->3787 3789->3767 3790->3790 3791 405a3c OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3790->3791 3793 405a61 SendMessageW 3791->3793 3793->3793 3794 405a8a GlobalUnlock SetClipboardData CloseClipboard 3793->3794 3794->3767 3795->3756 3796->3784 3797->3757 4335 401d1c 4336 402d89 21 API calls 4335->4336 4337 401d22 IsWindow 4336->4337 4338 401a25 4337->4338 4339 404d1d 4340 404d49 4339->4340 4341 404d2d 4339->4341 4342 404d7c 4340->4342 4343 404d4f SHGetPathFromIDListW 4340->4343 4350 405b9b GetDlgItemTextW 4341->4350 4345 404d5f 4343->4345 4349 404d66 SendMessageW 4343->4349 4347 40140b 2 API calls 4345->4347 4346 404d3a SendMessageW 4346->4340 4347->4349 4349->4342 4350->4346 4351 40149e 4352 4014ac PostQuitMessage 4351->4352 4353 4023a2 4351->4353 4352->4353 2935 401ba0 2936 401bf1 2935->2936 2937 401bad 2935->2937 2938 401bf6 2936->2938 2939 401c1b GlobalAlloc 2936->2939 2943 401c36 2937->2943 2946 401bc4 2937->2946 2945 4023a2 2938->2945 2973 406557 lstrcpynW 2938->2973 2954 406594 2939->2954 2941 406594 21 API calls 2944 40239c 2941->2944 2943->2941 2943->2945 2974 405bb7 
2944->2974 2971 406557 lstrcpynW 2946->2971 2947 401c08 GlobalFree 2947->2945 2949 401bd3 2972 406557 lstrcpynW 2949->2972 2952 401be2 2978 406557 lstrcpynW 2952->2978 2969 40659f 2954->2969 2955 4067e6 2956 4067ff 2955->2956 3001 406557 lstrcpynW 2955->3001 2956->2943 2958 4067b7 lstrlenW 2958->2969 2959 4066b0 GetSystemDirectoryW 2959->2969 2960 406594 15 API calls 2960->2958 2964 4066c6 GetWindowsDirectoryW 2964->2969 2965 406594 15 API calls 2965->2969 2966 406758 lstrcatW 2966->2969 2969->2955 2969->2958 2969->2959 2969->2960 2969->2964 2969->2965 2969->2966 2970 406728 SHGetPathFromIDListW CoTaskMemFree 2969->2970 2979 406425 2969->2979 2984 40694b GetModuleHandleA 2969->2984 2990 406805 2969->2990 2999 40649e wsprintfW 2969->2999 3000 406557 lstrcpynW 2969->3000 2970->2969 2971->2949 2972->2952 2973->2947 2975 405bcc 2974->2975 2976 405c18 2975->2976 2977 405be0 MessageBoxIndirectW 2975->2977 2976->2945 2977->2976 2978->2945 3002 4063c4 2979->3002 2982 406489 2982->2969 2983 406459 RegQueryValueExW RegCloseKey 2983->2982 2985 406971 GetProcAddress 2984->2985 2986 406967 2984->2986 2987 406980 2985->2987 3006 4068db GetSystemDirectoryW 2986->3006 2987->2969 2989 40696d 2989->2985 2989->2987 2996 406812 2990->2996 2991 40688d CharPrevW 2992 406888 2991->2992 2992->2991 2994 4068ae 2992->2994 2993 40687b CharNextW 2993->2992 2993->2996 2994->2969 2996->2992 2996->2993 2997 406867 CharNextW 2996->2997 2998 406876 CharNextW 2996->2998 3009 405e53 2996->3009 2997->2996 2998->2993 2999->2969 3000->2969 3001->2956 3003 4063d3 3002->3003 3004 4063d7 3003->3004 3005 4063dc RegOpenKeyExW 3003->3005 3004->2982 3004->2983 3005->3004 3007 4068fd wsprintfW LoadLibraryExW 3006->3007 3007->2989 3010 405e59 3009->3010 3011 405e6f 3010->3011 3012 405e60 CharNextW 3010->3012 3011->2996 3012->3010 4354 402621 4355 402dab 21 API calls 4354->4355 4356 402628 4355->4356 4359 406047 GetFileAttributesW CreateFileW 4356->4359 4358 402634 4359->4358 4360 4025a3 4361 402deb 21 API calls 
4360->4361 4362 4025ad 4361->4362 4363 402d89 21 API calls 4362->4363 4364 4025b6 4363->4364 4365 402933 4364->4365 4366 4025d2 RegEnumKeyW 4364->4366 4367 4025de RegEnumValueW 4364->4367 4368 4025f3 RegCloseKey 4366->4368 4367->4368 4368->4365 4370 4015a8 4371 402dab 21 API calls 4370->4371 4372 4015af SetFileAttributesW 4371->4372 4373 4015c1 4372->4373 3233 401fa9 3234 402dab 21 API calls 3233->3234 3235 401faf 3234->3235 3236 4055dc 28 API calls 3235->3236 3237 401fb9 3236->3237 3246 405b3a CreateProcessW 3237->3246 3240 402933 3243 401fd4 3244 401fe2 FindCloseChangeNotification 3243->3244 3254 40649e wsprintfW 3243->3254 3244->3240 3247 401fbf 3246->3247 3248 405b6d CloseHandle 3246->3248 3247->3240 3247->3244 3249 4069f6 WaitForSingleObject 3247->3249 3248->3247 3250 406a10 3249->3250 3251 406a22 GetExitCodeProcess 3250->3251 3255 406987 3250->3255 3251->3243 3254->3244 3256 4069a4 PeekMessageW 3255->3256 3257 4069b4 WaitForSingleObject 3256->3257 3258 40699a DispatchMessageW 3256->3258 3257->3250 3258->3256 3322 40252f 3333 402deb 3322->3333 3325 402dab 21 API calls 3326 402542 3325->3326 3327 40254d RegQueryValueExW 3326->3327 3332 402933 3326->3332 3328 402573 RegCloseKey 3327->3328 3329 40256d 3327->3329 3328->3332 3329->3328 3338 40649e wsprintfW 3329->3338 3334 402dab 21 API calls 3333->3334 3335 402e02 3334->3335 3336 4063c4 RegOpenKeyExW 3335->3336 3337 402539 3336->3337 3337->3325 3338->3328 4374 40202f 4375 402dab 21 API calls 4374->4375 4376 402036 4375->4376 4377 40694b 5 API calls 4376->4377 4378 402045 4377->4378 4379 402061 GlobalAlloc 4378->4379 4382 4020d1 4378->4382 4380 402075 4379->4380 4379->4382 4381 40694b 5 API calls 4380->4381 4383 40207c 4381->4383 4384 40694b 5 API calls 4383->4384 4385 402086 4384->4385 4385->4382 4389 40649e wsprintfW 4385->4389 4387 4020bf 4390 40649e wsprintfW 4387->4390 4389->4387 4390->4382 4391 4021af 4392 402dab 21 API calls 4391->4392 4393 4021b6 4392->4393 4394 402dab 21 API calls 4393->4394 4395 4021c0 
4394->4395 4396 402dab 21 API calls 4395->4396 4397 4021ca 4396->4397 4398 402dab 21 API calls 4397->4398 4399 4021d4 4398->4399 4400 402dab 21 API calls 4399->4400 4401 4021de 4400->4401 4402 40221d CoCreateInstance 4401->4402 4403 402dab 21 API calls 4401->4403 4404 40223c 4402->4404 4403->4402 4405 401423 28 API calls 4404->4405 4406 4022fb 4404->4406 4405->4406 3339 403532 SetErrorMode GetVersionExW 3340 403586 GetVersionExW 3339->3340 3341 4035be 3339->3341 3340->3341 3342 403615 3341->3342 3343 40694b 5 API calls 3341->3343 3344 4068db 3 API calls 3342->3344 3343->3342 3345 40362b lstrlenA 3344->3345 3345->3342 3346 40363b 3345->3346 3347 40694b 5 API calls 3346->3347 3348 403642 3347->3348 3349 40694b 5 API calls 3348->3349 3350 403649 3349->3350 3351 40694b 5 API calls 3350->3351 3355 403655 #17 OleInitialize SHGetFileInfoW 3351->3355 3354 4036a4 GetCommandLineW 3428 406557 lstrcpynW 3354->3428 3427 406557 lstrcpynW 3355->3427 3357 4036b6 3358 405e53 CharNextW 3357->3358 3359 4036dc CharNextW 3358->3359 3367 4036ee 3359->3367 3360 4037f0 3361 403804 GetTempPathW 3360->3361 3429 403501 3361->3429 3363 40381c 3364 403820 GetWindowsDirectoryW lstrcatW 3363->3364 3365 403876 DeleteFileW 3363->3365 3368 403501 12 API calls 3364->3368 3439 403082 GetTickCount GetModuleFileNameW 3365->3439 3366 405e53 CharNextW 3366->3367 3367->3360 3367->3366 3373 4037f2 3367->3373 3370 40383c 3368->3370 3370->3365 3372 403840 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3370->3372 3371 40388a 3374 403a7d ExitProcess OleUninitialize 3371->3374 3378 403931 3371->3378 3382 405e53 CharNextW 3371->3382 3375 403501 12 API calls 3372->3375 3523 406557 lstrcpynW 3373->3523 3376 403ab3 3374->3376 3377 403a8f 3374->3377 3380 40386e 3375->3380 3383 403b37 ExitProcess 3376->3383 3384 403abb GetCurrentProcess OpenProcessToken 3376->3384 3381 405bb7 MessageBoxIndirectW 3377->3381 3467 403c29 3378->3467 3380->3365 3380->3374 3390 403a9d ExitProcess 3381->3390 3395 
4038a9 3382->3395 3386 403ad3 LookupPrivilegeValueW AdjustTokenPrivileges 3384->3386 3387 403b07 3384->3387 3386->3387 3391 40694b 5 API calls 3387->3391 3388 403941 3388->3374 3392 403b0e 3391->3392 3397 403b23 ExitWindowsEx 3392->3397 3400 403b30 3392->3400 3393 403907 3398 405f2e 18 API calls 3393->3398 3394 40394a 3396 405b22 5 API calls 3394->3396 3395->3393 3395->3394 3399 40394f lstrlenW 3396->3399 3397->3383 3397->3400 3401 403913 3398->3401 3526 406557 lstrcpynW 3399->3526 3528 40140b 3400->3528 3401->3374 3524 406557 lstrcpynW 3401->3524 3404 403969 3406 403981 3404->3406 3527 406557 lstrcpynW 3404->3527 3410 4039a7 wsprintfW 3406->3410 3424 4039d3 3406->3424 3407 403926 3525 406557 lstrcpynW 3407->3525 3411 406594 21 API calls 3410->3411 3411->3406 3412 405b05 2 API calls 3412->3424 3413 405aab 2 API calls 3413->3424 3414 4039e3 GetFileAttributesW 3416 4039ef DeleteFileW 3414->3416 3414->3424 3415 403a1d SetCurrentDirectoryW 3417 406317 40 API calls 3415->3417 3416->3424 3419 403a2c CopyFileW 3417->3419 3418 403a1b 3418->3374 3419->3418 3419->3424 3420 405c63 71 API calls 3420->3424 3421 406317 40 API calls 3421->3424 3422 406594 21 API calls 3422->3424 3423 405b3a 2 API calls 3423->3424 3424->3406 3424->3410 3424->3412 3424->3413 3424->3414 3424->3415 3424->3418 3424->3420 3424->3421 3424->3422 3424->3423 3425 403aa5 CloseHandle 3424->3425 3426 4068b4 2 API calls 3424->3426 3425->3418 3426->3424 3427->3354 3428->3357 3430 406805 5 API calls 3429->3430 3432 40350d 3430->3432 3431 403517 3431->3363 3432->3431 3433 405e26 3 API calls 3432->3433 3434 40351f 3433->3434 3435 405b05 2 API calls 3434->3435 3436 403525 3435->3436 3437 406076 2 API calls 3436->3437 3438 403530 3437->3438 3438->3363 3531 406047 GetFileAttributesW CreateFileW 3439->3531 3441 4030c2 3461 4030d2 3441->3461 3532 406557 lstrcpynW 3441->3532 3443 4030e8 3444 405e72 2 API calls 3443->3444 3445 4030ee 3444->3445 3533 406557 lstrcpynW 3445->3533 3447 4030f9 GetFileSize 3448 403110 
3447->3448 3449 4031f3 3447->3449 3448->3449 3452 4034d4 ReadFile 3448->3452 3454 40325f 3448->3454 3448->3461 3463 40301e 6 API calls 3448->3463 3534 40301e 3449->3534 3451 4031fc 3453 40322c GlobalAlloc 3451->3453 3451->3461 3546 4034ea SetFilePointer 3451->3546 3452->3448 3545 4034ea SetFilePointer 3453->3545 3458 40301e 6 API calls 3454->3458 3457 403247 3460 4032b9 35 API calls 3457->3460 3458->3461 3459 403215 3462 4034d4 ReadFile 3459->3462 3465 403253 3460->3465 3461->3371 3464 403220 3462->3464 3463->3448 3464->3453 3464->3461 3465->3461 3466 403290 SetFilePointer 3465->3466 3466->3461 3468 40694b 5 API calls 3467->3468 3469 403c3d 3468->3469 3470 403c43 3469->3470 3471 403c55 3469->3471 3562 40649e wsprintfW 3470->3562 3472 406425 3 API calls 3471->3472 3473 403c85 3472->3473 3474 403ca4 lstrcatW 3473->3474 3477 406425 3 API calls 3473->3477 3476 403c53 3474->3476 3547 403eff 3476->3547 3477->3474 3480 405f2e 18 API calls 3481 403cd6 3480->3481 3482 403d6a 3481->3482 3485 406425 3 API calls 3481->3485 3483 405f2e 18 API calls 3482->3483 3484 403d70 3483->3484 3486 403d80 LoadImageW 3484->3486 3488 406594 21 API calls 3484->3488 3487 403d08 3485->3487 3489 403e26 3486->3489 3490 403da7 RegisterClassW 3486->3490 3487->3482 3491 403d29 lstrlenW 3487->3491 3494 405e53 CharNextW 3487->3494 3488->3486 3493 40140b 2 API calls 3489->3493 3492 403ddd SystemParametersInfoW CreateWindowExW 3490->3492 3522 403e30 3490->3522 3495 403d37 lstrcmpiW 3491->3495 3496 403d5d 3491->3496 3492->3489 3497 403e2c 3493->3497 3498 403d26 3494->3498 3495->3496 3499 403d47 GetFileAttributesW 3495->3499 3500 405e26 3 API calls 3496->3500 3502 403eff 22 API calls 3497->3502 3497->3522 3498->3491 3501 403d53 3499->3501 3503 403d63 3500->3503 3501->3496 3504 405e72 2 API calls 3501->3504 3505 403e3d 3502->3505 3563 406557 lstrcpynW 3503->3563 3504->3496 3507 403e49 ShowWindow 3505->3507 3508 403ecc 3505->3508 3510 4068db 3 API calls 3507->3510 3555 4056af OleInitialize 3508->3555 3512 
403e61 3510->3512 3511 403ed2 3514 403ed6 3511->3514 3515 403eee 3511->3515 3513 403e6f GetClassInfoW 3512->3513 3516 4068db 3 API calls 3512->3516 3518 403e83 GetClassInfoW RegisterClassW 3513->3518 3519 403e99 DialogBoxParamW 3513->3519 3521 40140b 2 API calls 3514->3521 3514->3522 3517 40140b 2 API calls 3515->3517 3516->3513 3517->3522 3518->3519 3520 40140b 2 API calls 3519->3520 3520->3522 3521->3522 3522->3388 3523->3361 3524->3407 3525->3378 3526->3404 3527->3406 3529 401389 2 API calls 3528->3529 3530 401420 3529->3530 3530->3383 3531->3441 3532->3443 3533->3447 3535 403027 3534->3535 3536 40303f 3534->3536 3537 403030 DestroyWindow 3535->3537 3538 403037 3535->3538 3539 403047 3536->3539 3540 40304f GetTickCount 3536->3540 3537->3538 3538->3451 3543 406987 2 API calls 3539->3543 3541 403080 3540->3541 3542 40305d CreateDialogParamW ShowWindow 3540->3542 3541->3451 3542->3541 3544 40304d 3543->3544 3544->3451 3545->3457 3546->3459 3548 403f13 3547->3548 3564 40649e wsprintfW 3548->3564 3550 403f84 3565 403fb8 3550->3565 3552 403cb4 3552->3480 3553 403f89 3553->3552 3554 406594 21 API calls 3553->3554 3554->3553 3568 404522 3555->3568 3557 4056f9 3558 404522 SendMessageW 3557->3558 3559 40570b OleUninitialize 3558->3559 3559->3511 3561 4056d2 3561->3557 3571 401389 3561->3571 3562->3476 3563->3482 3564->3550 3566 406594 21 API calls 3565->3566 3567 403fc6 SetWindowTextW 3566->3567 3567->3553 3569 40453a 3568->3569 3570 40452b SendMessageW 3568->3570 3569->3561 3570->3569 3573 401390 3571->3573 3572 4013fe 3572->3561 3573->3572 3574 4013cb MulDiv SendMessageW 3573->3574 3574->3573 4407 401a35 4408 402dab 21 API calls 4407->4408 4409 401a3e ExpandEnvironmentStringsW 4408->4409 4410 401a52 4409->4410 4412 401a65 4409->4412 4411 401a57 lstrcmpW 4410->4411 4410->4412 4411->4412 3740 4023b7 3741 4023c5 3740->3741 3742 4023bf 3740->3742 3744 4023d3 3741->3744 3745 402dab 21 API calls 3741->3745 3743 402dab 21 API calls 3742->3743 3743->3741 3746 4023e1 3744->3746 
3747 402dab 21 API calls 3744->3747 3745->3744 3748 402dab 21 API calls 3746->3748 3747->3746 3749 4023ea WritePrivateProfileStringW 3748->3749 4418 4014b8 4419 4014be 4418->4419 4420 401389 2 API calls 4419->4420 4421 4014c6 4420->4421 4422 402439 4423 402441 4422->4423 4424 40246c 4422->4424 4426 402deb 21 API calls 4423->4426 4425 402dab 21 API calls 4424->4425 4427 402473 4425->4427 4428 402448 4426->4428 4433 402e69 4427->4433 4430 402dab 21 API calls 4428->4430 4432 402480 4428->4432 4431 402459 RegDeleteValueW RegCloseKey 4430->4431 4431->4432 4434 402e76 4433->4434 4435 402e7d 4433->4435 4434->4432 4435->4434 4437 402eae 4435->4437 4438 4063c4 RegOpenKeyExW 4437->4438 4439 402edc 4438->4439 4440 402eec RegEnumValueW 4439->4440 4445 402f0f 4439->4445 4448 402f86 4439->4448 4441 402f76 RegCloseKey 4440->4441 4440->4445 4441->4448 4442 402f4b RegEnumKeyW 4443 402f54 RegCloseKey 4442->4443 4442->4445 4444 40694b 5 API calls 4443->4444 4446 402f64 4444->4446 4445->4441 4445->4442 4445->4443 4447 402eae 6 API calls 4445->4447 4446->4448 4449 402f68 RegDeleteKeyW 4446->4449 4447->4445 4448->4434 4449->4448 4450 40173a 4451 402dab 21 API calls 4450->4451 4452 401741 SearchPathW 4451->4452 4453 40175c 4452->4453 4454 401d3d 4455 402d89 21 API calls 4454->4455 4456 401d44 4455->4456 4457 402d89 21 API calls 4456->4457 4458 401d50 GetDlgItem 4457->4458 4459 40263d 4458->4459

            Control-flow Graph

            APIs
            • SetErrorMode.KERNELBASE ref: 00403555
            • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403580
            • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403593
            • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040362C
            • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403669
            • OleInitialize.OLE32(00000000), ref: 00403670
            • SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 0040368F
            • GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A4
            • CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe",00000020,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036DD
            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403815
            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403826
            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403832
            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040384E
            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385F
            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403867
            • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387B
            • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403954
              • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
            • wsprintfW.USER32 ref: 004039B1
            • GetFileAttributesW.KERNEL32(00437800,C:\Users\user\AppData\Local\Temp\), ref: 004039E4
            • DeleteFileW.KERNEL32(00437800), ref: 004039F0
            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1E
              • Part of subcall function 00406317: MoveFileExW.KERNEL32(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321
            • CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,00437800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A34
              • Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
              • Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
              • Part of subcall function 004068B4: FindFirstFileW.KERNELBASE(74DF3420,0042FAB8,C:\,00405F77,C:\,C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
              • Part of subcall function 004068B4: FindClose.KERNEL32(00000000), ref: 004068CB
            • ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A7D
            • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A82
            • ExitProcess.KERNEL32 ref: 00403A9F
            • CloseHandle.KERNEL32(00000000,00438000,00438000,?,00437800,00000000), ref: 00403AA6
            • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AC2
            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC9
            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADE
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B01
            • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B26
            • ExitProcess.KERNEL32 ref: 00403B49
              • Part of subcall function 00405B05: CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1882942517.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1882999138.0000000000408000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000042F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000435000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000043F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000445000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.0000000000448000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.000000000044A000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
            • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"$1033$C:\Program Files (x86)\IDmelon$C:\Program Files (x86)\IDmelon\FCP$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$error$~nsu%X.tmp
            • API String ID: 2017177436-2574745368
            • Opcode ID: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
            • Instruction ID: 6c1349364f4d22fadfcc29bbd5f82b0434b4f5ba6e08f6571c64e8404a3f48da
            • Opcode Fuzzy Hash: 2f58fbcc075b23529aa9588561da4342b8d2734b046618fffc698aa71994b29c
            • Instruction Fuzzy Hash: 64F10270604301ABD320AF659D45B2B7AE8EF8570AF10483EF581B22D1DB7DDA45CB6E

            Control-flow Graph

            APIs
            • GetDlgItem.USER32(?,00000403), ref: 00405779
            • GetDlgItem.USER32(?,000003EE), ref: 00405788
            • GetClientRect.USER32(?,?), ref: 004057C5
            • GetSystemMetrics.USER32(00000002), ref: 004057CC
            • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057ED
            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FE
            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405811
            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581F
            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405832
            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405854
            • ShowWindow.USER32(?,00000008), ref: 00405868
            • GetDlgItem.USER32(?,000003EC), ref: 00405889
            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405899
            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058B2
            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BE
            • GetDlgItem.USER32(?,000003F8), ref: 00405797
              • Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
            • GetDlgItem.USER32(?,000003EC), ref: 004058DB
            • CreateThread.KERNELBASE(00000000,00000000,Function_000056AF,00000000), ref: 004058E9
            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004058F0
            • ShowWindow.USER32(00000000), ref: 00405914
            • ShowWindow.USER32(?,00000008), ref: 00405919
            • ShowWindow.USER32(00000008), ref: 00405963
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405997
            • CreatePopupMenu.USER32 ref: 004059A8
            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059BC
            • GetWindowRect.USER32(?,?), ref: 004059DC
            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F5
            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2D
            • OpenClipboard.USER32(00000000), ref: 00405A3D
            • EmptyClipboard.USER32 ref: 00405A43
            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4F
            • GlobalLock.KERNEL32(00000000), ref: 00405A59
            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6D
            • GlobalUnlock.KERNEL32(00000000), ref: 00405A8D
            • SetClipboardData.USER32(0000000D,00000000), ref: 00405A98
            • CloseClipboard.USER32 ref: 00405A9E
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
            • String ID: {
            • API String ID: 4154960007-366298937
            • Opcode ID: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
            • Instruction ID: 234ab3d0ec1f6487b719ed7b99e1d6b4405f443d9e8d78e252fa94ab3ac4d3a1
            • Opcode Fuzzy Hash: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
            • Instruction Fuzzy Hash: 34B139B1900608FFDB11AF60DD89AAE7B79FB48355F00813AFA41BA1A0C7785A51DF58

            Control-flow Graph

            APIs
            • DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"), ref: 00405C8C
            • lstrcatW.KERNEL32(0042EA70,\*.*), ref: 00405CD4
            • lstrcatW.KERNEL32(?,0040A014), ref: 00405CF7
            • lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"), ref: 00405CFD
            • FindFirstFileW.KERNELBASE(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"), ref: 00405D0D
            • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAD
            • FindClose.KERNEL32(00000000), ref: 00405DBC
            Strings
            • pB, xrefs: 00405CBC
            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C70
            • \*.*, xrefs: 00405CCE
            • "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe", xrefs: 00405C6C
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
            • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"$C:\Users\user\AppData\Local\Temp\$\*.*$pB
            • API String ID: 2035342205-3564087900
            • Opcode ID: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
            • Instruction ID: 3df5019795aaf58f6817f8e3609a5bcb0d9fa216103f8ca083ea3247371bac5c
            • Opcode Fuzzy Hash: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
            • Instruction Fuzzy Hash: 2441B231400A14BADB21BB65DC8DAAF7678EF81714F24813BF801B11D1DB7C4A81DEAE
            APIs
            • FindFirstFileW.KERNELBASE(74DF3420,0042FAB8,C:\,00405F77,C:\,C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
            • FindClose.KERNEL32(00000000), ref: 004068CB
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: Find$CloseFileFirst
            • String ID: C:\
            • API String ID: 2295610775-3404278061
            • Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
            • Instruction ID: 0f602bcf77736d61886636fd33b874369bd8b56ce32760b4adaf045605f9a717
            • Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
            • Instruction Fuzzy Hash: 24D012725161309BC2406738AD0C84B7B58AF15331751CA37F56BF21E0D7348C6387A9

            Control-flow Graph

            APIs
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404013
            • ShowWindow.USER32(?), ref: 00404033
            • GetWindowLongW.USER32(?,000000F0), ref: 00404045
            • ShowWindow.USER32(?,00000004), ref: 0040405E
            • DestroyWindow.USER32 ref: 00404072
            • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040408B
            • GetDlgItem.USER32(?,?), ref: 004040AA
            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BE
            • IsWindowEnabled.USER32(00000000), ref: 004040C5
            • GetDlgItem.USER32(?,00000001), ref: 00404170
            • GetDlgItem.USER32(?,00000002), ref: 0040417A
            • SetClassLongW.USER32(?,000000F2,?), ref: 00404194
            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E5
            • GetDlgItem.USER32(?,00000003), ref: 0040428B
            • ShowWindow.USER32(00000000,?), ref: 004042AC
            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042BE
            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042D9
            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EF
            • EnableMenuItem.USER32(00000000), ref: 004042F6
            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430E
            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404321
            • lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040434B
            • SetWindowTextW.USER32(?,0042CA68), ref: 0040435F
            • ShowWindow.USER32(?,0000000A), ref: 00404493
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: Window$Item$MessageSendShow$Long$CallbackDispatcherMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
            • String ID:
            • API String ID: 3964124867-0
            • Opcode ID: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
            • Instruction ID: 911e0a6aef898d83942fe666095560f38e6effa11f08765efd6836b1f10f2e9c
            • Opcode Fuzzy Hash: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
            • Instruction Fuzzy Hash: 29C1B0B1500204BBDB206F61EE89A2B3A68FB85756F01053EF781B51F0CB3958929B2D

            Control-flow Graph

            APIs
              • Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
              • Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978
            • lstrcatW.KERNEL32(1033,0042CA68), ref: 00403CAA
            • lstrlenW.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files (x86)\IDmelon,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420), ref: 00403D2A
            • lstrcmpiW.KERNEL32(?,.exe,Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files (x86)\IDmelon,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D3D
            • GetFileAttributesW.KERNEL32(Remove folder: ), ref: 00403D48
            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\IDmelon), ref: 00403D91
              • Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB
            • RegisterClassW.USER32(004336A0), ref: 00403DCE
            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE6
            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1B
            • ShowWindow.USER32(00000005,00000000), ref: 00403E51
            • GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E7D
            • GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403E8A
            • RegisterClassW.USER32(004336A0), ref: 00403E93
            • DialogBoxParamW.USER32(?,00000000,00403FD7,00000000), ref: 00403EB2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
            • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Program Files (x86)\IDmelon$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb

            Control-flow Graph (node and edge list omitted; first block 403082-4030d0)
            APIs
            • GetTickCount.KERNEL32 ref: 00403093
            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,00000400), ref: 004030AF
              • Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,80000000,00000003), ref: 0040604B
              • Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
            • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,80000000,00000003), ref: 004030FB
            • GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231
            Strings
            • Null, xrefs: 00403179
            • soft, xrefs: 00403170
            • C:\Users\user\Desktop, xrefs: 004030DD, 004030E2, 004030E8
            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403089
            • C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, xrefs: 00403099, 004030A8, 004030BC, 004030DC
            • Error launching installer, xrefs: 004030D2
            • "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe", xrefs: 00403088
            • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258
            • Inst, xrefs: 00403167
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
            • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft

            Control-flow Graph (node and edge list omitted; first block 406594-40659d)
            APIs
            • GetSystemDirectoryW.KERNEL32(Remove folder: ,00000400), ref: 004066B6
            • GetWindowsDirectoryW.KERNEL32(Remove folder: ,00000400,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,?,?,00000000,00000000,00566509,74DF23A0), ref: 004066CC
            • SHGetPathFromIDListW.SHELL32(00000000,Remove folder: ), ref: 0040672A
            • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406733
            • lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040675E
            • lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,?,?,00000000,00000000,00566509,74DF23A0), ref: 004067B8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
            • String ID: Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$error

            Control-flow Graph (node and edge list omitted; first block 4032b9-4032d0)
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: CountTick$wsprintf
            • String ID: eV$ *B$ A$ A$... %d%%

            Control-flow Graph (node and edge list omitted; first block 401774-401799)
            APIs
            • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B5
            • CompareFileTime.KERNEL32(-00000014,?,show,show,00000000,00000000,show,C:\Program Files (x86)\IDmelon\FCP,?,?,00000031), ref: 004017DA
              • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
              • Part of subcall function 004055DC: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,00000000,00566509,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
              • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,00000000,00566509,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
              • Part of subcall function 004055DC: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,0040341D), ref: 00405637
              • Part of subcall function 004055DC: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\), ref: 00405649
              • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
              • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
              • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
            • String ID: C:\Program Files (x86)\IDmelon\FCP$C:\Users\user\AppData\Local\Temp\nssC5E3.tmp$C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\InstallOptions.dll$show

            Control-flow Graph (node and edge list omitted; first block 4055dc-4055f1)
            APIs
            • lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,00000000,00566509,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
            • lstrlenW.KERNEL32(0040341D,Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,00000000,00566509,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
            • lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,0040341D), ref: 00405637
            • SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\), ref: 00405649
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
            • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: MessageSend$lstrlen$TextWindowlstrcat
            • String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\

            Control-flow Graph (node and edge list omitted; first block 402955-40296e)
            APIs
            • GlobalAlloc.KERNELBASE(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
            • GlobalFree.KERNEL32(?), ref: 00402A0B
            • GlobalFree.KERNELBASE(00000000), ref: 00402A1E
            • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: Global$AllocFree$CloseDeleteFileHandle
            • String ID:

            Control-flow Graph (node and edge list omitted; first block 4068db-4068fb)
            APIs
            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
            • wsprintfW.USER32 ref: 0040692D
            • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406941
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: DirectoryLibraryLoadSystemwsprintf
            • String ID: %s%S.dll$UXTHEME

            Control-flow Graph

            control_flow_graph 757 401c48-401c68 call 402d89 * 2 762 401c74-401c78 757->762 763 401c6a-401c71 call 402dab 757->763 765 401c84-401c8a 762->765 766 401c7a-401c81 call 402dab 762->766 763->762 769 401cd8-401d02 call 402dab * 2 FindWindowExW 765->769 770 401c8c-401ca8 call 402d89 * 2 765->770 766->765 782 401d08 769->782 780 401cc8-401cd6 SendMessageW 770->780 781 401caa-401cc6 SendMessageTimeoutW 770->781 780->782 783 401d0b-401d0e 781->783 782->783 784 401d14 783->784 785 402c2f-402c3e 783->785 784->785
            APIs
            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0
            Similarity
            • API ID: MessageSend$Timeout
            • String ID: !
            • API String ID: 1777923405-2657877971
            • Opcode ID: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
            • Instruction ID: 3d1946e732457e70d46414fe723373bc78a31951f468440fe5e33f287296c6aa
            • Opcode Fuzzy Hash: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
            • Instruction Fuzzy Hash: BC21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941DB98

            Control-flow Graph

            control_flow_graph 788 40248f-4024c0 call 402dab * 2 call 402e3b 795 4024c6-4024d0 788->795 796 402c2f-402c3e 788->796 797 4024d2-4024df call 402dab lstrlenW 795->797 798 4024e3-4024e6 795->798 797->798 801 4024e8-4024f9 call 402d89 798->801 802 4024fa-4024fd 798->802 801->802 804 40250e-402522 RegSetValueExW 802->804 805 4024ff-402509 call 4032b9 802->805 810 402524 804->810 811 402527-402608 RegCloseKey 804->811 805->804 810->811 811->796 813 402933-40293a 811->813 813->796
            APIs
            • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nssC5E3.tmp,00000023,00000011,00000002), ref: 004024DA
            • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nssC5E3.tmp,00000000,00000011,00000002), ref: 0040251A
            • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nssC5E3.tmp,00000000,00000011,00000002), ref: 00402602
            Similarity
            • API ID: CloseValuelstrlen
            • String ID: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp
            • API String ID: 2655323295-1965383324
            • Opcode ID: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
            • Instruction ID: e3d4462d3b771ebaa4f16124ca1672ddbf53c4078f16fd27a1e0ad00bfdc49f7
            • Opcode Fuzzy Hash: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
            • Instruction Fuzzy Hash: 8B117F31900118BEEB10EFA5DE59EAEBAB4EF54358F11443FF504B71C1D7B88E419A58

            Control-flow Graph

            control_flow_graph 814 405f2e-405f49 call 406557 call 405ed1 819 405f4b-405f4d 814->819 820 405f4f-405f5c call 406805 814->820 821 405fa7-405fa9 819->821 824 405f6c-405f70 820->824 825 405f5e-405f64 820->825 826 405f86-405f8f lstrlenW 824->826 825->819 827 405f66-405f6a 825->827 828 405f91-405fa5 call 405e26 GetFileAttributesW 826->828 829 405f72-405f79 call 4068b4 826->829 827->819 827->824 828->821 834 405f80-405f81 call 405e72 829->834 835 405f7b-405f7e 829->835 834->826 835->819 835->834
            APIs
              • Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564
              • Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"), ref: 00405EDF
              • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
              • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC
            • lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"), ref: 00405F87
            • GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F97
            Similarity
            • API ID: CharNext$AttributesFilelstrcpynlstrlen
            • String ID: C:\$C:\Users\user\AppData\Local\Temp\
            • API String ID: 3248276644-3049482934
            • Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
            • Instruction ID: 0bce86d1d95a7c790b53086ee47358a3377499fb664fcb231eb74dc800c81f90
            • Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
            • Instruction Fuzzy Hash: 7AF0F43A105E1269D622733A5C09AAF1555CE86360B5A457BFC91B22C6CF3C8A42CCBE
            APIs
            • GetTickCount.KERNEL32 ref: 00406094
            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C), ref: 004060AF
            Similarity
            • API ID: CountFileNameTempTick
            • String ID: C:\Users\user\AppData\Local\Temp\$nsa
            • API String ID: 1716503409-678247507
            • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
            • Instruction ID: 86e06e500a6970b3bc5bd370241205c1b86a0a172d82c816bfbfc8c597d973d5
            • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
            • Instruction Fuzzy Hash: 65F09076B50204FBEB10CF69ED05F9EB7ACEB95750F11803AED05F7240E6B099548768
            APIs
              • Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"), ref: 00405EDF
              • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
              • Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC
            • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F
              • Part of subcall function 00405AAB: CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405AED
            • SetCurrentDirectoryW.KERNELBASE(?,C:\Program Files (x86)\IDmelon\FCP,?,00000000,000000F0), ref: 00401652
            Strings
            • C:\Program Files (x86)\IDmelon\FCP, xrefs: 00401645
            Similarity
            • API ID: CharNext$Directory$AttributesCreateCurrentFile
            • String ID: C:\Program Files (x86)\IDmelon\FCP
            • API String ID: 1892508949-3348486767
            • Opcode ID: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
            • Instruction ID: 6fd3d265dcb44280b24f8e6f21651466162e19908bb00ba525d5af3adea1cd3c
            • Opcode Fuzzy Hash: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
            • Instruction Fuzzy Hash: F211E231404104ABCF206FA5CD0159F36B0EF04368B25493FE945B22F1DA3D4A81DA5E
            APIs
              • Part of subcall function 00405B7D: ShellExecuteExW.SHELL32(?), ref: 00405B8C
              • Part of subcall function 004069F6: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
              • Part of subcall function 004069F6: GetExitCodeProcess.KERNELBASE(?,?), ref: 00406A29
            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?), ref: 00401FF0
            Similarity
            • API ID: ChangeCloseCodeExecuteExitFindNotificationObjectProcessShellSingleWait
            • String ID: @$C:\Program Files (x86)\IDmelon\FCP
            • API String ID: 4215836453-3369818710
            • Opcode ID: 89d337900e9320f3d95684fda7007bf5c26350ccfaa4596f3b29f985b3d04bce
            • Instruction ID: 66913655aa2032d7cc32b7d8541d21132be3f6ae7d0383c2f6415210fa0a2f56
            • Opcode Fuzzy Hash: 89d337900e9320f3d95684fda7007bf5c26350ccfaa4596f3b29f985b3d04bce
            • Instruction Fuzzy Hash: 11115B71E042189ADB50EFB9DA49B8DB6F0AF04308F20457FE105F72D2DBBC8945AB18
            APIs
            • RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,Remove folder: ,?,00000000,00406696,80000002), ref: 0040646B
            • RegCloseKey.KERNELBASE(?), ref: 00406476
            Similarity
            • API ID: CloseQueryValue
            • String ID: Remove folder:
            • API String ID: 3356406503-1958208860
            • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
            • Instruction ID: 70129269225b3d2074805611e9e9ab3b6623f97616b55adb64abfcd2b3eb4ee3
            • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
            • Instruction Fuzzy Hash: 3F017172540209AADF21CF51CC05EDB3BA8EB54364F114439FD1596190D738D964DBA4
            APIs
            • FreeLibrary.KERNELBASE(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
            • GlobalFree.KERNEL32(00000000), ref: 00403BB5
            Strings
            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B94
            Similarity
            • API ID: Free$GlobalLibrary
            • String ID: C:\Users\user\AppData\Local\Temp\
            • API String ID: 1100898210-3081826266
            • Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
            • Instruction ID: cb28855b84c3abb27e6c937247341fa4f051846acd49e0d4b6103447305c23c4
            • Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
            • Instruction Fuzzy Hash: 5DE0C23362083097C6311F55EE04B1A7778AF89B2AF01402AEC407B2618B74AC538FCC
            APIs
            • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402108
              • Part of subcall function 004055DC: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,00000000,00566509,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
              • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,00000000,00566509,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
              • Part of subcall function 004055DC: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,0040341D), ref: 00405637
              • Part of subcall function 004055DC: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\), ref: 00405649
              • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
              • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
              • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
            • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402119
            • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402196
            Similarity
            • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
            • String ID:
            • API String ID: 334405425-0
            • Opcode ID: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
            • Instruction ID: 3664ba2fa099400b069473e4dbd5787d756d46fb785c5e03f539e90392346bbf
            • Opcode Fuzzy Hash: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
            • Instruction Fuzzy Hash: C9219231904108BADF11AFA5CF49A9D7A71FF84358F20413FF201B91E1CBBD8982AA5D
            APIs
            • GlobalFree.KERNEL32(00510190), ref: 00401C10
            • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C22
            Similarity
            • API ID: Global$AllocFree
            • String ID: show
            • API String ID: 3394109436-839833857
            • Opcode ID: b2bf5aa3fb98d5d7659b4efbfb09c2738223d3c1d5b8947c58a47baf3ffb3ed2
            • Instruction ID: 52bd34c5afe528d1e7f7705a0b64ffdd7bdb14472fd10e075fda9825736fe234
            • Opcode Fuzzy Hash: b2bf5aa3fb98d5d7659b4efbfb09c2738223d3c1d5b8947c58a47baf3ffb3ed2
            • Instruction Fuzzy Hash: B221F972900254E7D720BF98DD89E5E73B5AB04718711093FF552B76C0D7B8AC019B9D
            APIs
              • Part of subcall function 00406022: GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
              • Part of subcall function 00406022: SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040603B
            • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DFD), ref: 00405C36
            • DeleteFileW.KERNELBASE(?,?,?,00000000,00405DFD), ref: 00405C3E
            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C56
            Similarity
            • API ID: File$Attributes$DeleteDirectoryRemove
            • String ID:
            • API String ID: 1655745494-0
            • Opcode ID: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
            • Instruction ID: 2cd832b5149a82f614695d38d41b3aba95dfe4f26efc6ce9164d7e3db346642e
            • Opcode Fuzzy Hash: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
            • Instruction Fuzzy Hash: 9AE02B3110D7915AE32077705E0CB5F2AD8DF86324F05093AF492F10C0DB78488A8A7E
            APIs
            • WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
            • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00406A1C
            • GetExitCodeProcess.KERNELBASE(?,?), ref: 00406A29
            Similarity
            • API ID: ObjectSingleWait$CodeExitProcess
            • String ID:
            • API String ID: 2567322000-0
            • Opcode ID: 17a38a5c847dd8245057c7588e6ed0bb749bee8eb0eab1a955a98d2ec77b2a61
            • Instruction ID: 7df20da1addfcb38db7f968568525e0055db05351d7e2d981a5b9d81d63ff89b
            • Opcode Fuzzy Hash: 17a38a5c847dd8245057c7588e6ed0bb749bee8eb0eab1a955a98d2ec77b2a61
            • Instruction Fuzzy Hash: 6BE09271600208BBDB00AB54DD01D9E7B6EDB85700F104032BA45BA190C6B19E62DEA4
            APIs
            • SendMessageW.USER32(00000408,?,00000000,0040410E), ref: 004044CD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: MessageSend
            • String ID: x
            • API String ID: 3850602802-2363233923
            • Opcode ID: 940325285312ba596bb559440598d7c93f49923121e0d523c76edeea93f158b3
            • Instruction ID: e4beb0b61e00574a7040becb46ffa3e71e1b9d270ded7914af4e103d951df844
            • Opcode Fuzzy Hash: 940325285312ba596bb559440598d7c93f49923121e0d523c76edeea93f158b3
            • Instruction Fuzzy Hash: 49C012B1180200BADB106B80DE01F067BA0E7A4B02F11A43DF380240B487706462DB0C
            APIs
            • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402560
            • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nssC5E3.tmp,00000000,00000011,00000002), ref: 00402602
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: CloseQueryValue
            • String ID:
            • API String ID: 3356406503-0
            • Opcode ID: de231594f5fd9ed2f3d170b787f0c7ae88dddfe38e809d01203d2a2c86ad2b9e
            • Instruction ID: fa4e9c421320e09d3f2bb14c05bc69cdd2f01bdd483ca55c6e8c3e2e171c6fbc
            • Opcode Fuzzy Hash: de231594f5fd9ed2f3d170b787f0c7ae88dddfe38e809d01203d2a2c86ad2b9e
            • Instruction Fuzzy Hash: 11116A71900219EBDB14DFA0DA989AEB7B4FF04349B20447FE406B62C0D7B85A45EB5E
            APIs
            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
            • SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
            • Instruction ID: 0adee223d2b7ba7d815a442a2885e1f2b60e3b86eb1a18037e9b6c54a102055c
            • Opcode Fuzzy Hash: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
            • Instruction Fuzzy Hash: 0E01FF31620220AFE7195B389E05B6B3698E710329F10863FF851F62F1EA78DC429B4C
            APIs
            • OleInitialize.OLE32(00000000), ref: 004056BF
              • Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534
            • OleUninitialize.OLE32(00000404,00000000), ref: 0040570B
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: InitializeMessageSendUninitialize
            • String ID:
            • API String ID: 2896919175-0
            • Opcode ID: bbf0263ab9fe446523fd7f753457698ace2b8a2c52ebc29179148d008809b166
            • Instruction ID: 02e921673ef7eca27cac182cfb7c492375eb89174892ab9280a6a273fd68093a
            • Opcode Fuzzy Hash: bbf0263ab9fe446523fd7f753457698ace2b8a2c52ebc29179148d008809b166
            • Instruction Fuzzy Hash: 62F0F0728006009BE7011794AE01B9773A4EBC5316F15543BFF89632A0CB3658018B5D
            APIs
            • CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405AED
            • GetLastError.KERNEL32 ref: 00405AFB
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: CreateDirectoryErrorLast
            • String ID:
            • API String ID: 1375471231-0
            • Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
            • Instruction ID: ed7a645988c2e2a06802fdc928ba12763e2e88a5fcf473fdfb2f1107ef0c66eb
            • Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
            • Instruction Fuzzy Hash: 56F0F970D0060DDBDB00CFA4C5497DFBBB4AB04305F00812AD545B6281D7B95248CBA9
            APIs
            • ShowWindow.USER32(00000000,00000000), ref: 00401F01
            • EnableWindow.USER32(00000000,00000000), ref: 00401F0C
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: Window$EnableShow
            • String ID:
            • API String ID: 1136574915-0
            • Opcode ID: 25d484baa04e9b6e4f62fc7871d61afe8f606dd1a39771946dafa5186f6494a1
            • Instruction ID: 5ff066b55785a601c9e0ac29068a23864f952070569c454aea33db173c3c2586
            • Opcode Fuzzy Hash: 25d484baa04e9b6e4f62fc7871d61afe8f606dd1a39771946dafa5186f6494a1
            • Instruction Fuzzy Hash: 29E09A369082048FE705EBA4AE494AEB3B4EB80325B200A7FE001F11C0CBB84C00966C
            APIs
            • CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
            • CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: CloseCreateHandleProcess
            • String ID:
            • API String ID: 3712363035-0
            • Opcode ID: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
            • Instruction ID: b1032d8704f3223f2a9afbe03a7757fefc60a77e8ecf1711bb84520e71ece662
            • Opcode Fuzzy Hash: 6fd2602221babf1a8a9a6246b82f99e4ae13039f11edd6951af80fecf8f79ee2
            • Instruction Fuzzy Hash: 91E09AB4600219BFEB109B74AD06F7B767CE704604F408475BD15E2151D774A8158A78
            APIs
            • GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
            • GetProcAddress.KERNEL32(00000000,?), ref: 00406978
              • Part of subcall function 004068DB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
              • Part of subcall function 004068DB: wsprintfW.USER32 ref: 0040692D
              • Part of subcall function 004068DB: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406941
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
            • String ID:
            • API String ID: 2547128583-0
            • Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
            • Instruction ID: ff64ee7455e026c1647d72c339307a336527f79dacb59e64982fca04d7429b22
            • Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
            • Instruction Fuzzy Hash: 38E08673504210AFD61057705D04D27B3A89F85740302443EF946F2140DB34DC32ABA9
            APIs
            • SendMessageW.USER32(?,0000000B,?), ref: 00402C19
            • InvalidateRect.USER32(?), ref: 00402C29
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: InvalidateMessageRectSend
            • String ID:
            • API String ID: 909852535-0
            • Opcode ID: cfe8654151a7fb919b36f8ec236feca4529e6266032f4a9ef2e5c0ddbf65b270
            • Instruction ID: 6ec3fe71324e92017d20d312ec94b5ca5b3924548e9ea94678a24fca9ce03f75
            • Opcode Fuzzy Hash: cfe8654151a7fb919b36f8ec236feca4529e6266032f4a9ef2e5c0ddbf65b270
            • Instruction Fuzzy Hash: 88E0ECB2650108FFEB11DB94EE85DAEB7B9EB80355B00047EF101E1060D7745D95DB28
            APIs
            • GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,80000000,00000003), ref: 0040604B
            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: File$AttributesCreate
            • String ID:
            • API String ID: 415043291-0
            • Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
            • Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
            • Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
            • Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
            APIs
            • GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
            • SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040603B
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: AttributesFile
            • String ID:
            • API String ID: 3188754299-0
            • Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
            • Instruction ID: 97cbb32404f08d1f6fed837f871d2b37f55cf766f9720be9b575451f5cdabe77
            • Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
            • Instruction Fuzzy Hash: A3D0C972504220AFC2102728AE0889BBB55EB542717028A35FCA9A22B0CB304CA68694
            APIs
            • CloseHandle.KERNEL32(FFFFFFFF,00403A82,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B5A
            Strings
            • C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\, xrefs: 00403B6E
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: CloseHandle
            • String ID: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\
            • API String ID: 2962429428-1225984099
            • Opcode ID: ae973bb0dca4e4815b90d97470301ae31a1ae4600fd43aa67c366af3984d4a62
            • Instruction ID: 69482a2579ef2b85c2ad9764c5c762c9eb4f19b2fcf4b87e51b14fafea8afdc0
            • Opcode Fuzzy Hash: ae973bb0dca4e4815b90d97470301ae31a1ae4600fd43aa67c366af3984d4a62
            • Instruction Fuzzy Hash: EDC0123090470496F1206F79AE8FA153A64574073DBA48726B0B8B10F3CB7C5659555D
            APIs
            • CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
            • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B19
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: CreateDirectoryErrorLast
            • String ID:
            • API String ID: 1375471231-0
            • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
            • Instruction ID: 8c4969e502f5bc4c8dfdefb7e9c2ba363b64d1215f12130c86bef4ebeef6f559
            • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
            • Instruction Fuzzy Hash: 19C08C30310902DACA802B209F087173960AB80340F158439A683E00B4CA30A065C92D
            APIs
              • Part of subcall function 004055DC: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,00000000,00566509,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
              • Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,00000000,00566509,74DF23A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
              • Part of subcall function 004055DC: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,0040341D), ref: 00405637
              • Part of subcall function 004055DC: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\), ref: 00405649
              • Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
              • Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
              • Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697
              • Part of subcall function 00405B3A: CreateProcessW.KERNELBASE(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
              • Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70
            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?), ref: 00401FF0
              • Part of subcall function 004069F6: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A07
              • Part of subcall function 004069F6: GetExitCodeProcess.KERNELBASE(?,?), ref: 00406A29
              • Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: MessageSend$CloseProcesslstrlen$ChangeCodeCreateExitFindHandleNotificationObjectSingleTextWaitWindowlstrcatwsprintf
            • String ID:
            • API String ID: 1543427666-0
            • Opcode ID: f3bc0ec1b70cec7457a4bdbd95c89a475c59590d6f8743061159391c9333bea6
            • Instruction ID: 72ab4701d282d41bfb99937ccb951c9b3d992b5a19319da95f503844dddfcbd3
            • Opcode Fuzzy Hash: f3bc0ec1b70cec7457a4bdbd95c89a475c59590d6f8743061159391c9333bea6
            • Instruction Fuzzy Hash: EEF0F032804015ABCB20BBA199849DE72B5CF00318B21413FE102B21D1C77C0E42AA6E
            APIs
            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023EE
            Similarity
            • API ID: PrivateProfileStringWrite
            • String ID:
            • API String ID: 390214022-0
            • Opcode ID: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
            • Instruction ID: 95154b02373db31601182c66ccc42c3a1d246cd64da090b0d32e859a1de181fa
            • Opcode Fuzzy Hash: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
            • Instruction Fuzzy Hash: 7DE04F31900524BADB5036B15ECDDBE20685FC8318B14063FFA12B61C2D9FC0C43466D
            APIs
            • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E5C,00000000,?,?), ref: 0040641B
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
            • Instruction ID: 64249f1610b479570df181ce2e9e182bf10c6facee3c5f7fb09e5bef7ea49c41
            • Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
            • Instruction Fuzzy Hash: E6E0E672010109BFEF095F90DD4AD7B7B1DE708310F11492EF906D5051E6B5E9305674
            APIs
            • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E7,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DE
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            • Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
            • Instruction ID: a77d82ba430c16999eb1f2306cb11816df14181100402a9e04059793f1b3015d
            • Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
            • Instruction Fuzzy Hash: 21E08632150219ABCF10DF948C00EEB3B9CFF04390F018436FD11E3040D630E92197A4
            APIs
            • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349D,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040610D
            Similarity
            • API ID: FileWrite
            • String ID:
            • API String ID: 3934441357-0
            • Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
            • Instruction ID: 78408803ccc59d93ae5352641a5e7b8f709900c8df5e8e9e13d69f82a1dcf02f
            • Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
            • Instruction Fuzzy Hash: 8FE08C3220021ABBCF109E908C00EEB3FACEB003A0F014432FA26E6050D670E83097A4
            APIs
            • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,00406452,?,?,?,?,Remove folder: ,?,00000000), ref: 004063E8
            Similarity
            • API ID: Open
            • String ID:
            • API String ID: 71445658-0
            • Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
            • Instruction ID: e31b8ecfa4924c4a0859a1c58e61cb12282203f41ec30ad4fda9f6d7c72ae418
            • Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
            • Instruction Fuzzy Hash: 68D0123200020DBBDF115E91ED01FAB3B1DAB08310F014426FE16E5091D776D570A764
            APIs
            • SetDlgItemTextW.USER32(?,?,00000000), ref: 004044F0
            Similarity
            • API ID: ItemText
            • String ID:
            • API String ID: 3367045223-0
            • Opcode ID: 9f5f9317995870dd68fcf34551989b3f9c33a874f6e62bdf9e4bbf2fb329bfe5
            • Instruction ID: 7de84c17979d9acd04fe2f10fa0cd34772232dcf8a9dc4315206a1648baec08d
            • Opcode Fuzzy Hash: 9f5f9317995870dd68fcf34551989b3f9c33a874f6e62bdf9e4bbf2fb329bfe5
            • Instruction Fuzzy Hash: 96C08C31048300BFD242AB04CC42F0FB3E8EF9431AF00C42EB05CE00D2C638A8208A26
            APIs
            • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
            • Instruction ID: 7d988476d572be30e71f68111afb2513933db934ea5b2002f3fecefde51a3b0c
            • Opcode Fuzzy Hash: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
            • Instruction Fuzzy Hash: ACC04C717402007BDA209F50AD49F07775467A0702F1494797341E51E0C674E550D61C
            APIs
            • SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
            • Instruction ID: 777369a795cbaa9bd4fd16da76cbada5404ff361b75e364c58eeef3f96c31ac9
            • Opcode Fuzzy Hash: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
            • Instruction Fuzzy Hash: 6BB09235181600AADA115B40DE09F867BA2E7A4701F029438B340640B0CBB210A0DB08
            APIs
            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034F8
            Similarity
            • API ID: FilePointer
            • String ID:
            • API String ID: 973152223-0
            • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
            • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
            • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
            • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
            APIs
            • KiUserCallbackDispatcher.NTDLL(?,004042CF), ref: 00404502
            Similarity
            • API ID: CallbackDispatcherUser
            • String ID:
            • API String ID: 2492992576-0
            • Opcode ID: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
            • Instruction ID: 186c68f4495094c0cebc3eb7279f68ffc90812dad8dfd9e689695b78415bb769
            • Opcode Fuzzy Hash: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
            • Instruction Fuzzy Hash: 43A00176544A04ABCE12EB50EF4990ABB62BBA4B01B618879A285514388B325921EB19
            APIs
            • GetDlgItem.USER32(?,000003FB), ref: 00404A16
            • SetWindowTextW.USER32(00000000,?), ref: 00404A40
            • SHBrowseForFolderW.SHELL32(?), ref: 00404AF1
            • CoTaskMemFree.OLE32(00000000), ref: 00404AFC
            • lstrcmpiW.KERNEL32(Remove folder: ,0042CA68,00000000,?,?), ref: 00404B2E
            • lstrcatW.KERNEL32(?,Remove folder: ), ref: 00404B3A
            • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B4C
              • Part of subcall function 00405B9B: GetDlgItemTextW.USER32(?,?,00000400,00404B83), ref: 00405BAE
              • Part of subcall function 00406805: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
              • Part of subcall function 00406805: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
              • Part of subcall function 00406805: CharNextW.USER32(?,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
              • Part of subcall function 00406805: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F
            • GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C0F
            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C2A
              • Part of subcall function 00404D83: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
              • Part of subcall function 00404D83: wsprintfW.USER32 ref: 00404E2D
              • Part of subcall function 00404D83: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40
            Strings
            Similarity
            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
            • String ID: A$C:\Program Files (x86)\IDmelon$Remove folder: $error
            • API String ID: 2624150263-719220190
            • Opcode ID: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
            • Instruction ID: 8a45afd3ee22384d80319c7ed67abe130e578f1d2b392c1e8909742cb30e522b
            • Opcode Fuzzy Hash: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
            • Instruction Fuzzy Hash: FCA192B1900208ABDB11EFA5DD45BAFB7B8EF84314F11803BF611B62D1D77C9A418B69
            APIs
            • CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E
            Strings
            • C:\Program Files (x86)\IDmelon\FCP, xrefs: 0040226E
            Similarity
            • API ID: CreateInstance
            • String ID: C:\Program Files (x86)\IDmelon\FCP
            • API String ID: 542301482-3348486767
            • Opcode ID: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
            • Instruction ID: f0c409d0c9855dc16f3492d495f607d4fcaf843261c47ee8c1995525671fe781
            • Opcode Fuzzy Hash: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
            • Instruction Fuzzy Hash: 76411471A00208AFCB40DFE4C989EAD7BB5FF48308B20457AF515EB2D1DB799982CB54
            APIs
            • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: FileFindFirst
            • String ID:
            • API String ID: 1974802433-0
            • Opcode ID: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
            • Instruction ID: 4f8030157269cd498ea314d5a86e386b0cfb994e1dea9c94a4400a3869289cfc
            • Opcode Fuzzy Hash: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
            • Instruction Fuzzy Hash: 17F08C71A04104AAD701EBE4EE499AEB378EF14324F60457BE102F31E0DBB85E159B2A
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
            • Instruction ID: a5eb8001d75a17d38d83411349fde439c8a9064fda1b18d7f978e280ae41e255
            • Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
            • Instruction Fuzzy Hash: ACE19C71A04709DFCB24CF58C880BAABBF1FF45305F15852EE496A72D1E378AA51CB05
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
            • Instruction ID: e409ec8ffb443055957628c835c79614664982182129ebc37b3e11cb9bcd83e5
            • Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
            • Instruction Fuzzy Hash: ECC14772E04219CBCF18CF68C4905EEBBB2BF98354F25866AD85677380D7346942CF95
            APIs
            • GetDlgItem.USER32(?,000003F9), ref: 00404F5B
            • GetDlgItem.USER32(?,00000408), ref: 00404F66
            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404FB0
            • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC7
            • SetWindowLongW.USER32(?,000000FC,00405550), ref: 00404FE0
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF4
            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405006
            • SendMessageW.USER32(?,00001109,00000002), ref: 0040501C
            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405028
            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040503A
            • DeleteObject.GDI32(00000000), ref: 0040503D
            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405068
            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405074
            • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510F
            • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513F
              • Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519
            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405153
            • GetWindowLongW.USER32(?,000000F0), ref: 00405181
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518F
            • ShowWindow.USER32(?,00000005), ref: 0040519F
            • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040529A
            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FF
            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405314
            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405338
            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405358
            • ImageList_Destroy.COMCTL32(?), ref: 0040536D
            • GlobalFree.KERNEL32(?), ref: 0040537D
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F6
            • SendMessageW.USER32(?,00001102,?,?), ref: 0040549F
            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AE
            • InvalidateRect.USER32(?,00000000,00000001), ref: 004054D9
            • ShowWindow.USER32(?,00000000), ref: 00405527
            • GetDlgItem.USER32(?,000003FE), ref: 00405532
            • ShowWindow.USER32(00000000), ref: 00405539
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
            • String ID: $M$N
            • API String ID: 2564846305-813528018
            • Opcode ID: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
            • Instruction ID: 91097811874ce85ba3cc7540bcf7dd58db25a3d6f071223140e4d1ec27d7ea12
            • Opcode Fuzzy Hash: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
            • Instruction Fuzzy Hash: 6C029C70900608AFDF20DF94DD85AAF7BB5FB85314F10817AE611BA2E1D7798A41CF58
            APIs
            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404733
            • GetDlgItem.USER32(?,000003E8), ref: 00404747
            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404764
            • GetSysColor.USER32(?), ref: 00404775
            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404783
            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404791
            • lstrlenW.KERNEL32(?), ref: 00404796
            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A3
            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B8
            • GetDlgItem.USER32(?,0000040A), ref: 00404811
            • SendMessageW.USER32(00000000), ref: 00404818
            • GetDlgItem.USER32(?,000003E8), ref: 00404843
            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404886
            • LoadCursorW.USER32(00000000,00007F02), ref: 00404894
            • SetCursor.USER32(00000000), ref: 00404897
            • LoadCursorW.USER32(00000000,00007F00), ref: 004048B0
            • SetCursor.USER32(00000000), ref: 004048B3
            • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048E2
            • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
            • String ID: N$Remove folder:
            • API String ID: 3103080414-3051863454
            • Opcode ID: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
            • Instruction ID: 3ad42440e7936429012ccc374b67200ab01768f99e4ad58672f49272ac14a637
            • Opcode Fuzzy Hash: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
            • Instruction Fuzzy Hash: 2E6181B1900209BFDB10AF60DD85EAA7B69FB84315F00853AFA05B62D0C779A951DF98
            APIs
            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
            • BeginPaint.USER32(?,?), ref: 00401047
            • GetClientRect.USER32(?,?), ref: 0040105B
            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
            • DeleteObject.GDI32(?), ref: 004010ED
            • CreateFontIndirectW.GDI32(?), ref: 00401105
            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
            • SelectObject.GDI32(00000000,?), ref: 00401140
            • DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
            • SelectObject.GDI32(00000000,00000000), ref: 00401160
            • DeleteObject.GDI32(?), ref: 00401165
            • EndPaint.USER32(?,?), ref: 0040116E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
            • String ID: F
            • API String ID: 941294808-1304234792
            • Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
            • Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
            • Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
            • Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4
            APIs
            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
            • GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1
              • Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
              • Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE
            • GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
            • wsprintfA.USER32 ref: 0040621C
            • GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
            • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4
            • GlobalFree.KERNEL32(00000000), ref: 00406305
            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040630C
              • Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,80000000,00000003), ref: 0040604B
              • Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
            • String ID: %ls=%ls$[Rename]
            • API String ID: 2171350718-461813615
            • Opcode ID: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
            • Instruction ID: 2f157a22eecee44515c187ff3daf75b9e7e255f904fde787f0dd9ddf92a1116e
            • Opcode Fuzzy Hash: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
            • Instruction Fuzzy Hash: C9312271200315BBD2206B619D49F2B3A5CEF85718F16043EFD42FA2C2DB7D99258ABD
            APIs
            • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
            • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
            • CharNextW.USER32(?,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
            • CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F
            Strings
            • C:\Users\user\AppData\Local\Temp\, xrefs: 00406806
            • "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe", xrefs: 00406849
            • *?|<>/":, xrefs: 00406857
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: Char$Next$Prev
            • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
            • API String ID: 589700163-1209570706
            • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
            • Instruction ID: fa9c0ef9ae643832d728fa0671e6943ea0b093c18f887e6db6f7fe1f852dcfd9
            • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
            • Instruction Fuzzy Hash: F111932780221299DB303B148C40E7766E8AF54794F52C43FED8A722C0F77C4C9286AD
            APIs
            • GetWindowLongW.USER32(?,000000EB), ref: 0040455A
            • GetSysColor.USER32(00000000), ref: 00404598
            • SetTextColor.GDI32(?,00000000), ref: 004045A4
            • SetBkMode.GDI32(?,?), ref: 004045B0
            • GetSysColor.USER32(?), ref: 004045C3
            • SetBkColor.GDI32(?,?), ref: 004045D3
            • DeleteObject.GDI32(?), ref: 004045ED
            • CreateBrushIndirect.GDI32(?), ref: 004045F7
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
            • String ID:
            • API String ID: 2320649405-0
            • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
            • Instruction ID: 069c4eaec478219780f05c004fc5973679282d3c2eb16bc8cec9dcb23997e36d
            • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
            • Instruction Fuzzy Hash: 592151B1500704ABCB20DF68DE08A5B7BF8AF41714B05892EEA96A22E0D739E944CF54
            APIs
            • ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
            • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
            • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1
              • Part of subcall function 00406128: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613E
            • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: File$Pointer$ByteCharMultiWide$Read
            • String ID: 9
            • API String ID: 163830602-2366072709
            • Opcode ID: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
            • Instruction ID: e892b7cb172a86a35cdf2d5061c859a119b49b65f2ae0b0c69c9b35c58dd84de
            • Opcode Fuzzy Hash: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
            • Instruction Fuzzy Hash: F151FB75D0411AABDF24DFD4CA85AAEBBB9FF04344F10817BE901B62D0D7B49D828B58
            APIs
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EAC
            • GetMessagePos.USER32 ref: 00404EB4
            • ScreenToClient.USER32(?,?), ref: 00404ECE
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EE0
            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F06
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: Message$Send$ClientScreen
            • String ID: f
            • API String ID: 41195575-1993550816
            • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
            • Instruction ID: eb967d7d92909976ed67768bbc6bf91133f1097352fa1b537f2083fc5134d3bd
            • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
            • Instruction Fuzzy Hash: AB019E71900219BADB00DB94DD81FFEBBBCAF95710F10412BFB11B61C0C7B4AA018BA4
            APIs
            • GetDC.USER32(?), ref: 00401E56
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
            • MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
            • ReleaseDC.USER32(?,00000000), ref: 00401E89
            • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1882942517.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1882999138.0000000000408000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000042F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000435000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000043F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000445000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.0000000000448000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.000000000044A000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: CapsCreateDeviceFontIndirectRelease
            • String ID: MS Shell Dlg
            • API String ID: 3808545654-76309092
            • Opcode ID: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
            • Instruction ID: a825ad976d3f878f3d1ae6f085165680ecf176d60430839047bda31eedf7821d
            • Opcode Fuzzy Hash: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
            • Instruction Fuzzy Hash: 62017571905240EFE7005BB4EE49BDD3FA4AB15301F10867AF541B61E2C7B904458BED
            APIs
            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
            • MulDiv.KERNEL32(028AE197,00000064,028AF3C8), ref: 00402FE1
            • wsprintfW.USER32 ref: 00402FF1
            • SetWindowTextW.USER32(?,?), ref: 00403001
            • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013
            Strings
            • verifying installer: %d%%, xrefs: 00402FEB
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1882942517.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1882999138.0000000000408000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000042F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000435000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000043F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000445000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.0000000000448000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.000000000044A000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: Text$ItemTimerWindowwsprintf
            • String ID: verifying installer: %d%%
            • API String ID: 1451636040-82062127
            • Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
            • Instruction ID: b4a4546c530c1255e03538258eeb387f0310dfe45b0532776fb26864182fd6cc
            • Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
            • Instruction Fuzzy Hash: 8D014F71640208BBEF209F60DE49FEE3B79AB04344F108039FA02B91D0DBB99A559B59
            APIs
            • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1882942517.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1882999138.0000000000408000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000042F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000435000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000043F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000445000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.0000000000448000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.000000000044A000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: CloseEnum$DeleteValue
            • String ID:
            • API String ID: 1354259210-0
            • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
            • Instruction ID: 7c59605d0ca35e0e1f1170af87acd2d95b5481229a772e02f8b12e0d157fbf49
            • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
            • Instruction Fuzzy Hash: 2A216B7150010ABFDF119F90CE89EEF7B7DEB54398F100076B949B21E0D7B49E54AA68
            APIs
            • GetDlgItem.USER32(?,?), ref: 00401D9F
            • GetClientRect.USER32(?,?), ref: 00401DEA
            • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
            • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
            • DeleteObject.GDI32(00000000), ref: 00401E3E
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1882942517.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1882999138.0000000000408000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000042F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000435000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000043F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000445000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.0000000000448000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.000000000044A000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
            • String ID:
            • API String ID: 1849352358-0
            • Opcode ID: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
            • Instruction ID: ff9804e90d7d2423da96771145ec8c84d1acc30631874d8c14b803c0354ed8c3
            • Opcode Fuzzy Hash: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
            • Instruction Fuzzy Hash: 73210772900119AFCB05DF98EE45AEEBBB5EF08314F14003AF945F62A0D7789D81DB98
            APIs
            • lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
            • wsprintfW.USER32 ref: 00404E2D
            • SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1882942517.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1882999138.0000000000408000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000042F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000435000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000043F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000445000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.0000000000448000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.000000000044A000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: ItemTextlstrlenwsprintf
            • String ID: %u.%u%s%s
            • API String ID: 3540041739-3551169577
            • Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
            • Instruction ID: 0fe25742dfe6cfa92c38baccc724587d3b65f537d6828788df476db8ac6fa50e
            • Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
            • Instruction Fuzzy Hash: B111EB336042283BDB109A6DAC45E9E329CDF85374F250237FA65F71D1E978DC2282E8
            APIs
            • CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe"), ref: 00405EDF
            • CharNextW.USER32(00000000), ref: 00405EE4
            • CharNextW.USER32(00000000), ref: 00405EFC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1882942517.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1882999138.0000000000408000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000042F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000435000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000043F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000445000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.0000000000448000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.000000000044A000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: CharNext
            • String ID: C:\
            • API String ID: 3213498283-3404278061
            • Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
            • Instruction ID: 143c5bdbadb979d876a68ad22b5e9fde56015454fa81a7c55dbcd1e73dec783f
            • Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
            • Instruction Fuzzy Hash: 03F09072D04A2395DB317B649C45B7756BCEB587A0B54843BE601F72C0DBBC48818ADA
            APIs
            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E2C
            • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E36
            • lstrcatW.KERNEL32(?,0040A014), ref: 00405E48
            Strings
            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E26
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1882942517.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1882999138.0000000000408000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000042F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000435000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000043F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000445000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.0000000000448000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.000000000044A000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: CharPrevlstrcatlstrlen
            • String ID: C:\Users\user\AppData\Local\Temp\
            • API String ID: 2659869361-3081826266
            • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
            • Instruction ID: dcb1dcffde27bcde4b46a4bd7655c85b8e924b1ae314dab144fc932f30a80b76
            • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
            • Instruction Fuzzy Hash: 9DD0A731501534BAC212AB54AD04DDF62AC9F46344381443BF141B30A5C77C5D51D7FD
            APIs
            • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\InstallOptions.dll), ref: 0040269A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1882942517.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1882999138.0000000000408000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000042F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000435000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000043F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000445000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.0000000000448000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.000000000044A000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: lstrlen
            • String ID: C:\Users\user\AppData\Local\Temp\nssC5E3.tmp$C:\Users\user\AppData\Local\Temp\nssC5E3.tmp\InstallOptions.dll
            • API String ID: 1659193697-3036514136
            • Opcode ID: 8f503f056602079ae9f30a52096cd2433ded43a0881ed6245ce1ccacdc846449
            • Instruction ID: 71653ae2733df7adc71dfdbaa34589fb2472b89c06e6b839d1f3baa03dac964a
            • Opcode Fuzzy Hash: 8f503f056602079ae9f30a52096cd2433ded43a0881ed6245ce1ccacdc846449
            • Instruction Fuzzy Hash: E011E772A40205BBCB00ABB19E56AAE7671AF50748F21443FF402B71C1EAFD4891565E
            APIs
            • DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
            • GetTickCount.KERNEL32 ref: 0040304F
            • CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
            • ShowWindow.USER32(00000000,00000005), ref: 0040307A
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1882942517.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1882999138.0000000000408000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000042F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000435000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000043F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000445000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.0000000000448000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.000000000044A000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: Window$CountCreateDestroyDialogParamShowTick
            • String ID:
            • API String ID: 2102729457-0
            • Opcode ID: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
            • Instruction ID: 9291db8f65f8f9a8906298ccab22143765a9ea5c3e1cf5a275661437a5304794
            • Opcode Fuzzy Hash: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
            • Instruction Fuzzy Hash: 22F08970602A21AFC6306F50FE09A9B7F68FB45B52B51053AF445B11ACCB345C91CB9D
            APIs
            • IsWindowVisible.USER32(?), ref: 0040557F
            • CallWindowProcW.USER32(?,?,?,?), ref: 004055D0
              • Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1882942517.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1882999138.0000000000408000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000042F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000435000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000043F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000445000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.0000000000448000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.000000000044A000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: Window$CallMessageProcSendVisible
            • String ID:
            • API String ID: 3748168415-3916222277
            • Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
            • Instruction ID: 994decb8795c597c60d879b60f38f30bda4d2919c1ffc13ce94f3a2918c86729
            • Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
            • Instruction Fuzzy Hash: 1C01717120060CBFEF219F11DD84A9B3B67EB84794F144037FA41761D5C7398D529A6D
            APIs
            • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,80000000,00000003), ref: 00405E78
            • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe,80000000,00000003), ref: 00405E88
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1882942517.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1882999138.0000000000408000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000042F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000435000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000043F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000445000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.0000000000448000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.000000000044A000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: CharPrevlstrlen
            • String ID: C:\Users\user\Desktop
            • API String ID: 2709904686-224404859
            • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
            • Instruction ID: c6f1eefeac9f22653a6718740f6635ad40246fc98af2d22d27e4b5974eb8f820
            • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
            • Instruction Fuzzy Hash: E1D0A7B3400930EEC312AB04EC04DAF73ACEF123007868827F980A7165D7785D81C6EC
            APIs
            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD4
            • CharNextA.USER32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE5
            • lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE
            Memory Dump Source
            • Source File: 00000000.00000002.1882971033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1882942517.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1882999138.0000000000408000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000042F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000435000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.000000000043F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883028898.0000000000445000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.0000000000448000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1883215959.000000000044A000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
            Similarity
            • API ID: lstrlen$CharNextlstrcmpi
            • String ID:
            • API String ID: 190613189-0
            • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
            • Instruction ID: e9567a821587a5f0376c4e2be66d4cfc8c6f540c5076303c4651ac02cb4e93c6
            • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
            • Instruction Fuzzy Hash: E1F09631105519FFC7029FA5DE00D9FBBA8EF05350B2540B9F840F7250D678DE01AB69

            Control-flow Graph

            [Control-flow graph figure not reproduced; legend: Executed, Not Executed]
            APIs
            • GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00703C3F
            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00703C52
            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 00703C9D
            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00703CA7
            • GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 00703CF5
            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00703CFF
            • FindFirstFileW.KERNELBASE(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 00703D52
            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00703D63
            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 00703E3D
            • DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,00000001,00000000,?), ref: 00703E51
            • GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 00703E78
            • MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 00703E9B
            • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00703EB4
            • FindNextFileW.KERNELBASE(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 00703EC4
            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00703ED9
            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00703F08
            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00703F2A
            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00703F4C
            • RemoveDirectoryW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00703F63
            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00703F6D
            • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00703F93
            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00703FAE
            • FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 00703FE4
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
            • String ID: *.*$DEL$dirutil.cpp
            • API String ID: 1544372074-1252831301
            APIs
              • Part of subcall function 007033D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,007010DD,?,00000000), ref: 007033F8
            • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 007010F6
              • Part of subcall function 00701174: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0070111A,cabinet.dll,00000009,?,?,00000000), ref: 00701185
              • Part of subcall function 00701174: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,0070111A,cabinet.dll,00000009,?,?,00000000), ref: 00701190
              • Part of subcall function 00701174: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0070119E
              • Part of subcall function 00701174: GetLastError.KERNEL32(?,?,?,?,0070111A,cabinet.dll,00000009,?,?,00000000), ref: 007011B9
              • Part of subcall function 00701174: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 007011C1
              • Part of subcall function 00701174: GetLastError.KERNEL32(?,?,?,?,0070111A,cabinet.dll,00000009,?,?,00000000), ref: 007011D6
            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,0074B4C0,?,cabinet.dll,00000009,?,?,00000000), ref: 00701131
            Similarity
            • API ID: AddressErrorFileLastModuleProc$ChangeCloseCreateFindHandleHeapInformationNameNotification
            • String ID: cabinet.dll$clbcatq.dll$comres.dll$feclient.dll$version.dll$wininet.dll
            • API String ID: 2670336470-2453154497
            Strings
            • Failed to calculate working folder to ensure it exists., xrefs: 00719ED4
            • =Sp, xrefs: 00719EB7
            • Failed to copy working folder., xrefs: 00719F12
            • Failed create working folder., xrefs: 00719EEA
            Similarity
            • API ID: CurrentDirectoryErrorLastProcessWindows
            • String ID: =Sp$Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
            • API String ID: 3841436932-965143519
            APIs
            • GetCurrentProcess.KERNEL32(00000000,?,007347E8,00000000,00767CF8,0000000C,0073493F,00000000,00000002,00000000), ref: 00734833
            • TerminateProcess.KERNEL32(00000000,?,007347E8,00000000,00767CF8,0000000C,0073493F,00000000,00000002,00000000), ref: 0073483A
            • ExitProcess.KERNEL32 ref: 0073484C
            Similarity
            • API ID: Process$CurrentExitTerminate
            • String ID:
            • API String ID: 1703294689-0
            APIs
            • GetProcessHeap.KERNEL32(?,000001C7,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038E5
            • RtlAllocateHeap.NTDLL(00000000,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038EC
            Similarity
            • API ID: Heap$AllocateProcess
            • String ID:
            • API String ID: 1357844191-0

            Control-flow Graph

            Similarity
            • API ID:
            • String ID: =Sp$AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$clbcatq.dll$registration.cpp$yes
            • API String ID: 0-1360119259

            Control-flow Graph

            APIs
            • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0070B3FF
            • SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0070B44C
            • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0070B452
            • ReadFile.KERNELBASE(00000000,\CpH,00000040,?,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0070B49A
            • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0070B4A0
            • SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0070B4FD
            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0070B503
            • ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0070B54C
            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0070B552
            • SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0070B5C3
            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0070B5C9
            Similarity
            • API ID: ErrorLast$File$Pointer$Read
            • String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$\CpH$burn$section.cpp
            • API String ID: 2600052162-2484438258

            Control-flow Graph

            APIs
              • Part of subcall function 007038D4: GetProcessHeap.KERNEL32(?,000001C7,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038E5
              • Part of subcall function 007038D4: RtlAllocateHeap.NTDLL(00000000,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038EC
            • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,comres.dll,00000000,0074CA64,?,00000000), ref: 0070CDEC
            Similarity
            • API ID: Heap$AllocateCompareProcessString
            • String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$cabinet.dll$comres.dll$download$embedded$external$feclient.dll$payload.cpp$version.dll$wininet.dll
            • API String ID: 1171520630-1636398752

            Control-flow Graph

            APIs
            • SetEvent.KERNEL32(?,?,?,?,00000000,00000000,?,00720621,?,?), ref: 00720A85
            • GetLastError.KERNEL32(?,?,?,00000000,00000000,?,00720621,?,?), ref: 00720A92
            • WaitForSingleObject.KERNEL32(?,?,?,?,?,00000000,00000000,?,00720621,?,?), ref: 00720ACE
            • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00720621,?,?), ref: 00720AD8
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLast$EventObjectSingleWait
            • String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp

            Control-flow Graph

            • Function 70508d, first block 70508d-70513b
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 0070510F
              • Part of subcall function 007403F0: InitializeCriticalSection.KERNEL32(0076B60C,?,0070511B,00000000,?,?,?,?,?,?), ref: 00740407
              • Part of subcall function 00701209: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00705137,00000000,?), ref: 00701247
              • Part of subcall function 00701209: GetLastError.KERNEL32(?,?,?,00705137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00701251
            • CoInitializeEx.OLE32(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 0070517D
              • Part of subcall function 00740CD1: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00740CF2
            • GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 0070520F
            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00705219
            • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0070549B
            Similarity
            • API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
            • String ID: 3.10.4.4718$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$Setup$_Failed$engine.cpp$txt

            Control-flow Graph

            • Function 704c33, first block 704c33-704c7b
            APIs
              • Part of subcall function 007033D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,007010DD,?,00000000), ref: 007033F8
            • CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00704E3A
            • CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00704E49
            • CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00704E58
            • CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00704E63
            Strings
            • %ls %ls, xrefs: 00704D4F
            • Failed to append original command line., xrefs: 00704D63
            • Failed to allocate parameters for unelevated process., xrefs: 00704CF4
            • Failed to launch clean room process: %ls, xrefs: 00704DF1
            • burn.filehandle.attached, xrefs: 00704D11
            • Failed to get path for current process., xrefs: 00704C7D
            • burn.filehandle.self, xrefs: 00704D3F
            • burn.clean.room, xrefs: 00704CD8
            • "%ls" %ls, xrefs: 00704D74
            • engine.cpp, xrefs: 00704DE4
            • Failed to allocate full command-line., xrefs: 00704D88
            • Failed to append %ls, xrefs: 00704D16
            • D, xrefs: 00704DA3
            • Failed to cache to clean room., xrefs: 00704CBC
            • -%ls="%ls", xrefs: 00704CE0
            • Failed to wait for clean room process: %ls, xrefs: 00704E1D
            Similarity
            • API ID: CloseHandle$FileModuleName
            • String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$engine.cpp

            Control-flow Graph

            • Function 717337, first block 717337-71737c
            Strings
            • Failed to open manifest stream., xrefs: 007173B8
            • WixBundleSourceProcessFolder, xrefs: 00717522
            • Failed to load manifest., xrefs: 007173F5
            • Failed to parse command line., xrefs: 00717474
            • Failed to overwrite the %ls built-in variable., xrefs: 007174C9
            • Failed to open attached UX container., xrefs: 0071739B
            • Failed to initialize variables., xrefs: 0071737E
            • Failed to set source process folder variable., xrefs: 00717533
            • Failed to load catalog files., xrefs: 007175FD
            • Failed to get source process folder from path., xrefs: 00717513
            • WixBundleSourceProcessPath, xrefs: 007174E6
            • Failed to set original source variable., xrefs: 00717558
            • Failed to extract bootstrapper application payloads., xrefs: 007175DD
            • WixBundleOriginalSource, xrefs: 00717547
            • Failed to get manifest stream from container., xrefs: 007173D9
            • Failed to set source process path variable., xrefs: 007174F7
            • Failed to initialize internal cache functionality., xrefs: 0071758D
            • WixBundleElevated, xrefs: 007174B3, 007174C4
            • Failed to get unique temporary folder for bootstrapper application., xrefs: 007175BC
            Similarity
            • API ID: CriticalInitializeSection
            • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath

            Control-flow Graph

            • Function 7184c4, first block 7184c4-718512
            APIs
            • CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00704CB6,?,?,00000000,00704CB6,00000000), ref: 00718507
            • GetLastError.KERNEL32 ref: 00718514
            • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,0074B4F0,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007186F6
            Strings
            • Failed to seek to checksum in exe header., xrefs: 007185F9
            • Failed to seek to original data in exe burn section header., xrefs: 007186CF
            • cabinet.dll, xrefs: 0071866F
            • Failed to update signature offset., xrefs: 00718615
            • cache.cpp, xrefs: 00718538, 007185EF, 00718656, 007186C5
            • Failed to seek to signature table in exe header., xrefs: 00718660
            • Failed to copy engine from: %ls to: %ls, xrefs: 0071859C
            • Failed to zero out original data offset., xrefs: 007186E8
            • Failed to seek to beginning of engine file: %ls, xrefs: 0071856D
            • Failed to create engine file at path: %ls, xrefs: 00718545
            Similarity
            • API ID: ChangeCloseCreateErrorFileFindLastNotification
            • String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp

            Control-flow Graph

            • Function 707503, first block 707503-707dc0
            APIs
            • InitializeCriticalSection.KERNEL32(00717378,007052B5,00000000,0070533D), ref: 00707523
            Similarity
            • API ID: CriticalInitializeSection
            • String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleVersion

            Control-flow Graph

            • Function 7180ae, first block 7180ae-7180f7
            APIs
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00705381), ref: 00718104
              • Part of subcall function 0074076C: OpenProcessToken.ADVAPI32(?,00000008,?,007052B5,00000000,?,?,?,?,?,?,?,007174AB,00000000), ref: 0074078A
              • Part of subcall function 0074076C: GetLastError.KERNEL32(?,?,?,?,?,?,?,007174AB,00000000), ref: 00740794
              • Part of subcall function 0074076C: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,007174AB,00000000), ref: 0074081D
            • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 0071812A
            • GetLastError.KERNEL32 ref: 00718134
            • GetTempPathW.KERNEL32(00000104,?,00000000), ref: 007181B1
            • GetLastError.KERNEL32 ref: 007181BB
            Strings
            • Failed to ensure windows path for working folder ended in backslash., xrefs: 0071817F
            • Failed to get windows path for working folder., xrefs: 00718162
            • Failed to create working folder guid., xrefs: 00718207
            • Failed to append bundle id on to temp path for working folder., xrefs: 00718264
            • Failed to concat Temp directory on windows path for working folder., xrefs: 007181A1
            • cache.cpp, xrefs: 00718158, 007181DF, 00718230
            • Failed to get temp path for working folder., xrefs: 007181E9
            • Failed to copy working folder path., xrefs: 0071827F
            • Failed to convert working folder guid into string., xrefs: 0071823A
            • %ls%ls\, xrefs: 0071824C
            • Temp\, xrefs: 00718189
            Similarity
            • API ID: ErrorLast$Process$ChangeCloseCurrentDirectoryFindNotificationOpenPathTempTokenWindows
            • String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp

            Control-flow Graph

            • Function 720e43, first block 720e43-720e6f
            APIs
            • CoInitializeEx.OLE32(00000000,00000000), ref: 00720E65
            • CoUninitialize.OLE32 ref: 007210D9
            Similarity
            • API ID: InitializeUninitialize
            • String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp

            APIs
            • InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,0070515E,?,?,00000000,?,?), ref: 007041FE
            • InitializeCriticalSection.KERNEL32(000000D0,?,?,0070515E,?,?,00000000,?,?), ref: 00704207
            • lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,0070515E,?,?,00000000,?,?), ref: 0070424D
            • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,0070515E,?,?,00000000,?,?), ref: 00704257
            • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,0070515E,?,?,00000000,?,?), ref: 0070426B
            • lstrlenW.KERNEL32(burn.filehandle.attached,?,?,0070515E,?,?,00000000,?,?), ref: 0070427B
            • lstrlenW.KERNEL32(burn.filehandle.self,?,?,0070515E,?,?,00000000,?,?), ref: 007042CB
            • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,0070515E,?,?,00000000,?,?), ref: 007042D5
            • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,0070515E,?,?,00000000,?,?), ref: 007042E9
            • lstrlenW.KERNEL32(burn.filehandle.self,?,?,0070515E,?,?,00000000,?,?), ref: 007042F9
            Strings
            Similarity
            • API ID: lstrlen$CompareCriticalInitializeSectionString
            • String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp

            APIs
              • Part of subcall function 007037EA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00703829
              • Part of subcall function 007037EA: GetLastError.KERNEL32 ref: 00703833
              • Part of subcall function 00744932: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 0074495A
            • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 007429FD
            • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00742A20
            • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00742A43
            • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00742A66
            • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00742A89
            • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00742AAC
            • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00742ACF
            Strings
            Similarity
            • API ID: AddressProc$ErrorLast$DirectorySystem
            • String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
            APIs
            • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,007434DF,00000000,?,00000000), ref: 00742F3D
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0072BDED,?,007052FD,?,00000000,?), ref: 00742F49
            • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00742F89
            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00742F95
            • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 00742FA0
            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00742FAA
            • CoCreateInstance.OLE32(0076B6C8,00000000,00000001,0074B808,?,?,?,?,?,?,?,?,?,?,?,0072BDED), ref: 00742FE5
            • ExitProcess.KERNEL32 ref: 00743094
            Strings
            Similarity
            • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
            • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
            APIs
            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,0070C319,007052FD,?,?,0070533D), ref: 0070C170
            • GetLastError.KERNEL32(?,0070C319,007052FD,?,?,0070533D,0070533D,00000000,?,00000000), ref: 0070C181
            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,0070C319,007052FD,?,?,0070533D,0070533D,00000000,?), ref: 0070C1D0
            • GetCurrentProcess.KERNEL32(000000FF,00000000,?,0070C319,007052FD,?,?,0070533D,0070533D,00000000,?,00000000), ref: 0070C1D6
            • DuplicateHandle.KERNELBASE(00000000,?,0070C319,007052FD,?,?,0070533D,0070533D,00000000,?,00000000), ref: 0070C1D9
            • GetLastError.KERNEL32(?,0070C319,007052FD,?,?,0070533D,0070533D,00000000,?,00000000), ref: 0070C1E3
            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0070C319,007052FD,?,?,0070533D,0070533D,00000000,?,00000000), ref: 0070C235
            • GetLastError.KERNEL32(?,0070C319,007052FD,?,?,0070533D,0070533D,00000000,?,00000000), ref: 0070C23F
            Strings
            Similarity
            • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
            • String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$feclient.dll
            APIs
            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,0070C285,?,00000000,?,0070C319), ref: 007214BB
            • GetLastError.KERNEL32(?,0070C285,?,00000000,?,0070C319,007052FD,?,?,0070533D,0070533D,00000000,?,00000000), ref: 007214C4
            Strings
            Similarity
            • API ID: CreateErrorEventLast
            • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
            APIs
            • GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 0073FBD5
            • GetProcAddress.KERNEL32(SystemFunction041), ref: 0073FBE7
            • GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 0073FC2A
            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0073FC3E
            • GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 0073FC76
            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0073FC8A
            Strings
            Similarity
            • API ID: AddressProc$ErrorLast
            • String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$cryputil.cpp
            APIs
            • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 00720657
            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0072066F
            • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 00720674
            • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00720677
            • GetLastError.KERNEL32(?,?), ref: 00720681
            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 007206F0
            • GetLastError.KERNEL32(?,?), ref: 007206FD
            Strings
            • <the>.cab, xrefs: 00720650
            • Failed to open cabinet file: %hs, xrefs: 0072072E
            • Failed to add virtual file pointer for cab container., xrefs: 007206D6
            • cabextract.cpp, xrefs: 007206A5, 00720721
            • Failed to duplicate handle to cab container., xrefs: 007206AF
            Similarity
            • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
            • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
            APIs
            • GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,00704D0B,?,?), ref: 00716879
            • GetCurrentProcess.KERNEL32(?,00000000,?,?,00704D0B,?,?), ref: 0071687F
            • DuplicateHandle.KERNELBASE(00000000,?,?,00704D0B,?,?), ref: 00716882
            • GetLastError.KERNEL32(?,?,00704D0B,?,?), ref: 0071688C
            • CloseHandle.KERNEL32(000000FF,?,00704D0B,?,?), ref: 00716905
            Strings
            • Failed to duplicate file handle for attached container., xrefs: 007168BA
            • burn.filehandle.attached, xrefs: 007168D2
            • core.cpp, xrefs: 007168B0
            • %ls -%ls=%u, xrefs: 007168D9
            • Failed to append the file handle to the command line., xrefs: 007168ED
            Similarity
            • API ID: CurrentHandleProcess$CloseDuplicateErrorLast
            • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$core.cpp
            APIs
            • CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 0071694B
            • CloseHandle.KERNEL32(00000000), ref: 007169BB
            Strings
            Similarity
            • API ID: CloseCreateFileHandle
            • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
            APIs
            • OpenProcessToken.ADVAPI32(?,00000008,?,007052B5,00000000,?,?,?,?,?,?,?,007174AB,00000000), ref: 0074078A
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,007174AB,00000000), ref: 00740794
            • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,007174AB,00000000), ref: 007407C6
            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,007174AB,00000000), ref: 0074081D
            Strings
            Similarity
            • API ID: Token$ChangeCloseErrorFindInformationLastNotificationOpenProcess
            • String ID: procutil.cpp
            APIs
            • CoInitialize.OLE32(00000000), ref: 0074344A
            • InterlockedIncrement.KERNEL32(0076B6D8), ref: 00743467
            • CLSIDFromProgID.OLE32(Msxml2.DOMDocument,0076B6C8,?,?,?,?,?,?), ref: 00743482
            • CLSIDFromProgID.OLE32(MSXML.DOMDocument,0076B6C8,?,?,?,?,?,?), ref: 0074348E
            Strings
            Similarity
            • API ID: FromProg$IncrementInitializeInterlocked
            • String ID: MSXML.DOMDocument$Msxml2.DOMDocument
            APIs
            • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 0074495A
            • GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00744989
            • GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 007449B3
            • GetLastError.KERNEL32(00000000,0074B790,?,?,?,00000000,00000000,00000000), ref: 007449F4
            • GlobalFree.KERNEL32(00000000), ref: 00744A28
            Strings
            Similarity
            • API ID: ErrorLast$Global$AllocFree
            • String ID: fileutil.cpp
            APIs
            • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 0072088A
            • GetLastError.KERNEL32(?,?,?), ref: 00720894
            Strings
            • Failed to move file pointer 0x%x bytes., xrefs: 007208C5
            • cabextract.cpp, xrefs: 007208B8
            • Invalid seek type., xrefs: 00720820
            Similarity
            • API ID: ErrorFileLastPointer
            • String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
            APIs
            • VariantInit.OLEAUT32(?), ref: 007431DD
            • SysAllocString.OLEAUT32(?), ref: 007431F9
            • VariantClear.OLEAUT32(?), ref: 00743280
            • SysFreeString.OLEAUT32(00000000), ref: 0074328B
            Strings
            Similarity
            • API ID: StringVariant$AllocClearFreeInit
            • String ID: xmlutil.cpp
            APIs
            • CreateDirectoryW.KERNELBASE(0070533D,007053B5,00000000,00000000,?,00719EE4,00000000,00000000,0070533D,00000000,007052B5,00000000,?,=Sp,0070D4AC,=Sp), ref: 00704021
            • GetLastError.KERNEL32(?,00719EE4,00000000,00000000,0070533D,00000000,007052B5,00000000,?,=Sp,0070D4AC,=Sp,00000000,00000000), ref: 0070402F
            • CreateDirectoryW.KERNEL32(0070533D,007053B5,00705381,?,00719EE4,00000000,00000000,0070533D,00000000,007052B5,00000000,?,=Sp,0070D4AC,=Sp,00000000), ref: 00704097
            • GetLastError.KERNEL32(?,00719EE4,00000000,00000000,0070533D,00000000,007052B5,00000000,?,=Sp,0070D4AC,=Sp,00000000,00000000), ref: 007040A1
            Strings
            Similarity
            • API ID: CreateDirectoryErrorLast
            • String ID: dirutil.cpp
            • API String ID: 1375471231-2193988115
            • Opcode ID: 45ccf29863a5805a107710d383e912d07c178b9ff800734baa095fc322680a0d
            • Instruction ID: b86e7d211aaaf982ae9013ef6d2e500141434db9dbffc5234a768c915747413c
            • Opcode Fuzzy Hash: 45ccf29863a5805a107710d383e912d07c178b9ff800734baa095fc322680a0d
            • Instruction Fuzzy Hash: 9511D2AA600225E6EB311AA14C44B3BB6D8DF51B60F1083A6FF05FB1D0D76CCC0192E5
            APIs
            • WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00704E16,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 00740927
            • GetLastError.KERNEL32(?,?,00704E16,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00740935
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLastObjectSingleWait
            • String ID: procutil.cpp
            • API String ID: 1211598281-1178289305
            • Opcode ID: 67b463dc5dc715a85d733ae04116e8ff73ec4f5f475cf67c0d55af96534bc863
            • Instruction ID: a9c783cd1d2582732c1460778eb6ad7bcfcf3a381816f387984a9682c771bfed
            • Opcode Fuzzy Hash: 67b463dc5dc715a85d733ae04116e8ff73ec4f5f475cf67c0d55af96534bc863
            • Instruction Fuzzy Hash: 5C11A176E00325EBEB209FA58C087AB7AE4EF05360F118226FE15E7291D3789D10D6E5
            APIs
              • Part of subcall function 0072114F: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,0072077D,?,?,?), ref: 00721177
              • Part of subcall function 0072114F: GetLastError.KERNEL32(?,0072077D,?,?,?), ref: 00721181
            • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 0072078B
            • GetLastError.KERNEL32 ref: 00720795
            Strings
            • Failed to read during cabinet extraction., xrefs: 007207C3
            • cabextract.cpp, xrefs: 007207B9
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorFileLast$PointerRead
            • String ID: Failed to read during cabinet extraction.$cabextract.cpp
            • API String ID: 2170121939-2426083571
            • Opcode ID: e8459724d1ffe4f52419e248b3de466429b00ce00fae20c33ee591bcf2849adf
            • Instruction ID: fd7fbe1fa55ebb7706c9af6208e49a00d3c0ee8a0dfdccd77f1d220104136eb1
            • Opcode Fuzzy Hash: e8459724d1ffe4f52419e248b3de466429b00ce00fae20c33ee591bcf2849adf
            • Instruction Fuzzy Hash: 1B01A572600228FBDB109FA8DC04E9A7BA9FF09760F014229FD09E7650D7359E109BD4
            APIs
            • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,0072077D,?,?,?), ref: 00721177
            • GetLastError.KERNEL32(?,0072077D,?,?,?), ref: 00721181
            Strings
            • Failed to move to virtual file pointer., xrefs: 007211AF
            • cabextract.cpp, xrefs: 007211A5
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorFileLastPointer
            • String ID: Failed to move to virtual file pointer.$cabextract.cpp
            • API String ID: 2976181284-3005670968
            • Opcode ID: 76290e66bfe553747cfa91da601bd12ea83d230617b4aa8b267a5e9ce87b3ec1
            • Instruction ID: e169ccf7ba611dbe4b62064b86584d4ebdb869c300e0a1945a97b5d5490f3f8b
            • Opcode Fuzzy Hash: 76290e66bfe553747cfa91da601bd12ea83d230617b4aa8b267a5e9ce87b3ec1
            • Instruction Fuzzy Hash: A901F236600239FBD7215AA6AC08E87BFA9FF117A1B00822AFE0896150D739DC20C6D4
            APIs
            • ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00743E5E
            • GetLastError.KERNEL32 ref: 00743EC1
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorFileLastRead
            • String ID: fileutil.cpp
            • API String ID: 1948546556-2967768451
            • Opcode ID: a12f6f6c18d6a44a92d7ddb7690bb1359492cec8cb3bb492766b3da957f724fc
            • Instruction ID: d5dab6a4e5c41c808b53e180b91753c276e69ac655c3374e05fa0ba399b85965
            • Opcode Fuzzy Hash: a12f6f6c18d6a44a92d7ddb7690bb1359492cec8cb3bb492766b3da957f724fc
            • Instruction Fuzzy Hash: D9414F75E01279DBEB21CE54C8407EAB7B4EF48751F0081AAA949E7240D7B99EC49B90
            APIs
            • lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00701104,?,?,00000000), ref: 0070503A
            • CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00701104,?,?,00000000), ref: 0070506A
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CompareStringlstrlen
            • String ID: burn.clean.room
            • API String ID: 1433953587-3055529264
            • Opcode ID: 31258b929e62d7802fd8fa2759bbb9985c2a1b36a629291fef29b50ca39c6d6a
            • Instruction ID: f0f868b3c581329715b1e01d432b7d9598da983291f7bf0b2f27b3a2dffe7df0
            • Opcode Fuzzy Hash: 31258b929e62d7802fd8fa2759bbb9985c2a1b36a629291fef29b50ca39c6d6a
            • Instruction Fuzzy Hash: A701A276600625EEC7204BA89884D7BB7ACFB04754710C217F546D2650D3B8AC44CEE5
            APIs
            • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00743E85,?,?,?), ref: 00744D12
            • GetLastError.KERNEL32(?,?,00743E85,?,?,?), ref: 00744D1C
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorFileLastWrite
            • String ID: fileutil.cpp
            • API String ID: 442123175-2967768451
            • Opcode ID: 4f755055458a1786e973884983e905fb0e88d6b5e1b32fef917a643adf75563a
            • Instruction ID: 0ccf85c021c25e026880e06c0f7cdcb5b9cf9e5f5b23b05dcd39a4e126a3e010
            • Opcode Fuzzy Hash: 4f755055458a1786e973884983e905fb0e88d6b5e1b32fef917a643adf75563a
            • Instruction Fuzzy Hash: 0CF08172B01229BBD7109E9ACD45F9BB7ADFB44761F004216FD05D7040E734ED009AE0
            APIs
            • SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00718564,00000000,00000000,00000000,00000000,00000000), ref: 007447EB
            • GetLastError.KERNEL32(?,?,?,00718564,00000000,00000000,00000000,00000000,00000000), ref: 007447F5
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorFileLastPointer
            • String ID: fileutil.cpp
            • API String ID: 2976181284-2967768451
            • Opcode ID: dd395bc5aee4137c1b5d85c726779b9cdb0c0016d89d246379a27caf97e0fb7b
            • Instruction ID: 68df64297bf839b4bd89d6155b6985c50fb1b3eece426eb9507266fc36e2a8aa
            • Opcode Fuzzy Hash: dd395bc5aee4137c1b5d85c726779b9cdb0c0016d89d246379a27caf97e0fb7b
            • Instruction Fuzzy Hash: B4F06D75A00219AB9B108F958C08EAB7BACEB04751B018119BD0597260D735DC10D6E4
            APIs
            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00703829
            • GetLastError.KERNEL32 ref: 00703833
            • LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 0070389B
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: DirectoryErrorLastLibraryLoadSystem
            • String ID:
            • API String ID: 1230559179-0
            • Opcode ID: a297b20c47e93f906fb915d87d84d4f778663252470b6722c4a731b626659ad2
            • Instruction ID: e06428c06cd6155c42f4c40b5241bee0cbd6d0cd762ac48105a1e3ec6e5fc13f
            • Opcode Fuzzy Hash: a297b20c47e93f906fb915d87d84d4f778663252470b6722c4a731b626659ad2
            • Instruction Fuzzy Hash: 8E219BB6D01329E7EB209B649C49F9A77EC9B05720F1142B5FE05E72C1E778DE4486A0
            APIs
            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00703B34,00000000,?,00701472,00000000,80004005,00000000,80004005,00000000,000001C7,?,007013B7), ref: 007039A3
            • RtlFreeHeap.NTDLL(00000000,?,00703B34,00000000,?,00701472,00000000,80004005,00000000,80004005,00000000,000001C7,?,007013B7,000001C7,00000100), ref: 007039AA
            • GetLastError.KERNEL32(?,00703B34,00000000,?,00701472,00000000,80004005,00000000,80004005,00000000,000001C7,?,007013B7,000001C7,00000100,?), ref: 007039B4
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Heap$ErrorFreeLastProcess
            • String ID:
            • API String ID: 406640338-0
            • Opcode ID: 3440f2b5251de846bb871da62ea0fb124602ac05fbf000ce7d0e548d304164d5
            • Instruction ID: 5e959e052be66a31385b433030d98e0ea0d503e61fa130c41006700f3501b143
            • Opcode Fuzzy Hash: 3440f2b5251de846bb871da62ea0fb124602ac05fbf000ce7d0e548d304164d5
            • Instruction Fuzzy Hash: A9D012366002386787202BFA5C0C697BE9CEF065A27018122FD09D2110E729CC10C6E8
            APIs
            • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00745699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00740E52
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Open
            • String ID: regutil.cpp
            • API String ID: 71445658-955085611
            • Opcode ID: d472bd6a45f22d829b795fe597487a0c958888465e1e1c88f759e5883a7bac97
            • Instruction ID: 9aad72d76547254256ec2c34c03d9aba9a6ee712c880302a172bdb8e77b81dec
            • Opcode Fuzzy Hash: d472bd6a45f22d829b795fe597487a0c958888465e1e1c88f759e5883a7bac97
            • Instruction Fuzzy Hash: 04F0A772701235ABDF2459568C04BA77DC5DF456A0F118524FE49DA150D37ACC2092D0
            APIs
            • VariantInit.OLEAUT32(?), ref: 007434CE
              • Part of subcall function 00742F23: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,007434DF,00000000,?,00000000), ref: 00742F3D
              • Part of subcall function 00742F23: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0072BDED,?,007052FD,?,00000000,?), ref: 00742F49
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorHandleInitLastModuleVariant
            • String ID:
            • API String ID: 52713655-0
            • Opcode ID: 9e3e9cf4419e3362e9c4d04888525883e6e0c0ad1867ddfb5d91834f8977f03c
            • Instruction ID: be32f05f9a05179c96570e0ea572314073c9fe50093026361b0394f79284ac34
            • Opcode Fuzzy Hash: 9e3e9cf4419e3362e9c4d04888525883e6e0c0ad1867ddfb5d91834f8977f03c
            • Instruction Fuzzy Hash: EB311976E006299BCB11DFA8C884AEEF7F8EF08710F01456AED15EB211D7759E148BA4
            APIs
            • RegCloseKey.ADVAPI32(80070490,00000000,80070490,0076AAA0,00000000,80070490,00000000,?,0071890E,WiX\Burn,PackageCache,00000000,0076AAA0,00000000,00000000,80070490), ref: 00745782
              • Part of subcall function 00740F6E: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00740FE4
              • Part of subcall function 00740F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0074101F
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: QueryValue$Close
            • String ID:
            • API String ID: 1979452859-0
            • Opcode ID: babfad91d1480ad9bc5aa95a14ebafd3a9ae0eca325b8f18565fa93b22ed29d3
            • Instruction ID: 13e88ff913e93b90a6fbd6280ecf1cc8e43997bcce4bf278883960b87c7db107
            • Opcode Fuzzy Hash: babfad91d1480ad9bc5aa95a14ebafd3a9ae0eca325b8f18565fa93b22ed29d3
            • Instruction Fuzzy Hash: AE11C236800529EBCF23AFA4DC859AEB769EB14321B154239ED016B112C3395D50EAD0
            APIs
            • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,007189CA,0000001C,80070490,00000000,00000000,80070490), ref: 007034E5
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: FolderPath
            • String ID:
            • API String ID: 1514166925-0
            • Opcode ID: e032531896b4b552f3ff396f4d13cb5cd4f9079dce6baa1e83b0ce76f189483a
            • Instruction ID: 1fba5d68407bb51dfb0082cc429574352ca9e22a3efd5d4e1470b87ff2d161dc
            • Opcode Fuzzy Hash: e032531896b4b552f3ff396f4d13cb5cd4f9079dce6baa1e83b0ce76f189483a
            • Instruction Fuzzy Hash: 1FE01276201225FBE6022E629C09DEB7BDCDF067607048151BE40DA041E769E91096B4
            APIs
            • FreeLibrary.KERNELBASE(00000000,00000000,0070547B,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00742DDD
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: FreeLibrary
            • String ID:
            • API String ID: 3664257935-0
            • Opcode ID: 0ac067daf7c38623e606862e29357b75e15fbc5add56ad00fe40ca941bde17e9
            • Instruction ID: 4d2df956ab15bd15fba8df48c2e6cf07185fa31c944dd5dabfdbbdc43dfd3690
            • Opcode Fuzzy Hash: 0ac067daf7c38623e606862e29357b75e15fbc5add56ad00fe40ca941bde17e9
            • Instruction Fuzzy Hash: 65E0F6B592A379DA8B108F59FD445527BB8B70AB40311865BF402C2270C3F884A18FA8
            APIs
            • ___delayLoadHelper2@8.DELAYIMP ref: 0073F35B
              • Part of subcall function 00749814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00749891
              • Part of subcall function 00749814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007498A2
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
            • String ID:
            • API String ID: 1269201914-0
            • Opcode ID: 5a39ebfca9d8b6d244611f5c1e6573bf361c5e0be8e557e88fa256d2e4734e45
            • Instruction ID: 90a2b205e3b6b7b6c9dd371220658d87b240410029e8cc4c6cb96250c5ce1919
            • Opcode Fuzzy Hash: 5a39ebfca9d8b6d244611f5c1e6573bf361c5e0be8e557e88fa256d2e4734e45
            • Instruction Fuzzy Hash: 9CB012E1658601FC328853181C07C37024CC1C1F20334C63AF906C1041E88C1C480033
            APIs
            • ___delayLoadHelper2@8.DELAYIMP ref: 0073F35B
              • Part of subcall function 00749814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00749891
              • Part of subcall function 00749814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007498A2
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
            • String ID:
            • API String ID: 1269201914-0
            • Opcode ID: 13dce69aeace2f532a26d49fcbfa9aa3f5b965460b2a3b2f055b4eebd0ba9a37
            • Instruction ID: 6416e034cd204f06d0f7a2dcb59acd8a004f2489f7bd14c86fd7df4aa989aea1
            • Opcode Fuzzy Hash: 13dce69aeace2f532a26d49fcbfa9aa3f5b965460b2a3b2f055b4eebd0ba9a37
            • Instruction Fuzzy Hash: B6B012E1658501FD328457181D07C37024CC1C1F20334C53AF906C1041E88C1C090433
            APIs
            • ___delayLoadHelper2@8.DELAYIMP ref: 0073F35B
              • Part of subcall function 00749814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00749891
              • Part of subcall function 00749814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007498A2
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
            • String ID:
            • API String ID: 1269201914-0
            • Opcode ID: 0612f050ca90914dbf55b7d11a9e267b62f460e38500a7c58eccd33d0405e5a7
            • Instruction ID: 648ea4cf09c74c3981fbab2741c6253c5209378317c54b2d3b2c5fc813e94d73
            • Opcode Fuzzy Hash: 0612f050ca90914dbf55b7d11a9e267b62f460e38500a7c58eccd33d0405e5a7
            • Instruction Fuzzy Hash: 95B012E2658501FC324413146C07C37030CC1C1F24334C53AFE02D0041E88C2D0C0033
            APIs
            • ___delayLoadHelper2@8.DELAYIMP ref: 007494E7
              • Part of subcall function 00749814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00749891
              • Part of subcall function 00749814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007498A2
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
            • String ID:
            • API String ID: 1269201914-0
            • Opcode ID: 49402e8032de4c3689f8bf2e15a773010a565a859e4c1f4184e297c58f2e5ed8
            • Instruction ID: 715368a5f6e19faeb241b1a13758b0b4d2eff809b0ba21b7fb9f1523e66f896c
            • Opcode Fuzzy Hash: 49402e8032de4c3689f8bf2e15a773010a565a859e4c1f4184e297c58f2e5ed8
            • Instruction Fuzzy Hash: F9B012C52A8502FC32D4661C5C07C37010CC1C0F10330C73ABF02C2080E94C2C090433
            APIs
            • ___delayLoadHelper2@8.DELAYIMP ref: 007494E7
              • Part of subcall function 00749814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00749891
              • Part of subcall function 00749814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007498A2
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
            • String ID:
            • API String ID: 1269201914-0
            • Opcode ID: d438d34a0064533c819451cf5362229f44e5cbc3f0b3b6c9a585a2c75ead63d7
            • Instruction ID: 6963bc39f8f6dcc72a22f6eb8aac6bd295ec3782fdef4bba66c78850f01e6c44
            • Opcode Fuzzy Hash: d438d34a0064533c819451cf5362229f44e5cbc3f0b3b6c9a585a2c75ead63d7
            • Instruction Fuzzy Hash: 0EB012C52A8601FC3394261C5C47C37010CD6C0F10330C73ABB02F1080A94C1C050433
            APIs
            • ___delayLoadHelper2@8.DELAYIMP ref: 007494E7
              • Part of subcall function 00749814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00749891
              • Part of subcall function 00749814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007498A2
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
            • String ID:
            • API String ID: 1269201914-0
            • Opcode ID: 61c40f61be95d860a4f08ed93784a2ea5bc87ed27bc2835a6dcb1bcacbdc8fff
            • Instruction ID: 911785c4178a45775f698c222a153abca372b7564b00611e4993db74033f4be7
            • Opcode Fuzzy Hash: 61c40f61be95d860a4f08ed93784a2ea5bc87ed27bc2835a6dcb1bcacbdc8fff
            • Instruction Fuzzy Hash: FBB012C52A8701FC32D4665C6E07C37010CC5C0F10330873ABB02E2080E94C1C060833
            APIs
            • lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,007021B8,?,00000000,?,00000000,?,007038BD,00000000,?,00000104), ref: 007014E4
              • Part of subcall function 00703B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,007021DC,000001C7,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 00703B59
              • Part of subcall function 00703B51: HeapSize.KERNEL32(00000000,?,007021DC,000001C7,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 00703B60
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Heap$ProcessSizelstrlen
            • String ID:
            • API String ID: 3492610842-0
            • Opcode ID: 74bebcc7c3e34bd57745fc48d1c8b7977dec3c139acceb892dd5ed83f27dc8a6
            • Instruction ID: 66f977b27cc6a2231d3e23aeb66f4c622fa3d86eb08c00af1373a90a2f5ffb54
            • Opcode Fuzzy Hash: 74bebcc7c3e34bd57745fc48d1c8b7977dec3c139acceb892dd5ed83f27dc8a6
            • Instruction Fuzzy Hash: CB01F537200218EFCF215E54CC84F9A77E9AF81764F618325FA259B1E1D739EC109690
            APIs
            • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0074166B
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00741675
            • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 007416C2
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 007416C8
            • CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00741702
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00741708
            • CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 00741748
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0074174E
            • CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 0074178E
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00741794
            • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 007417D4
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 007417DA
            • SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 007418BD
            • LocalFree.KERNEL32(?), ref: 007419DC
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLast$CreateKnownWell$DescriptorEntriesFreeInitializeLocalSecurity
            • String ID: srputil.cpp
            • API String ID: 3627156773-4105181634
            • Opcode ID: 64c0355bbe6a27f963926001ef8c1541464ff45a95ea23a7b804c4d928e42209
            • Instruction ID: 91e6a16cf999fcb04f1e8564f678f540da3f40a1b8b064bf93eaac7512c9e475
            • Opcode Fuzzy Hash: 64c0355bbe6a27f963926001ef8c1541464ff45a95ea23a7b804c4d928e42209
            • Instruction Fuzzy Hash: F0B17A76D4132CABEB209BA58D44BEB76FCEF09741F0141A6FD09F7150E7749E808AA4
            Strings
            • Failed to copy filename for pseudo bundle., xrefs: 0072C1DF
            • Failed to copy cache id for pseudo bundle., xrefs: 0072C327
            • Failed to copy key for pseudo bundle payload., xrefs: 0072C1BB
            • Failed to append relation type to repair arguments for related bundle package, xrefs: 0072C3B9
            • Failed to copy display name for pseudo bundle., xrefs: 0072C4F2
            • Failed to allocate memory for pseudo bundle payload hash., xrefs: 0072C275
            • Failed to copy repair arguments for related bundle package, xrefs: 0072C398
            • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 0072C186
            • Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 0072C14D
            • Failed to append relation type to install arguments for related bundle package, xrefs: 0072C371
            • pseudobundle.cpp, xrefs: 0072C141, 0072C17A, 0072C269, 0072C475
            • -%ls, xrefs: 0072C114
            • Failed to copy key for pseudo bundle., xrefs: 0072C30A
            • Failed to copy local source path for pseudo bundle., xrefs: 0072C203
            • Failed to copy version for pseudo bundle., xrefs: 0072C4D0
            • Failed to copy download source for pseudo bundle., xrefs: 0072C231
            • Failed to copy install arguments for related bundle package, xrefs: 0072C34C
            • Failed to copy uninstall arguments for related bundle package, xrefs: 0072C3EB
            • Failed to append relation type to uninstall arguments for related bundle package, xrefs: 0072C40C
            • Failed to allocate memory for dependency providers., xrefs: 0072C481
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Heap$AllocateProcess
            • String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
            • API String ID: 1357844191-2832335422
            • Opcode ID: cf58aa1101df23565b94d4f467fe5252668ca4d8aa5a762e195871bbb545b29a
            • Instruction ID: 1238b7fca4139f8539085bdcd091a72cb469e4fdf456df44fb290ed8794e85e8
            • Opcode Fuzzy Hash: cf58aa1101df23565b94d4f467fe5252668ca4d8aa5a762e195871bbb545b29a
            • Instruction Fuzzy Hash: EAC1A3B2A00666FBEB16DF68DC55E6F76E8BF18710B004225FD05EB241DB78EC109791
            APIs
              • Part of subcall function 0070D39D: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00716E4B,000000B8,00000000,?,00000000,75C0B390), ref: 0070D3AC
              • Part of subcall function 0070D39D: InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 0070D3BB
              • Part of subcall function 0070D39D: LeaveCriticalSection.KERNEL32(000000D0,?,00716E4B,000000B8,00000000,?,00000000,75C0B390), ref: 0070D3D0
            • ReleaseMutex.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000000), ref: 00716D9A
            • CloseHandle.KERNEL32(00000000), ref: 00716DA3
            • CloseHandle.KERNEL32(@Gp,?,00000000,?,00000000,00000001,00000000), ref: 00716DC0
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseCriticalHandleSection$CompareEnterExchangeInterlockedLeaveMutexRelease
            • String ID: @Gp$Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$core.cpp
            • API String ID: 322611130-2870728509
            • Opcode ID: 2344048d3dacb9114f138c5c29ec009a5f4ce725e6854edaa3bff26d333a187c
            • Instruction ID: 45e26b315bf77af179516cbabd2f93e61f6e39651a46101150eb703f8b793587
            • Opcode Fuzzy Hash: 2344048d3dacb9114f138c5c29ec009a5f4ce725e6854edaa3bff26d333a187c
            • Instruction Fuzzy Hash: 95C1B5B1A0161AEBDF159FA8D845BEEB7B8FF04315F00422AF515A6180DB78AD94CBD0
            APIs
            • GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 00704512
            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00704519
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00704523
            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00704573
            • GetLastError.KERNEL32 ref: 0070457D
            • CloseHandle.KERNEL32(?), ref: 00704677
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLastProcess$CloseCurrentHandleLookupOpenPrivilegeTokenValue
            • String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$engine.cpp
            • API String ID: 4232854991-1583736410
            • Opcode ID: 0ce78297d2eb03bc3f4605c95142cdfd739439c37c1be668a987bd7fba8523ba
            • Instruction ID: 58d417f45ee6b86146c609b525fae1638bcb2baceef9c441e370fb9990ac4904
            • Opcode Fuzzy Hash: 0ce78297d2eb03bc3f4605c95142cdfd739439c37c1be668a987bd7fba8523ba
            • Instruction Fuzzy Hash: 8B41D8B6A40329FBE7205BB99C49B7B76ECEB01751F014226FE05F61E0E76D8D0086E5
            APIs
            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 00714D16
            • GetLastError.KERNEL32(?,00000000,?,?,0070442A,?), ref: 00714D1F
            • CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,0070442A,?), ref: 00714DC0
            • GetLastError.KERNEL32(?,0070442A,?), ref: 00714DCD
            • CloseHandle.KERNEL32(00000000,pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,0070442A,?), ref: 00714E93
            • LocalFree.KERNEL32(00000000,?,0070442A,?), ref: 00714EC1
            Strings
            • pipe.cpp, xrefs: 00714D43, 00714DF1, 00714E77
            • Failed to allocate full name of cache pipe: %ls, xrefs: 00714E2A
            • \\.\pipe\%ls, xrefs: 00714D77
            • Failed to allocate full name of pipe: %ls, xrefs: 00714D8D
            • Failed to create the security descriptor for the connection event and pipe., xrefs: 00714D4D
            • Failed to create pipe: %ls, xrefs: 00714DFE, 00714E84
            • \\.\pipe\%ls.Cache, xrefs: 00714E14
            • D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 00714D11
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: DescriptorErrorLastSecurity$CloseConvertCreateFreeHandleLocalNamedPipeString
            • String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
            • API String ID: 3065245045-3253666091
            • Opcode ID: a2abba9504422bec7e4421d50d57cbbdd9e7fee3276a159dc5abc127de0f1a81
            • Instruction ID: 5ec5178cd729d45b877fc57322a6b900de0e0b6838889fa1365118bb60d9cf11
            • Opcode Fuzzy Hash: a2abba9504422bec7e4421d50d57cbbdd9e7fee3276a159dc5abc127de0f1a81
            • Instruction Fuzzy Hash: 9451B575E40315FBEB219BA8DC46BDEB7B4EF04711F104125FD00B61D0D3B99E849A91
            APIs
            • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,00719CFF,00000003,000007D0,00000003,?,000007D0,00000000,000007D0), ref: 0073F9C6
            • GetLastError.KERNEL32 ref: 0073F9D0
            • CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 0073FA0D
            • GetLastError.KERNEL32 ref: 0073FA17
            • CryptDestroyHash.ADVAPI32(00000000), ref: 0073FAC9
            • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0073FAE0
            • GetLastError.KERNEL32 ref: 0073FAFB
            • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 0073FB33
            • GetLastError.KERNEL32 ref: 0073FB3D
            • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 0073FB76
            • GetLastError.KERNEL32 ref: 0073FB84
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CryptErrorLast$Hash$Context$AcquireCreateDestroyFileParamPointerRelease
            • String ID: cryputil.cpp
            • API String ID: 1716956426-2185294990
            • Opcode ID: b8cfa099ee30ac1c37a0e1c480caacfb5a344ff73594f56eae9f7068aa373e56
            • Instruction ID: 7a3c91671e5746d552a4b8d677ec25c428c553f0d3942210e32b9699bd8b4043
            • Opcode Fuzzy Hash: b8cfa099ee30ac1c37a0e1c480caacfb5a344ff73594f56eae9f7068aa373e56
            • Instruction Fuzzy Hash: F5517876E40364ABFB319A758C04BE776E8EB09781F018176FE4DE6160D7788D80DAE4
            Strings
            • moving, xrefs: 00719E2C, 00719E34
            • Failed to transfer working path to unverified path for payload: %ls., xrefs: 00719D9F
            • Failed to concat complete cached path., xrefs: 00719CEF
            • Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 00719DC6
            • copying, xrefs: 00719E27
            • Failed to reset permissions on unverified cached payload: %ls, xrefs: 00719DEC
            • Failed to move verified file to complete payload path: %ls, xrefs: 00719E68
            • Failed to get cached path for package with cache id: %ls, xrefs: 00719CC3
            • Failed to create unverified path., xrefs: 00719D69
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID:
            • String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
            • API String ID: 0-1289240508
            • Opcode ID: cd7c5781415c8069d2ad977a5ec338e9b50519078d44d9893502cc8192e11812
            • Instruction ID: 42d12fd55966f17bfe87372304f21da19f67cd191d97093378db60f3c11142c2
            • Opcode Fuzzy Hash: cd7c5781415c8069d2ad977a5ec338e9b50519078d44d9893502cc8192e11812
            • Instruction Fuzzy Hash: D5519E32940119FBDF226BA8CC16FDEBA76AF04710F104155FA00761A1E77A9EA5BB81
            APIs
            • EnterCriticalSection.KERNEL32(0076B60C,00000000,?,?,?,?,00721014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 0073FDF0
            • GetCurrentProcessId.KERNEL32(00000000,?,00721014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 0073FE00
            • GetCurrentThreadId.KERNEL32 ref: 0073FE09
            • GetLocalTime.KERNEL32(8007139F,?,00721014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 0073FE1F
            • LeaveCriticalSection.KERNEL32(0076B60C,?,00000000,00000000,0000FDE9), ref: 0073FF12
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
            • String ID: $cv$%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls$(cv$,cv$0cv$0cv
            • API String ID: 296830338-1263783696
            • Opcode ID: 8ddaa85fa430d9dd06a0cc59efe88e2eaf930427d96492fdb7c371874721419c
            • Instruction ID: 98ed93227ff7aff8df23f2af2d832f6c189a412694936bd6b3adb396caa50746
            • Opcode Fuzzy Hash: 8ddaa85fa430d9dd06a0cc59efe88e2eaf930427d96492fdb7c371874721419c
            • Instruction Fuzzy Hash: ED417F72D01219EBEB209BA4DC45ABEB7F9AB09751F504036F902E2261D73C8D80CBA1
            APIs
            • GetVersionExW.KERNEL32(0000011C), ref: 007061D2
            • GetLastError.KERNEL32 ref: 007061DC
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLastVersion
            • String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
            • API String ID: 305913169-1971907631
            • Opcode ID: 2c2062534e56e1444b3c222a74d16a6cd0236cd5e1f1e9b765cbf864478ae79d
            • Instruction ID: 2a8b809c8eee9ea13bb530956a6246d7a6fcfa148489b1bdd53da811175fec37
            • Opcode Fuzzy Hash: 2c2062534e56e1444b3c222a74d16a6cd0236cd5e1f1e9b765cbf864478ae79d
            • Instruction Fuzzy Hash: BF418871E04228EBDB209BA9CC55EEB7BF8EB89710F10429AF505E7180D7789E51CB94
            APIs
            • FindFirstFileW.KERNEL32(?,?,?,?,*.*,?,?,?,00000000,.unverified,?), ref: 007199ED
            • lstrlenW.KERNEL32(?), ref: 00719A14
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00719A74
            • FindClose.KERNEL32(00000000), ref: 00719A7F
              • Part of subcall function 00703BC3: GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00703C3F
              • Part of subcall function 00703BC3: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00703C52
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
            • String ID: *.*$.unverified
            • API String ID: 457978746-2528915496
            • Opcode ID: 23344a0d00b6a82f44cac60529f5bcfb55a793a5d8b3c76e1d4f5a4e0dd30a1f
            • Instruction ID: bcf40e824a309738d632e8e176ed35f68e7426c9d967b9f9b6ef5a4599e31622
            • Opcode Fuzzy Hash: 23344a0d00b6a82f44cac60529f5bcfb55a793a5d8b3c76e1d4f5a4e0dd30a1f
            • Instruction Fuzzy Hash: CA41947190056CEEDF20AB68DC5DBEAB7B8AF44701F0041A1E608E50E0EB789EC9DF14
            APIs
            • GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 00748788
            • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 0074879A
            Strings
            • %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 007487E3
            • %04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 00748771
            • feclient.dll, xrefs: 00748762
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Time$InformationLocalSpecificSystemZone
            • String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$feclient.dll
            • API String ID: 1772835396-197647302
            • Opcode ID: c681a28f8fb5c607ef1451005d425835fad74ede12a79db72a3be8bc9f9ea03d
            • Instruction ID: c025abff96f791557e7de675d01101f651fcd0bfbd37a874be0315fda57a81de
            • Opcode Fuzzy Hash: c681a28f8fb5c607ef1451005d425835fad74ede12a79db72a3be8bc9f9ea03d
            • Instruction Fuzzy Hash: 472128A6900128FAD720DB9A9C05FBBB3FCEB48B01F10455AF945E2080E77CAE80D770
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLastNameUser
            • String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
            • API String ID: 2054405381-1522884404
            • Opcode ID: 8f50e139f1de70a96b6f86a4c5e86c2f759c221aeade3f070e787f0d4ef6182d
            • Instruction ID: 4cd8145145c5d24ba8b28adaf33dcb95b026ed30ba1f34b9bb4ab39785b2b3d8
            • Opcode Fuzzy Hash: 8f50e139f1de70a96b6f86a4c5e86c2f759c221aeade3f070e787f0d4ef6182d
            • Instruction Fuzzy Hash: 8E01D671A0133DEBD721AB64DC09AAB77ECEB00720F004266F815E7181EB7C9E1496E1
            APIs
            • FormatMessageW.KERNEL32(00000900,?,00000000,00000000,00000000,00000000,?,00000000,?,?,007403EC,?,00000000,?,?,00000001), ref: 0073FD3F
            • GetLastError.KERNEL32(?,007403EC,?,00000000,?,?,00000001,?,00705523,?,?,00000000,?,?,0070528D,00000002), ref: 0073FD4B
            • LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,007403EC,?,00000000,?,?,00000001,?,00705523,?,?), ref: 0073FDB3
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorFormatFreeLastLocalMessage
            • String ID: logutil.cpp
            • API String ID: 1365068426-3545173039
            APIs
            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,007268EF,00000000,00000003), ref: 0072695C
            • GetLastError.KERNEL32(?,007268EF,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,00726CE1,?), ref: 00726966
            Strings
            • Failed to set service start type., xrefs: 00726994
            • msuengine.cpp, xrefs: 0072698A
            Similarity
            • API ID: ChangeConfigErrorLastService
            • String ID: Failed to set service start type.$msuengine.cpp
            • API String ID: 1456623077-1628545019
            APIs
            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00733CA8
            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00733CB2
            • UnhandledExceptionFilter.KERNEL32(80003CDD,?,?,?,?,?,?), ref: 00733CBF
            Similarity
            • API ID: ExceptionFilterUnhandled$DebuggerPresent
            • String ID:
            • API String ID: 3906539128-0
            APIs
              • Part of subcall function 00743AC9: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,0074396A,?), ref: 00743B3A
            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0074398E
            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0074399F
            Similarity
            • API ID: AllocateCheckCloseInitializeMembershipToken
            • String ID:
            • API String ID: 2114926846-0
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(Function_0002E77F,0072DEF8), ref: 0072E778
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            APIs
            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000,?,?,?), ref: 00710409
            Strings
            Similarity
            • API ID: Close
            • String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.10.4.4718$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString
            • API String ID: 3535843008-3978993339
            APIs
            • EnterCriticalSection.KERNEL32(?,?,00000000,80070490,?,?,?,?,?,?,?,=Sp,0072BF87,?,?,?), ref: 0070837E
            • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,=Sp,0072BF87,?,?,?,?,=Sp,Chain), ref: 007086DB
            Strings
            • Initializing hidden variable '%ls', xrefs: 00708548
            • Attempt to set built-in variable value: %ls, xrefs: 0070869F
            • Invalid value for @Type: %ls, xrefs: 0070864F
            • Failed to set value of variable: %ls, xrefs: 0070867E
            • Failed to set variant value., xrefs: 00708666
            • version, xrefs: 00708503
            • Failed to set variant encryption, xrefs: 00708674
            • Initializing version variable '%ls' to value '%ls', xrefs: 0070852A
            • Failed to get @Value., xrefs: 0070866D
            • Persisted, xrefs: 00708421
            • Failed to change variant type., xrefs: 007086B1
            • Failed to get @Hidden., xrefs: 007086BF
            • Hidden, xrefs: 00708406
            • Failed to get @Id., xrefs: 007086C6
            • Failed to insert variable '%ls'., xrefs: 0070859D
            • Failed to get @Type., xrefs: 0070865F
            • Initializing numeric variable '%ls' to value '%ls', xrefs: 007084B9
            • Failed to find variable value '%ls'., xrefs: 007086A9
            • string, xrefs: 007084CE
            • Failed to get @Persisted., xrefs: 007086B8
            • Initializing string variable '%ls' to value '%ls', xrefs: 007084F1
            • Failed to select variable nodes., xrefs: 0070839B
            • variable.cpp, xrefs: 00708690
            • Type, xrefs: 0070847A
            • Value, xrefs: 0070843C
            • Failed to get next node., xrefs: 007086CD
            • Variable, xrefs: 00708388
            • numeric, xrefs: 00708493
            • =Sp, xrefs: 0070834D
            • Failed to get variable node count., xrefs: 007083B8
            Similarity
            • API ID: CriticalSection$EnterLeave
            • String ID: =Sp$Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
            • API String ID: 3168844106-572110452
            APIs
            • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,0071BBCA,00000007,?,?,?), ref: 00726AD9
              • Part of subcall function 007409BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00705D8F,00000000), ref: 007409CF
              • Part of subcall function 007409BB: GetProcAddress.KERNEL32(00000000), ref: 007409D6
              • Part of subcall function 007409BB: GetLastError.KERNEL32(?,?,?,00705D8F,00000000), ref: 007409ED
            • CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 00726EC9
            • CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 00726EDD
            Strings
            • Failed to format MSU uninstall command., xrefs: 00726C42
            • Bootstrapper application aborted during MSU progress., xrefs: 00726E0D
            • msuengine.cpp, xrefs: 00726D46, 00726DDB, 00726E03
            • Failed to determine WOW64 status., xrefs: 00726AEB
            • "%ls" "%ls" /quiet /norestart, xrefs: 00726C01
            • Failed to format MSU install command., xrefs: 00726C15
            • Failed to ensure WU service was enabled to install MSU package., xrefs: 00726CE7
            • Failed to get cached path for package: %ls, xrefs: 00726BB5
            • wusa.exe, xrefs: 00726B59
            • Failed to get action arguments for MSU package., xrefs: 00726B8F
            • WixBundleExecutePackageCacheFolder, xrefs: 00726BC4, 00726EF5
            • Failed to append log path to MSU command-line., xrefs: 00726C8D
            • Failed to get process exit code., xrefs: 00726DE5
            • Failed to build MSU path., xrefs: 00726BEE
            • D, xrefs: 00726CF4
            • /log:, xrefs: 00726C5B
            • SysNative\, xrefs: 00726B23
            • Failed to wait for executable to complete: %ls, xrefs: 00726E58
            • Failed to append log switch to MSU command-line., xrefs: 00726C6F
            • Failed to find System32 directory., xrefs: 00726B4E
            • Failed to append SysNative directory., xrefs: 00726B36
            • Failed to CreateProcess on path: %ls, xrefs: 00726D53
            • 2, xrefs: 00726D6C
            • Failed to allocate WUSA.exe path., xrefs: 00726B6C
            • Failed to find Windows directory., xrefs: 00726B18
            • "%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 00726C2E
            Similarity
            • API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
            • String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$WixBundleExecutePackageCacheFolder$msuengine.cpp$wusa.exe
            • API String ID: 1400713077-4261965642
            APIs
            • lstrlenW.KERNEL32(?,?,00000000,?,0074B4F0,?,00000000,?,0070442A,?,0074B4F0), ref: 00715304
            • GetCurrentProcessId.KERNEL32(?,0070442A,?,0074B4F0), ref: 0071530F
            • SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,0070442A,?,0074B4F0), ref: 00715346
            • ConnectNamedPipe.KERNEL32(?,00000000,?,0070442A,?,0074B4F0), ref: 0071535B
            • GetLastError.KERNEL32(?,0070442A,?,0074B4F0), ref: 00715365
            • Sleep.KERNEL32(00000064,?,0070442A,?,0074B4F0), ref: 00715396
            • SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,0070442A,?,0074B4F0), ref: 007153B9
            • WriteFile.KERNEL32(?,0074B4F0,00000004,00000000,00000000,?,0070442A,?,0074B4F0), ref: 007153D4
            • WriteFile.KERNEL32(?,*Dp,0074B4F0,00000000,00000000,?,0070442A,?,0074B4F0), ref: 007153EF
            • WriteFile.KERNEL32(?,comres.dll,00000004,feclient.dll,00000000,?,0070442A,?,0074B4F0), ref: 0071540A
            • ReadFile.KERNEL32(?,wininet.dll,00000004,feclient.dll,00000000,?,0070442A,?,0074B4F0), ref: 00715425
            • GetLastError.KERNEL32(?,0070442A,?,0074B4F0), ref: 0071547D
            • GetLastError.KERNEL32(?,0070442A,?,0074B4F0), ref: 007154B1
            • GetLastError.KERNEL32(?,0070442A,?,0074B4F0), ref: 007154E5
            • GetLastError.KERNEL32(?,0070442A,?,0074B4F0), ref: 0071557B
            Strings
            Similarity
            • API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
            • String ID: *Dp$Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$comres.dll$feclient.dll$pipe.cpp$wininet.dll
            • API String ID: 2944378912-1412458403
            APIs
              • Part of subcall function 007038D4: GetProcessHeap.KERNEL32(?,000001C7,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038E5
              • Part of subcall function 007038D4: RtlAllocateHeap.NTDLL(00000000,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038EC
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 00747407
            • SysFreeString.OLEAUT32(00000000), ref: 007475D0
            • SysFreeString.OLEAUT32(00000000), ref: 0074766D
            Strings
            Similarity
            • API ID: String$FreeHeap$AllocateCompareProcess
            • String ID: ($@$atomutil.cpp$author$category$entry$generator$icon$link$logo$subtitle$title$updated
            • API String ID: 1555028553-2592408802
            APIs
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0070A356
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0070A37C
            • RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 0070A666
            Strings
            • Failed to query registry key value size., xrefs: 0070A454
            • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 0070A63E
            • Failed to open registry key., xrefs: 0070A3E9
            • Unsupported registry key value type. Type = '%u', xrefs: 0070A506
            • Failed to change value type., xrefs: 0070A60D
            • Failed to format value string., xrefs: 0070A387
            • Failed to allocate string buffer., xrefs: 0070A565
            • Failed to allocate memory registry value., xrefs: 0070A487
            • Failed to query registry key value., xrefs: 0070A4D8
            • Failed to read registry value., xrefs: 0070A5F4
            • Failed to set variable., xrefs: 0070A629
            • Failed to format key string., xrefs: 0070A361
            • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0070A418
            • Failed to clear variable., xrefs: 0070A3D4
            • Failed to get expand environment string., xrefs: 0070A5DB
            • Registry key not found. Key = '%ls', xrefs: 0070A3B0
            • search.cpp, xrefs: 0070A44A, 0070A47D, 0070A4CE, 0070A5D1
            Similarity
            • API ID: Open@16$Close
            • String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
            • API String ID: 2348241696-3124384294
            APIs
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,00763C78,000000FF,?,?,?), ref: 0074707E
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 007470A3
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 007470C3
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 007470DF
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 00747107
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 00747123
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 0074715C
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 00747195
              • Part of subcall function 00746BF6: SysFreeString.OLEAUT32(00000000), ref: 00746D2F
              • Part of subcall function 00746BF6: SysFreeString.OLEAUT32(00000000), ref: 00746D71
            • SysFreeString.OLEAUT32(00000000), ref: 00747219
            • SysFreeString.OLEAUT32(00000000), ref: 007472C9
            Strings
            Similarity
            • API ID: String$Compare$Free
            • String ID: ($atomutil.cpp$author$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$published$summary$title$updated$version.dll
            • API String ID: 318886736-5681115
            APIs
            • UuidCreate.RPCRT4(?), ref: 0072D2A7
            • StringFromGUID2.OLE32(?,?,00000027), ref: 0072D2D0
            • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 0072D3BC
            • GetLastError.KERNEL32(?,?,?,?), ref: 0072D3C6
            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 0072D45B
            • GetExitCodeProcess.KERNEL32(?,?), ref: 0072D485
            • GetLastError.KERNEL32(?,?,?,?), ref: 0072D493
            • GetLastError.KERNEL32(?,?,?,?), ref: 0072D4CB
              • Part of subcall function 0072D12C: WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,00000000,?,?,?,?,0072D439,?), ref: 0072D145
              • Part of subcall function 0072D12C: ReleaseMutex.KERNEL32(?,?,?,?,0072D439,?), ref: 0072D161
              • Part of subcall function 0072D12C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0072D1A4
              • Part of subcall function 0072D12C: ReleaseMutex.KERNEL32(?), ref: 0072D1BB
              • Part of subcall function 0072D12C: SetEvent.KERNEL32(?), ref: 0072D1C4
            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 0072D580
            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 0072D598
            Strings
            • Failed to create netfx chainer guid., xrefs: 0072D2B4
            • NetFxEvent.%ls, xrefs: 0072D31F
            • Failed to get netfx return code., xrefs: 0072D4C1
            • D, xrefs: 0072D3A1
            • Failed to allocate netfx chainer arguments., xrefs: 0072D387
            • Failed to create netfx chainer., xrefs: 0072D352
            • Failed to allocate section name., xrefs: 0072D311
            • %ls /pipe %ls, xrefs: 0072D373
            • Failed to CreateProcess on path: %ls, xrefs: 0072D3F5
            • Failed to convert netfx chainer guid into string., xrefs: 0072D2EF
            • NetFxChainer.cpp, xrefs: 0072D2E5, 0072D3EA, 0072D4B7, 0072D4EF
            • Failed to wait for netfx chainer process to complete, xrefs: 0072D4F9
            • NetFxSection.%ls, xrefs: 0072D2FD
            • Failed to process netfx chainer message., xrefs: 0072D43F
            • Failed to allocate event name., xrefs: 0072D333
            Similarity
            • API ID: ErrorLastWait$CloseCreateHandleMutexObjectProcessReleaseSingle$CodeEventExitFromMultipleObjectsStringUuid
            • String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
            • API String ID: 2531618940-1825855094
            • Opcode ID: d9ab8102eec5b78a9e256ad38619d5147f00e7555cd1b1f2d8ee09c86b2adc60
            • Instruction ID: 316c32bf951fa3eb9e71558661dbef11629579bf4f26b0cd883ab7fa79157715
            • Opcode Fuzzy Hash: d9ab8102eec5b78a9e256ad38619d5147f00e7555cd1b1f2d8ee09c86b2adc60
            • Instruction Fuzzy Hash: 50A18E71D40328EBEB309BA4DC49BAEB7B8AF08310F11416AE909F7151D7799E448FA1
            APIs
            • EnterCriticalSection.KERNEL32(000002C0,00000100,00000100,00000000,00000000,?,007099BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 007056A2
            • lstrlenW.KERNEL32(00000000,?,007099BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 007056AC
            • _wcschr.LIBVCRUNTIME ref: 007058B4
            • LeaveCriticalSection.KERNEL32(000002C0,00000000,00000000,00000000,00000000,00000000,00000001,?,007099BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0), ref: 00705B56
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeave_wcschrlstrlen
            • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
            • API String ID: 1026845265-2050445661
            • Opcode ID: aa1ac4ce4c16edbf9c6776dbcebf4591941adee41b6ef7ee72e20ef70bba506e
            • Instruction ID: 0f344a9f14c50cb95015830e2232aa928656b2502b3771d61007de1397de23d3
            • Opcode Fuzzy Hash: aa1ac4ce4c16edbf9c6776dbcebf4591941adee41b6ef7ee72e20ef70bba506e
            • Instruction Fuzzy Hash: 6EF194B2D00619EBDB219FA4C845AAF7BE9EB04750F158229FD05A72C0D77C9E019FA1
            APIs
              • Part of subcall function 007038D4: GetProcessHeap.KERNEL32(?,000001C7,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038E5
              • Part of subcall function 007038D4: RtlAllocateHeap.NTDLL(00000000,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038EC
            • CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,0072D34C,?,?,?), ref: 0072CC6A
            • GetLastError.KERNEL32(?,?,0072D34C,?,?,?), ref: 0072CC77
            • ReleaseMutex.KERNEL32(?), ref: 0072CEDF
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
            • String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
            • API String ID: 3944734951-2991465304
            • Opcode ID: 4fdf1222277416f2b54162f4e3d6c4c5f4121be2354cab081070540936b5d868
            • Instruction ID: e2e4a20469135ba859cbfb28dd621f05de564c12efeab7dfbb9e9dcf54cbc013
            • Opcode Fuzzy Hash: 4fdf1222277416f2b54162f4e3d6c4c5f4121be2354cab081070540936b5d868
            • Instruction Fuzzy Hash: B171D1B6A40721FFD3229B699C49F5B7AE8BF15350F028226FD09A7290D778CD00C6E5
            APIs
              • Part of subcall function 007431C7: VariantInit.OLEAUT32(?), ref: 007431DD
              • Part of subcall function 007431C7: SysAllocString.OLEAUT32(?), ref: 007431F9
              • Part of subcall function 007431C7: VariantClear.OLEAUT32(?), ref: 00743280
              • Part of subcall function 007431C7: SysFreeString.OLEAUT32(00000000), ref: 0074328B
            • CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,0074CA64,?,?,Action,?,?,?,00000000,?), ref: 0070EA07
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 0070EA51
            Strings
            • Upgrade, xrefs: 0070EA44
            • Addon, xrefs: 0070EA8E
            • cabinet.dll, xrefs: 0070EAAE
            • Failed to resize Patch code array in registration, xrefs: 0070EB37
            • Failed to get RelatedBundle element count., xrefs: 0070E98B
            • comres.dll, xrefs: 0070EA1A
            • Failed to get RelatedBundle nodes, xrefs: 0070E966
            • Detect, xrefs: 0070E9F8
            • Failed to resize Addon code array in registration, xrefs: 0070EB30
            • Patch, xrefs: 0070EAD1
            • version.dll, xrefs: 0070EA64
            • Failed to resize Detect code array in registration, xrefs: 0070EB22
            • RelatedBundle, xrefs: 0070E944
            • Failed to get next RelatedBundle element., xrefs: 0070EB64
            • Failed to get @Action., xrefs: 0070EB5D
            • Action, xrefs: 0070E9C4
            • Failed to get @Id., xrefs: 0070EB56
            • Invalid value for @Action: %ls, xrefs: 0070EB46
            • Failed to resize Upgrade code array in registration, xrefs: 0070EB29
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: String$CompareVariant$AllocClearFreeInit
            • String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
            • API String ID: 702752599-259800149
            • Opcode ID: 3e54fe27c9cc352f84ea1bb9bab9f806da7d0df81d91c96adb420a165f050766
            • Instruction ID: 49a805c6b62502d0fea12f5a097e6fc7f6a19cf7aa7b90dcb59894a1cbe1c397
            • Opcode Fuzzy Hash: 3e54fe27c9cc352f84ea1bb9bab9f806da7d0df81d91c96adb420a165f050766
            • Instruction Fuzzy Hash: 7471A0B1A4562AFBCB10DA54CC41EAEB7B4FF04722F204758F916A76C1D778AE10DB90
            APIs
            • GetStringTypeW.KERNEL32(00000001,560074DB,00000001,?,00709801,?,00000000,00000000), ref: 00708E8D
            Strings
            • -, xrefs: 00708FF1
            • Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 007090AF
            • Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 007092C8
            • Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 0070910C
            • NOT, xrefs: 007091A7
            • Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 0070928D
            • AND, xrefs: 00709187
            • Failed to set symbol value., xrefs: 00708F35
            • condition.cpp, xrefs: 00708F5C, 00709027, 0070909C, 007090F9, 0070923A, 0070927A, 007092B5
            • Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 00708F6F
            • @, xrefs: 00708E93
            • Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 0070924D
            • Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 0070903A
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: StringType
            • String ID: -$@$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
            • API String ID: 4177115715-3640792234
            • Opcode ID: b4e6e5173d8a2f4570117396d4657154d896c3d8ab6046a0dd355ee4cc0aa979
            • Instruction ID: 26162c2256779e7945cec0409f1df02dceb5744bc49462cc6d7098c71fa314d7
            • Opcode Fuzzy Hash: b4e6e5173d8a2f4570117396d4657154d896c3d8ab6046a0dd355ee4cc0aa979
            • Instruction Fuzzy Hash: 92E1E2B5640205EBDB218F54CC89BBABBE5FB05710F144286FA459E2C6C7BDCE81DB90
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: StringVariant$AllocClearFreeInit
            • String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
            • API String ID: 760788290-1911311241
            • Opcode ID: 94acb9ed8c1f56a80188e3701d3885f1cdc685ee48c6089dce302a873d3b9db4
            • Instruction ID: cc8dd550c7b36265e5c9d9fbf76b08a9977d2c71ee1fb25df0987e2b9bd05d8e
            • Opcode Fuzzy Hash: 94acb9ed8c1f56a80188e3701d3885f1cdc685ee48c6089dce302a873d3b9db4
            • Instruction Fuzzy Hash: DA41FAB2A88775B6C72551609C47FEA756CAB10B31F200321FE14B67D2C7ECED0592D1
            APIs
              • Part of subcall function 007038D4: GetProcessHeap.KERNEL32(?,000001C7,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038E5
              • Part of subcall function 007038D4: RtlAllocateHeap.NTDLL(00000000,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038EC
            • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 00721A77
            • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 00721A95
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CompareHeapString$AllocateProcess
            • String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$error$exeengine.cpp$forceReboot$scheduleReboot$success
            • API String ID: 2664528157-1714101571
            • Opcode ID: 4d22f7f1a9ee0bb1d0adae205843fdf09a333cd51a21804ddea39caff1549058
            • Instruction ID: 44b82296527495e6929cee08fc292b078d2df869657155f7fc1c1c5ef5a90053
            • Opcode Fuzzy Hash: 4d22f7f1a9ee0bb1d0adae205843fdf09a333cd51a21804ddea39caff1549058
            • Instruction Fuzzy Hash: 5261D1B5A0522AFBCB109B64DC45EAEBBB4FF50720F608259F814BB2D1D7799E00D790
            APIs
            • GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,007149FE,0074B4D8,?,feclient.dll,00000000,?,?), ref: 007144FE
            • ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,007149FE,0074B4D8,?,feclient.dll,00000000,?,?), ref: 0071451F
            • GetLastError.KERNEL32(?,007149FE,0074B4D8,?,feclient.dll,00000000,?,?), ref: 00714525
            • WriteFile.KERNEL32(feclient.dll,?,00000004,007149FE,00000000,?,007149FE,0074B4D8,?,feclient.dll,00000000,?,?), ref: 0071468E
            • GetLastError.KERNEL32(?,007149FE,0074B4D8,?,feclient.dll,00000000,?,?), ref: 00714698
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorFileLast$CurrentProcessReadWrite
            • String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$feclient.dll$pipe.cpp
            • API String ID: 3008747291-1888336950
            • Opcode ID: 0ee839722fd0813006d71942be2748740f7cc1300c9b5a5f087e4a4706519f54
            • Instruction ID: 64943acfac61fa46d205ba464f7878d9093967c6709df68c34bd099778c0caff
            • Opcode Fuzzy Hash: 0ee839722fd0813006d71942be2748740f7cc1300c9b5a5f087e4a4706519f54
            • Instruction Fuzzy Hash: 2551F0B6A40315FBE7209AA88C86FEB76ECAB05B11F114216FE01F61D0D77C8E4496E5
            APIs
              • Part of subcall function 007439CD: GetVersionExW.KERNEL32(?,?,00000000,?), ref: 00743A1A
            • RegCloseKey.ADVAPI32(00000000,?,00020006,00020006,00000000,?,?,00000002,00000000,?,00000000,00000001,00000002), ref: 0070F2CB
              • Part of subcall function 00741344: RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,0070F11A,00000005,Resume,?,?,?,00000002,00000000), ref: 00741359
            Strings
            • Failed to write resume command line value., xrefs: 0070F1EA
            • registration.cpp, xrefs: 0070F250, 0070F29D
            • BundleResumeCommandLine, xrefs: 0070F1D5, 0070F267
            • Failed to write run key value., xrefs: 0070F1C8
            • Failed to delete resume command line value., xrefs: 0070F2A7
            • Failed to write Installed value., xrefs: 0070F143
            • Failed to create run key., xrefs: 0070F1AA
            • Failed to delete run key value., xrefs: 0070F25A
            • Resume, xrefs: 0070F10F
            • Failed to write Resume value., xrefs: 0070F120
            • Installed, xrefs: 0070F132
            • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 0070F0FA
            • burn.runonce, xrefs: 0070F167
            • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 0070F0AE
            • "%ls" /%ls, xrefs: 0070F172
            • Failed to format resume command line for RunOnce., xrefs: 0070F186
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseValueVersion
            • String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$burn.runonce$registration.cpp
            • API String ID: 2348918689-3140388177
            • Opcode ID: 8cd0f715632e626b64dbe73f4ff8010c40ea85c8e3e71d88aa3c2adfa1fec1db
            • Instruction ID: 5f1577857dd1957bb4cf7df18afb2312d7e7d544918308c3682406765285a703
            • Opcode Fuzzy Hash: 8cd0f715632e626b64dbe73f4ff8010c40ea85c8e3e71d88aa3c2adfa1fec1db
            • Instruction Fuzzy Hash: 5151ED76A80229FBCB21AAA4CC46BEE7AE4BF04751F000235FD00F6591D7BDDD549AD0
            APIs
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,00000000,000002C0), ref: 00748019
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 00748034
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 007480D7
            • CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,00000018,0074B508,00000000), ref: 00748116
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 00748169
            • CompareStringW.KERNEL32(0000007F,00000000,0074B508,000000FF,true,000000FF), ref: 00748187
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 007481BF
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 00748303
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CompareString
            • String ID: application$apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
            • API String ID: 1825529933-3037633208
            • Opcode ID: 1a0c251c5ef65d798467d2c2ae4890f0a402f61bd3d82ce606e65e789c6bec50
            • Instruction ID: b1fa2b12b05c479aa30f9358dde8063f09a3de3eefa08c34d7fbeaed75684b42
            • Opcode Fuzzy Hash: 1a0c251c5ef65d798467d2c2ae4890f0a402f61bd3d82ce606e65e789c6bec50
            • Instruction Fuzzy Hash: B8B1AC7290420AEBDBA08F54CC85F5E77B6BB04730F218619F929EB2D1DB78E840CB01
            APIs
              • Part of subcall function 0071E05E: LoadBitmapW.USER32(?,00000001), ref: 0071E094
              • Part of subcall function 0071E05E: GetLastError.KERNEL32 ref: 0071E0A0
            • LoadCursorW.USER32(00000000,00007F00), ref: 0071E1D8
            • RegisterClassW.USER32(?), ref: 0071E1EC
            • GetLastError.KERNEL32 ref: 0071E1F7
            • UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 0071E2FC
            • DeleteObject.GDI32(00000000), ref: 0071E30B
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
            • String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
            • API String ID: 164797020-2188509422
            • Opcode ID: ed04ec5f4576d7693b95ad7510be326c4befb7f937c7152d0289d57348c9d0cf
            • Instruction ID: 853fe9ed152ea09ac0466c4b0cf3ad8e0e99cea012019bd3bf094567acb1ab28
            • Opcode Fuzzy Hash: ed04ec5f4576d7693b95ad7510be326c4befb7f937c7152d0289d57348c9d0cf
            • Instruction Fuzzy Hash: 43419E76A00619FFEB119BE8DC49AEEB7B9FF09300F104126FE05E61A0D7789D4487A5
            APIs
            • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,00000000,?,0072BA53,00000001), ref: 00729C18
            • GetLastError.KERNEL32(?,0072BA53,00000001), ref: 00729D88
            • GetExitCodeThread.KERNEL32(00000001,00000000,?,0072BA53,00000001), ref: 00729DC8
            • GetLastError.KERNEL32(?,0072BA53,00000001), ref: 00729DD2
            Strings
            • Cache thread exited unexpectedly., xrefs: 00729E14
            • Failed to execute dependency action., xrefs: 00729D08
            • Failed to get cache thread exit code., xrefs: 00729E03
            • apply.cpp, xrefs: 00729DAC, 00729DF6
            • Failed to execute package provider registration action., xrefs: 00729CE9
            • Failed to execute MSU package., xrefs: 00729CCD
            • Invalid execute action., xrefs: 00729E23
            • Failed to execute EXE package., xrefs: 00729C4F
            • Failed to execute compatible package action., xrefs: 00729D45
            • Failed to execute MSI package., xrefs: 00729C78
            • Failed to load compatible package on per-machine package., xrefs: 00729D2E
            • Failed to execute MSP package., xrefs: 00729C9D
            • Failed to wait for cache check-point., xrefs: 00729DB9
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
            • String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
            • API String ID: 3703294532-2662572847
            • Opcode ID: 946b5c0f597a1e99a80a136f2c8cb71ab7553a4c33ea35edfdca7e9d0a8812f0
            • Instruction ID: 01c17980ed43250fd0f69af0e602af84f9111d90a1c69c40669f7aabf4bd9366
            • Opcode Fuzzy Hash: 946b5c0f597a1e99a80a136f2c8cb71ab7553a4c33ea35edfdca7e9d0a8812f0
            • Instruction Fuzzy Hash: 07716CB1E01229FFDB14DF64D945ABEB7F8EB08710F15416AFE05E7280D2789E019BA0
            APIs
            • GetCurrentProcessId.KERNEL32(74DE8FB0,00000002,00000000), ref: 0072CA40
              • Part of subcall function 00714B96: UuidCreate.RPCRT4(?), ref: 00714BC9
            • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,007221A5,?,?,00000000,?,?,?), ref: 0072CB1E
            • GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 0072CB28
            • GetProcessId.KERNEL32(007221A5,?,?,00000000,?,?,?,?), ref: 0072CB60
              • Part of subcall function 007152E3: lstrlenW.KERNEL32(?,?,00000000,?,0074B4F0,?,00000000,?,0070442A,?,0074B4F0), ref: 00715304
              • Part of subcall function 007152E3: GetCurrentProcessId.KERNEL32(?,0070442A,?,0074B4F0), ref: 0071530F
              • Part of subcall function 007152E3: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,0070442A,?,0074B4F0), ref: 00715346
              • Part of subcall function 007152E3: ConnectNamedPipe.KERNEL32(?,00000000,?,0070442A,?,0074B4F0), ref: 0071535B
              • Part of subcall function 007152E3: GetLastError.KERNEL32(?,0070442A,?,0074B4F0), ref: 00715365
              • Part of subcall function 007152E3: Sleep.KERNEL32(00000064,?,0070442A,?,0074B4F0), ref: 00715396
              • Part of subcall function 007152E3: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,0070442A,?,0074B4F0), ref: 007153B9
              • Part of subcall function 007152E3: WriteFile.KERNEL32(?,0074B4F0,00000004,00000000,00000000,?,0070442A,?,0074B4F0), ref: 007153D4
              • Part of subcall function 007152E3: WriteFile.KERNEL32(?,*Dp,0074B4F0,00000000,00000000,?,0070442A,?,0074B4F0), ref: 007153EF
              • Part of subcall function 007152E3: WriteFile.KERNEL32(?,comres.dll,00000004,feclient.dll,00000000,?,0070442A,?,0074B4F0), ref: 0071540A
              • Part of subcall function 00740917: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00704E16,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 00740927
              • Part of subcall function 00740917: GetLastError.KERNEL32(?,?,00704E16,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00740935
            • CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,0072C992,?,?,?,?,?,00000000,?,?,?,?), ref: 0072CBE4
            • CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,0072C992,?,?,?,?,?,00000000,?,?,?,?), ref: 0072CBF3
            • CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,0072C992,?,?,?,?,?,00000000,?,?,?), ref: 0072CC0A
            Strings
            • burn.embedded, xrefs: 0072CADB
            • embedded.cpp, xrefs: 0072CB49
            • %ls -%ls %ls %ls %u, xrefs: 0072CAE3
            • Failed to create embedded pipe name and client token., xrefs: 0072CAA3
            • Failed to allocate embedded command., xrefs: 0072CAF7
            • Failed to wait for embedded process to connect to pipe., xrefs: 0072CB82
            • Failed to process messages from embedded message., xrefs: 0072CBA7
            • Failed to create embedded process at path: %ls, xrefs: 0072CB56
            • Failed to wait for embedded executable: %ls, xrefs: 0072CBC7
            • Failed to create embedded pipe., xrefs: 0072CACA
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
            • String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$embedded.cpp
            • API String ID: 875070380-3803182736
            • Opcode ID: 6c4611e2ea27a66a0cad79b5844f2c3cce11a7ea5b88479f9fefdc7e34743fcb
            • Instruction ID: 17e831b8be384d450db597580c6e67837ca49b1776757ac21a9992eed6f32ed0
            • Opcode Fuzzy Hash: 6c4611e2ea27a66a0cad79b5844f2c3cce11a7ea5b88479f9fefdc7e34743fcb
            • Instruction Fuzzy Hash: 07516EB2D4022DFBDF12EBA4DC06FDEBAB8AF14710F104122FA01B6190D7789A419BD0
            APIs
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00709FA3
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Open@16
            • String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
            • API String ID: 3613110473-2134270738
            • Opcode ID: b8667f29e8eccd23274c00a7f5cf63ff8d256def61604f3b6e0ba7467f44a22b
            • Instruction ID: 5ed937f20e0a4b4d654ab4abde86f2b0aba054ba243bb7c9f548497b90df95ef
            • Opcode Fuzzy Hash: b8667f29e8eccd23274c00a7f5cf63ff8d256def61604f3b6e0ba7467f44a22b
            • Instruction Fuzzy Hash: AD61C172D4021DFBCB119AA8C949DEE7BF9EB44310F204365F600BA292D37A9E409792
            APIs
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 00747703
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 00747727
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 00747746
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 0074777D
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 00747798
            • SysFreeString.OLEAUT32(00000000), ref: 007477C3
            • SysFreeString.OLEAUT32(00000000), ref: 00747842
            • SysFreeString.OLEAUT32(00000000), ref: 0074788E
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: String$Compare$Free
            • String ID: comres.dll$feclient.dll$href$length$rel$title$type$version.dll
            • API String ID: 318886736-4053816464
            • Opcode ID: a012ee3a1927425a352df9e68cb0a10dd61954f60fd3d59c1351538b0ef6d45f
            • Instruction ID: 14b91ab46f633eaa5468a3613a4a15a0e82392af38b5eb2e5584bd1464519dd4
            • Opcode Fuzzy Hash: a012ee3a1927425a352df9e68cb0a10dd61954f60fd3d59c1351538b0ef6d45f
            • Instruction Fuzzy Hash: 3B715035904119FFCF19DBA4CC88EAEBB78EF04720F2142A5E925A7190D7399E04DB90
            APIs
            • lstrlenW.KERNEL32(?,?,00729751,75C08550,?,?,00000000,?,?,?,00000001,00000000,?), ref: 0072DC28
            Strings
            • Invalid BITS engine URL: %ls, xrefs: 0072DC4A
            • Failed to complete BITS job., xrefs: 0072DDD2
            • Failed to create BITS job., xrefs: 0072DCB7
            • Failed to initialize BITS job callback., xrefs: 0072DD49
            • Failed to copy download URL., xrefs: 0072DC6F
            • Failed to create BITS job callback., xrefs: 0072DD3B
            • Failed to set callback interface for BITS job., xrefs: 0072DD60
            • bitsengine.cpp, xrefs: 0072DC3E, 0072DD31
            • Falied to start BITS job., xrefs: 0072DDE0
            • Failed to add file to BITS job., xrefs: 0072DCF5
            • Failed to download BITS job., xrefs: 0072DDBF
            • Failed while waiting for BITS download., xrefs: 0072DDD9
            • Failed to set credentials for BITS job., xrefs: 0072DCD6
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: lstrlen
            • String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$bitsengine.cpp
            • API String ID: 1659193697-2382896028
            • Opcode ID: adb0f3b09c7269d6cbfe6af260d736aa0e6a0eab266953eda139dbf56409418e
            • Instruction ID: 29c37be7dc72be159b8c0e88591ce207030c4aa2156ac78c2916ae7718721ad8
            • Opcode Fuzzy Hash: adb0f3b09c7269d6cbfe6af260d736aa0e6a0eab266953eda139dbf56409418e
            • Instruction Fuzzy Hash: AF61A175A00735EBCB219F94E889E6E7BB4EF08B60B11415AFC05AB251E778DD00EBD1
            APIs
            • SysFreeString.OLEAUT32(?), ref: 0070ED40
              • Part of subcall function 007038D4: GetProcessHeap.KERNEL32(?,000001C7,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038E5
              • Part of subcall function 007038D4: RtlAllocateHeap.NTDLL(00000000,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038EC
            • SysFreeString.OLEAUT32(?), ref: 0070ECF8
            Strings
            • registration.cpp, xrefs: 0070EC35
            • Filename, xrefs: 0070EC73
            • SoftwareTag, xrefs: 0070EBC1
            • Failed to allocate memory for software tag structs., xrefs: 0070EC3F
            • Failed to convert SoftwareTag text to UTF-8, xrefs: 0070ED75
            • Regid, xrefs: 0070EC8E
            • Failed to get @Regid., xrefs: 0070ED93
            • Path, xrefs: 0070ECA6
            • Failed to get @Path., xrefs: 0070ED89
            • Failed to select software tag nodes., xrefs: 0070EBE2
            • Failed to get software tag count., xrefs: 0070EC07
            • Failed to get next node., xrefs: 0070EDA7
            • Failed to get SoftwareTag text., xrefs: 0070ED7F
            • Failed to get @Filename., xrefs: 0070ED9D
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: FreeHeapString$AllocateProcess
            • String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$registration.cpp
            • API String ID: 336948655-1068704183
            • Opcode ID: 0e68b40552fec224e12b8a72655382d5ea0551b7aebab0a941fbb354c965e5f4
            • Instruction ID: 0d6e5421b41d96de03886971756b12fddec26fb955d76132c35bc9bee8ab074c
            • Opcode Fuzzy Hash: 0e68b40552fec224e12b8a72655382d5ea0551b7aebab0a941fbb354c965e5f4
            • Instruction Fuzzy Hash: CF51B4B5B01319FBDB119F54C895EAEBBE8EF00711F504A69F805AB280DB78EE009790
            APIs
            • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 0071498D
            • GetLastError.KERNEL32 ref: 0071499B
            • Sleep.KERNEL32(00000064), ref: 007149BF
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CreateErrorFileLastSleep
            • String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$feclient.dll$pipe.cpp
            • API String ID: 408151869-3212458075
            • Opcode ID: 34f122a595af634f6f9c950dcb029c98d06ce32bc59e681087c887932bf95788
            • Instruction ID: 5c905e1cdf430301a637e820b4f3b53154ddaae2d656b9465d81689aa5754dd3
            • Opcode Fuzzy Hash: 34f122a595af634f6f9c950dcb029c98d06ce32bc59e681087c887932bf95788
            • Instruction Fuzzy Hash: 7C412776D80721FBDB215BA88C06BDB76A8AF00761F118221FD14F61D0D7BC9E9096D8
            APIs
            • CompareStringW.KERNEL32(0000007F,00000000,0074B468,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,00000000,?,00748320,00000001,?), ref: 00747E56
            • CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,00748320,00000001,?), ref: 00747E71
            • CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,00748320,00000001,?), ref: 00747E8C
            • CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,00748320,00000001,?), ref: 00747EF8
            • CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,00748320,00000001,?), ref: 00747F1C
            • CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,00748320,00000001,?), ref: 00747F40
            • CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,00748320,00000001,?), ref: 00747F60
            • lstrlenW.KERNEL32(006C0064,?,00748320,00000001,?), ref: 00747F7B
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CompareString$lstrlen
            • String ID: algorithm$apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$name$sha1$sha256
            • API String ID: 1657112622-2180710652
            • Opcode ID: 2f3fcd239a3bc6765ee4dc0ceefb8cb9daa7717b5f00fce7813db2841b6e022e
            • Instruction ID: 16e97fd23f4f9b76e81ef92713fa3814c350369dd990c4203a34d80ac23042a3
            • Opcode Fuzzy Hash: 2f3fcd239a3bc6765ee4dc0ceefb8cb9daa7717b5f00fce7813db2841b6e022e
            • Instruction Fuzzy Hash: AD519F7164C222FBDB244F54CC86F267B61AB15730F208355FA39AE6E5C7A8EC81C790
            APIs
            • RegCloseKey.ADVAPI32(00000000,00000000,00710348,InstallerVersion,InstallerVersion,00000000,00710348,InstallerName,InstallerName,00000000,00710348,Date,InstalledDate,00000000,00710348,LogonUser), ref: 0070F5BE
              • Part of subcall function 00741392: RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0070F1C2,00000000,?,00020006), ref: 007413C5
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseValue
            • String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
            • API String ID: 3132538880-2703781546
            • Opcode ID: 8243b8501f2ace20c9eb83e87fa0f40fb37560d4ca266c04f52572915fb7f70f
            • Instruction ID: 6d5a573a2f0a0ce014f249fce7552cd1a58d1f7cf1fc105fd83d74e5353ed300
            • Opcode Fuzzy Hash: 8243b8501f2ace20c9eb83e87fa0f40fb37560d4ca266c04f52572915fb7f70f
            • Instruction Fuzzy Hash: 0241DA72A42669FBCB335A50CC06EAE7AA5AB01721F114370FD00B76D1D7BC9E25A6D0
            APIs
            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,00726CE1,?), ref: 007267C8
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00726CE1,?,?,?), ref: 007267D5
            • OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,00726CE1,?,?,?), ref: 0072681D
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00726CE1,?,?,?), ref: 00726829
            • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,00726CE1,?,?,?), ref: 00726863
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00726CE1,?,?,?), ref: 0072686D
            • CloseServiceHandle.ADVAPI32(00000000), ref: 00726924
            • CloseServiceHandle.ADVAPI32(?), ref: 0072692E
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
            • String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$msuengine.cpp$wuauserv$lr
            • API String ID: 971853308-4248397621
            • Opcode ID: 05b50ea6f96b386ef7141aa6908ff8267e764f0b70494a8a1a08510809d3f698
            • Instruction ID: 819f0789cabc9c00ddbe11cba048edbcff4b4815cb93bd145307629dab484c6e
            • Opcode Fuzzy Hash: 05b50ea6f96b386ef7141aa6908ff8267e764f0b70494a8a1a08510809d3f698
            • Instruction Fuzzy Hash: 6941A6B5F00324EBEB30ABB99C45AAE76E8EB48751F11452AFD05F7250DB7CDC4486A0
            APIs
            • TlsSetValue.KERNEL32(?,?), ref: 0071E5AE
            • RegisterClassW.USER32(?), ref: 0071E5DA
            • GetLastError.KERNEL32 ref: 0071E5E5
            • CreateWindowExW.USER32(00000080,00759CC4,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 0071E64C
            • GetLastError.KERNEL32 ref: 0071E656
            • UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 0071E6F4
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
            • String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
            • API String ID: 213125376-288575659
            • Opcode ID: 03773132e5eabf680b90c3447ed3a9c7f793829456241533475e26391448697c
            • Instruction ID: 607bf86c6a194cd1668a4c2d84100fd252575ee65b8b01361f0504faa7cb9ffc
            • Opcode Fuzzy Hash: 03773132e5eabf680b90c3447ed3a9c7f793829456241533475e26391448697c
            • Instruction Fuzzy Hash: EF41A076A00214EBDB209FB9DC48ADABEE8FF09750F108126FD09E6190D779DD50CBA5
            Strings
            • Failed to copy uninstall arguments for passthrough bundle package, xrefs: 0072C84F
            • Failed to copy download source for passthrough pseudo bundle., xrefs: 0072C732
            • Failed to allocate memory for pseudo bundle payload hash., xrefs: 0072C750
            • Failed to copy related arguments for passthrough bundle package, xrefs: 0072C825
            • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 0072C78A
            • Failed to copy install arguments for passthrough bundle package, xrefs: 0072C805
            • Failed to copy cache id for passthrough pseudo bundle., xrefs: 0072C7A8
            • pseudobundle.cpp, xrefs: 0072C54B, 0072C744, 0072C77E
            • Failed to copy local source path for passthrough pseudo bundle., xrefs: 0072C75A
            • Failed to recreate command-line arguments., xrefs: 0072C7E6
            • Failed to copy key for passthrough pseudo bundle payload., xrefs: 0072C768
            • Failed to copy filename for passthrough pseudo bundle., xrefs: 0072C761
            • Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 0072C557
            • Failed to copy key for passthrough pseudo bundle., xrefs: 0072C72B
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Heap$AllocateProcess
            • String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
            • API String ID: 1357844191-115096447
            • Opcode ID: c02ea037716d6bfe64ee80b957570020db5cd392164cfb84cfcb9250c21d020f
            • Instruction ID: 4e3670a6ff992256ccb0cc039864e9b817d5f3f04de93b2110e9239742887aba
            • Opcode Fuzzy Hash: c02ea037716d6bfe64ee80b957570020db5cd392164cfb84cfcb9250c21d020f
            • Instruction Fuzzy Hash: 01B15B75A00615EFDB12DF24C885F9AB7E5BF18710F108269FD149B392C779E811DB90
            APIs
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0070BB82
            • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 0070BC8F
            • GetLastError.KERNEL32(?,?,?,?), ref: 0070BC99
            • WaitForInputIdle.USER32(?,?), ref: 0070BCED
            • CloseHandle.KERNEL32(?,?,?), ref: 0070BD38
            • CloseHandle.KERNEL32(?,?,?), ref: 0070BD45
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseHandle$CreateErrorIdleInputLastOpen@16ProcessWait
            • String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$approvedexe.cpp
            • API String ID: 155678114-2737401750
            • Opcode ID: 57cf48ec54b7e80cba9a8a544067ea5c9d3538459db7b3c91867a83bd956b72f
            • Instruction ID: 2018ac1524baf043f1a24b4f2e02ba37bf5ed59257f95238557197c1e451ee6b
            • Opcode Fuzzy Hash: 57cf48ec54b7e80cba9a8a544067ea5c9d3538459db7b3c91867a83bd956b72f
            • Instruction Fuzzy Hash: A4515F72D0061AFBDF119FA4CC45DAEBBB9FF04300F104666FA04B6191D779AE509BA1
            APIs
            • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,0070B9F7,00000008,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0070B10E
            • GetLastError.KERNEL32(?,0070B9F7,00000008,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0070B11A
            • _memcmp.LIBVCRUNTIME ref: 0070B1C2
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorHandleLastModule_memcmp
            • String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$section.cpp
            • API String ID: 3888311042-926796631
            • Opcode ID: 799eb8ef47d8f93c3a63a65b8f2b5b8e3c7b0f5c28c2446f88371a2a9e1a4a30
            • Instruction ID: 470a66bcb803c5ce095d8467c9ceb5994fd3fe06d5899ff38b4851c4e1a038f8
            • Opcode Fuzzy Hash: 799eb8ef47d8f93c3a63a65b8f2b5b8e3c7b0f5c28c2446f88371a2a9e1a4a30
            • Instruction Fuzzy Hash: 0C4116B6780324E7D7205A55DC86F6B22E5BB80B31F254229F9026F5C1D7BCCA0187E6
            APIs
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0070A1A8
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0070A204
            • RegQueryValueExW.ADVAPI32(000002C0,00000000,00000000,000002C0,00000000,00000000,000002C0,?,00000000,00000000,?,00000000,00000101,000002C0,000002C0,?), ref: 0070A226
            • RegCloseKey.ADVAPI32(00000000,00000000,00000000,000002C0,00000100,00000000,000002C0), ref: 0070A300
            Strings
            • Failed to query registry key value., xrefs: 0070A265
            • Failed to set variable., xrefs: 0070A2B8
            • Failed to format key string., xrefs: 0070A1B3
            • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0070A275
            • Registry key not found. Key = '%ls', xrefs: 0070A291
            • search.cpp, xrefs: 0070A25B
            • Failed to format value string., xrefs: 0070A20F
            • Failed to open registry key. Key = '%ls', xrefs: 0070A2C2
            • RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 0070A2D8
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Open@16$CloseQueryValue
            • String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
            APIs
            • GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 00706835
            • GetLastError.KERNEL32 ref: 0070683F
            • GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 00706882
            • GetLastError.KERNEL32 ref: 0070688C
            • FreeLibrary.KERNEL32(00000000,00000000,?), ref: 0070699D
            Strings
            Similarity
            • API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
            • String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$ntdll$variable.cpp
            APIs
            • TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,0070535E,?,?,?,?), ref: 0070481A
            • GetLastError.KERNEL32(?,?,?,0070535E,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0070482B
            • ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00704968
            • CloseHandle.KERNEL32(?,?,?,?,0070535E,?,?,?,?,?,?,?,?,?,?,?), ref: 00704971
            Strings
            • Failed to set elevated pipe into thread local storage for logging., xrefs: 007048A2
            • engine.cpp, xrefs: 0070484F, 00704898
            • Failed to pump messages from parent process., xrefs: 0070493C
            • Failed to create the message window., xrefs: 007048C6
            • comres.dll, xrefs: 007048D7
            • Failed to connect to unelevated process., xrefs: 00704810
            • Failed to allocate thread local storage for logging., xrefs: 00704859
            Similarity
            • API ID: AllocCloseErrorHandleLastMutexRelease
            • String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$comres.dll$engine.cpp
            Strings
            • Failed to copy ancestors and self to related bundle ancestors., xrefs: 00712EF6
            • Failed to lookup the bundle ID in the ancestors dictionary., xrefs: 007130F0
            • plan.cpp, xrefs: 0071311D
            • Failed to create dictionary from ancestors array., xrefs: 00712E46
            • Unexpected relation type encountered during plan: %d, xrefs: 007130FE
            • UX aborted plan related bundle., xrefs: 00713127
            • feclient.dll, xrefs: 007130BB
            • %ls;%ls, xrefs: 00712EDE
            • Failed to copy self to related bundle ancestors., xrefs: 0071312E
            • Failed to add the package provider key "%ls" to the planned list., xrefs: 00713107
            • Failed to create string array from ancestors., xrefs: 00712E1A
            Similarity
            • API ID:
            • String ID: %ls;%ls$Failed to add the package provider key "%ls" to the planned list.$Failed to copy ancestors and self to related bundle ancestors.$Failed to copy self to related bundle ancestors.$Failed to create dictionary from ancestors array.$Failed to create string array from ancestors.$Failed to lookup the bundle ID in the ancestors dictionary.$UX aborted plan related bundle.$Unexpected relation type encountered during plan: %d$feclient.dll$plan.cpp
            APIs
            • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,000000B9,00000002,?,00000000,00000000), ref: 00707E99
            • LeaveCriticalSection.KERNEL32(?,?,?), ref: 007080C1
            Strings
            • Failed to write variable count., xrefs: 00707EB4
            • Failed to get numeric., xrefs: 00708093
            • Failed to write variable name., xrefs: 007080A8
            • Failed to write included flag., xrefs: 007080AF
            • Failed to write variable value as number., xrefs: 0070806B
            • Failed to write literal flag., xrefs: 0070809A
            • feclient.dll, xrefs: 00707F74, 00707FCA, 0070800B
            • Failed to write variable value type., xrefs: 007080A1
            • Failed to get string., xrefs: 0070808C
            • Unsupported variable type., xrefs: 0070807E
            • Failed to write variable value as string., xrefs: 00708085
            • Failed to get version., xrefs: 00708072
            Similarity
            • API ID: CriticalSection$EnterLeave
            • String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
            APIs
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,74DEDFD0,?,00747172,?,?), ref: 00746C4C
            • SysFreeString.OLEAUT32(00000000), ref: 00746CB7
            • SysFreeString.OLEAUT32(00000000), ref: 00746D2F
            • SysFreeString.OLEAUT32(00000000), ref: 00746D71
            Strings
            Similarity
            • API ID: String$Free$Compare
            • String ID: feclient.dll$label$rqt$rqt$scheme$term
            APIs
            • GetTempPathW.KERNEL32(00000104,?,?,00000000,0074B4F0), ref: 00713A51
            • GetLastError.KERNEL32(?,00000000,0074B4F0), ref: 00713A5B
            • GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,0074B4F0), ref: 00713AC4
            • ProcessIdToSessionId.KERNEL32(00000000,?,00000000,0074B4F0), ref: 00713ACB
            Strings
            • %u\, xrefs: 00713AE5
            • Failed to get temp folder., xrefs: 00713A89
            • Failed to copy temp folder., xrefs: 00713B7A
            • Failed to get length of session id string., xrefs: 00713B1D
            • Failed to get length of temp folder., xrefs: 00713AB5
            • Failed to format session id as a string., xrefs: 00713AF9
            • logging.cpp, xrefs: 00713A7F
            Similarity
            • API ID: Process$CurrentErrorLastPathSessionTemp
            • String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$logging.cpp
            APIs
            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000001,00000000,00000000), ref: 00740234
            • GetComputerNameW.KERNEL32(?,?), ref: 0074028C
            Strings
            Similarity
            • API ID: Name$ComputerFileModule
            • String ID: --- logging level: %hs ---$8bv$=== Logging started: %ls ===$@bv$Computer : %ls$Executable: %ls v%d.%d.%d.%d$Hbv$Tbv$\bv$dbv
            APIs
            • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,0071A63D,?,00000000,?,?,0072B049), ref: 007195C7
            • GetLastError.KERNEL32(?,0071A63D,?,00000000,?,?,0072B049,?,00000000,?,00000000,?,?,0072B049,?), ref: 007195D7
            • CloseHandle.KERNEL32(?,0072B049,00000001,00000003,000007D0,?,?,0072B049,?), ref: 007196E4
            Strings
            • %ls payload from working path '%ls' to path '%ls', xrefs: 0071968F
            • Failed to verify payload signature: %ls, xrefs: 00719632
            • Failed to open payload in working path: %ls, xrefs: 00719606
            • Moving, xrefs: 00719686, 0071968E
            • Failed to copy %ls to %ls, xrefs: 007196D2
            • Copying, xrefs: 00719679
            • cache.cpp, xrefs: 007195FB
            • Failed to move %ls to %ls, xrefs: 007196BC
            • Failed to verify payload hash: %ls, xrefs: 0071966F
            Similarity
            • API ID: CloseCreateErrorFileHandleLast
            • String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
            APIs
            • SetEvent.KERNEL32(0074B468,=Sp,00000000,?,0070C06D,=Sp,007052B5,00000000,?,0071763B,?,00705565,00705371,00705371,00000000,?), ref: 0072135E
            • GetLastError.KERNEL32(?,0070C06D,=Sp,007052B5,00000000,?,0071763B,?,00705565,00705371,00705371,00000000,?,00705381,FFF9E89D,00705381), ref: 00721368
            • WaitForSingleObject.KERNEL32(0074B478,000000FF,?,0070C06D,=Sp,007052B5,00000000,?,0071763B,?,00705565,00705371,00705371,00000000,?,00705381), ref: 007213A2
            • GetLastError.KERNEL32(?,0070C06D,=Sp,007052B5,00000000,?,0071763B,?,00705565,00705371,00705371,00000000,?,00705381,FFF9E89D,00705381), ref: 007213AC
            • CloseHandle.KERNEL32(00000000,00705381,=Sp,00000000,?,0070C06D,=Sp,007052B5,00000000,?,0071763B,?,00705565,00705371,00705371,00000000), ref: 007213F7
            • CloseHandle.KERNEL32(00000000,00705381,=Sp,00000000,?,0070C06D,=Sp,007052B5,00000000,?,0071763B,?,00705565,00705371,00705371,00000000), ref: 00721406
            • CloseHandle.KERNEL32(00000000,00705381,=Sp,00000000,?,0070C06D,=Sp,007052B5,00000000,?,0071763B,?,00705565,00705371,00705371,00000000), ref: 00721415
            Strings
            Similarity
            • API ID: CloseHandle$ErrorLast$EventObjectSingleWait
            • String ID: =Sp$=Sp$Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
            APIs
            • EnterCriticalSection.KERNEL32(00000001,?,00000000,0070533D,00000000,00000001), ref: 00706C6E
              • Part of subcall function 007055B6: CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,00000007,0070648B,0070648B,?,0070554A,?,?,00000000), ref: 007055F2
              • Part of subcall function 007055B6: GetLastError.KERNEL32(?,0070554A,?,?,00000000,?,00000000,0070648B,?,00707DDC,?,?,?,?,?), ref: 00705621
            • LeaveCriticalSection.KERNEL32(00000001,?,00000001), ref: 00706E02
            Strings
            • Setting hidden variable '%ls', xrefs: 00706D2C
            • Setting string variable '%ls' to value '%ls', xrefs: 00706D96
            • Attempt to set built-in variable value: %ls, xrefs: 00706CFC
            • Failed to set value of variable: %ls, xrefs: 00706DEA
            • Unsetting variable '%ls', xrefs: 00706DBE
            • Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00706D79
            • Setting numeric variable '%ls' to value %lld, xrefs: 00706DA3
            • Failed to insert variable '%ls'., xrefs: 00706CB3
            • Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00706E14
            • variable.cpp, xrefs: 00706CF1
            • Failed to find variable value '%ls'., xrefs: 00706C89
            Similarity
            • API ID: CriticalSection$CompareEnterErrorLastLeaveString
            • String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
            APIs
            • IsWindow.USER32(?), ref: 00704B5E
            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00704B6F
            Strings
            • Failed to set layout directory variable to value provided from command-line., xrefs: 00704B00
            • Failed to set action variables., xrefs: 00704ABE
            • Failed to check global conditions, xrefs: 00704A43
            • Failed to create the message window., xrefs: 00704A92
            • WixBundleLayoutDirectory, xrefs: 00704AEF
            • Failed while running , xrefs: 00704B24
            • Failed to set registration variables., xrefs: 00704AD8
            • Failed to open log., xrefs: 00704A12
            • Failed to query registration., xrefs: 00704AA8
            Similarity
            • API ID: MessagePostWindow
            • String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
            APIs
            • CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,?,000000FF,00705381,?,007052B5,00000000,00705381,FFF9E89D,00705381,007053B5,0070533D,?), ref: 0070CB15
            Strings
            Similarity
            • API ID: CompareString
            • String ID: =Sp$=Sp$Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
            APIs
              • Part of subcall function 007038D4: GetProcessHeap.KERNEL32(?,000001C7,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038E5
              • Part of subcall function 007038D4: RtlAllocateHeap.NTDLL(00000000,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038EC
            • EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 0071EE1B
            • LeaveCriticalSection.KERNEL32(?), ref: 0071EF48
            Strings
            • UX requested unknown approved exe with id: %ls, xrefs: 0071EE7B
            • EngineForApplication.cpp, xrefs: 0071EF29
            • Failed to post launch approved exe message., xrefs: 0071EF33
            • Engine is active, cannot change engine state., xrefs: 0071EE36
            • Failed to copy the arguments., xrefs: 0071EEDA
            • Failed to copy the id., xrefs: 0071EEAD
            Similarity
            • API ID: CriticalHeapSection$AllocateEnterLeaveProcess
            • String ID: Engine is active, cannot change engine state.$EngineForApplication.cpp$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls
            APIs
            • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,0071A5CE,?,00000000,?,?,0072B041), ref: 007194B1
            • GetLastError.KERNEL32(?,0071A5CE,?,00000000,?,?,0072B041,?,00000000,?,00000000,?,?,0072B041,?), ref: 007194BF
            • CloseHandle.KERNEL32(?,0072B041,00000001,00000003,000007D0,?,?,0072B041,?), ref: 0071959E
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseCreateErrorFileHandleLast
            • String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
            • API String ID: 2528220319-1187406825
            • Opcode ID: 578a748825613106fa93e3003e455e6943685f6eda334a980faec952bf875930
            • Instruction ID: 3085bb1406b604f3368b22434fc5db34a85bf3bae6d591391a23b78fbd1c4950
            • Opcode Fuzzy Hash: 578a748825613106fa93e3003e455e6943685f6eda334a980faec952bf875930
            • Instruction Fuzzy Hash: AE214CB1B80728BBE72219285C4AFEB365DDF51B21F000118FE05BA2C0D7ADDD61D5E5
            APIs
            • EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00706E89
            • LeaveCriticalSection.KERNEL32(?), ref: 00707095
            Strings
            • Failed to read variable value as number., xrefs: 0070704F
            • Failed to set variable., xrefs: 00707069
            • Failed to read variable name., xrefs: 0070707E
            • Failed to read variable included flag., xrefs: 00707085
            • Failed to set variable value., xrefs: 00707048
            • Failed to read variable value type., xrefs: 00707077
            • Failed to read variable literal flag., xrefs: 00707070
            • Failed to read variable value as string., xrefs: 00707062
            • Unsupported variable type., xrefs: 0070705B
            • Failed to read variable count., xrefs: 00706EA9
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeave
            • String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
            • API String ID: 3168844106-528957463
            • Opcode ID: d2bfc34f5022e68f4990a23d6d8cb0614e337ff287557c6e6d5d1cf6287180a6
            • Instruction ID: 0fa43cc08cce5634e053e7978a249f25825621ee52f142837ef2f80a43959738
            • Opcode Fuzzy Hash: d2bfc34f5022e68f4990a23d6d8cb0614e337ff287557c6e6d5d1cf6287180a6
            • Instruction Fuzzy Hash: 32718F72D0521EEBDB25DEA4DC05EAEBBF8EB04750F104322F900A6191D739EE11DBA0
            APIs
            • CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,002C002B,000000FF,?,00000000,?,wininet.dll,?,0074B4F0,?,?,?,00000000), ref: 00712ACD
            Strings
            • wininet.dll, xrefs: 00712D1E
            • Failed to check for remaining dependents during planning., xrefs: 00712C73
            • Failed to add registration action for dependent related bundle., xrefs: 00712DD5
            • Failed to create the string dictionary., xrefs: 00712B06
            • Failed to add dependent bundle provider key to ignore dependents., xrefs: 00712C37
            • Failed to add self-dependent to ignore dependents., xrefs: 00712B51
            • Failed to add dependents ignored from command-line., xrefs: 00712B82
            • Failed to add registration action for self dependent., xrefs: 00712D9E
            • Failed to allocate registration action., xrefs: 00712B36
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CompareString
            • String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$wininet.dll
            • API String ID: 1825529933-1397997145
            • Opcode ID: 8929267880e20ff1bfc521636d4639285428b712603582e4c0a7cbd7b691c5f9
            • Instruction ID: dec641ec5db69525d06754311db793f37da6d6558c47ca544072f58b1929fcf0
            • Opcode Fuzzy Hash: 8929267880e20ff1bfc521636d4639285428b712603582e4c0a7cbd7b691c5f9
            • Instruction Fuzzy Hash: 3CB19F70A00626EFCB65DF58D841BEE7BB1FF44710F008169F9049A292E778D9A2DBD1
            APIs
            • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 00744425
            • GetLastError.KERNEL32 ref: 0074443B
            • GetFileSizeEx.KERNEL32(00000000,?), ref: 00744486
            • GetLastError.KERNEL32 ref: 00744490
            • CloseHandle.KERNEL32(?), ref: 00744650
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorFileLast$CloseCreateHandleSize
            • String ID: fileutil.cpp
            • API String ID: 3555958901-2967768451
            • Opcode ID: f1a12dd9c5b6d17c201b950c321eb1b904f1640bea70074276e67b7f24c1e836
            • Instruction ID: 7ad3cd6a1125b1b599cbbb2dccb18c7ca2ab22172e80f2295ad32d86d484ce95
            • Opcode Fuzzy Hash: f1a12dd9c5b6d17c201b950c321eb1b904f1640bea70074276e67b7f24c1e836
            • Instruction Fuzzy Hash: DA711671A00255EBEF21CE698C48B7B76E8EF40760F12422AFD15EB290D77CCD10AB95
            APIs
            • UuidCreate.RPCRT4(?), ref: 00714BC9
            • StringFromGUID2.OLE32(?,?,00000027), ref: 00714BF8
            • UuidCreate.RPCRT4(?), ref: 00714C43
            • StringFromGUID2.OLE32(?,?,00000027), ref: 00714C6F
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CreateFromStringUuid
            • String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
            • API String ID: 4041566446-2510341293
            • Opcode ID: a8af23922ad6dddb063d69594d254ba8ad8c7a742d5c50cf0dab76ad0b44c393
            • Instruction ID: a1b09c64e486249ece84c58814380489d4adee7ae76c9ef9da2885f84502a084
            • Opcode Fuzzy Hash: a8af23922ad6dddb063d69594d254ba8ad8c7a742d5c50cf0dab76ad0b44c393
            • Instruction Fuzzy Hash: 404186B2D05318EBDB20DFE9C945EDEB7F8AB44715F204126E905BB280D7789985CBA0
            APIs
            • GetSystemTime.KERNEL32(?), ref: 00705F3F
            • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00705F53
            • GetLastError.KERNEL32 ref: 00705F65
            • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 00705FB8
            • GetLastError.KERNEL32 ref: 00705FC2
            Strings
            • Failed to get the Date., xrefs: 00705FE6
            • Failed to get the required buffer length for the Date., xrefs: 00705F89
            • Failed to set variant value., xrefs: 00705FFF
            • variable.cpp, xrefs: 00705F7F, 00705FDC
            • Failed to allocate the buffer for the Date., xrefs: 00705FA0
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: DateErrorFormatLast$SystemTime
            • String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
            • API String ID: 2700948981-3682088697
            • Opcode ID: 13ce1ace519b02b3395514ed87ed8dd4f392e9f17fb930af25aa2103afb9c357
            • Instruction ID: a39779aa851fcbde6e1775a078f386625a0afdeeb11e8cbf972e74fdab64a297
            • Opcode Fuzzy Hash: 13ce1ace519b02b3395514ed87ed8dd4f392e9f17fb930af25aa2103afb9c357
            • Instruction Fuzzy Hash: 4031AB75A40719FBD721ABE5DC45EAF76E8EB04710F114126FA01F71D0EB7C9D0086A5
            APIs
            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00705386,?,?), ref: 0071E84A
            • GetLastError.KERNEL32(?,00705386,?,?), ref: 0071E857
            • CreateThread.KERNEL32(00000000,00000000,0071E563,?,00000000,00000000), ref: 0071E8B0
            • GetLastError.KERNEL32(?,00705386,?,?), ref: 0071E8BD
            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,00705386,?,?), ref: 0071E8F8
            • CloseHandle.KERNEL32(00000000,?,00705386,?,?), ref: 0071E917
            • CloseHandle.KERNEL32(?,?,00705386,?,?), ref: 0071E924
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
            • String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
            • API String ID: 2351989216-3599963359
            • Opcode ID: f167159870f9235c33a046b289e7d7e99bbdc1d75d75835354afe555e57bcde4
            • Instruction ID: 1eef2ae8ae542f6cb0f2e4606e51c42e4ef31a5f523c930b1a02e2c41f230548
            • Opcode Fuzzy Hash: f167159870f9235c33a046b289e7d7e99bbdc1d75d75835354afe555e57bcde4
            • Instruction Fuzzy Hash: 533121B5E40219FBEB109FAD9D85AEFBAECEB08351F114126ED05F3190D7749E408AA1
            APIs
            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,00705386,?,?), ref: 0071E415
            • GetLastError.KERNEL32(?,?,00705386,?,?), ref: 0071E422
            • CreateThread.KERNEL32(00000000,00000000,0071E177,00000000,00000000,00000000), ref: 0071E481
            • GetLastError.KERNEL32(?,?,00705386,?,?), ref: 0071E48E
            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00705386,?,?), ref: 0071E4C9
            • CloseHandle.KERNEL32(?,?,?,00705386,?,?), ref: 0071E4DD
            • CloseHandle.KERNEL32(?,?,?,00705386,?,?), ref: 0071E4EA
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
            • String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
            • API String ID: 2351989216-1977201954
            • Opcode ID: 33c59be734407b4cf8602df61b2373e5b0b939be8f53e8a8f696d66a4e132333
            • Instruction ID: d8d197d558d1517aee2f6915aa18952d90e8d9490495194cf86e04b721b7bc30
            • Opcode Fuzzy Hash: 33c59be734407b4cf8602df61b2373e5b0b939be8f53e8a8f696d66a4e132333
            • Instruction Fuzzy Hash: B7317EB5D00219FAEB109BA99C45AEFBBF8EB45711F10812AFD14F2190D7788E40CAA5
            APIs
            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,74DF2F60,?,?,007052FD,007052B5,00000000,0070533D), ref: 00721249
            • GetLastError.KERNEL32 ref: 0072125C
            • GetExitCodeThread.KERNEL32(0074B478,?), ref: 0072129E
            • GetLastError.KERNEL32 ref: 007212AC
            • ResetEvent.KERNEL32(0074B450), ref: 007212E7
            • GetLastError.KERNEL32 ref: 007212F1
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
            • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
            • API String ID: 2979751695-3400260300
            • Opcode ID: 3a68eab9b6fc286fedd55fcfc3424103149936e1b76bb38cc943dbeaddc016d7
            • Instruction ID: ec24fbbdd94f18a191a1cfa3d2938001b1e418a29dd5c8112a717de999549c3b
            • Opcode Fuzzy Hash: 3a68eab9b6fc286fedd55fcfc3424103149936e1b76bb38cc943dbeaddc016d7
            • Instruction Fuzzy Hash: 8321E3B4700304FFEB149B799D45ABE76F8FB14301F40422FB846D61A0E778DE009A55
            APIs
            • LoadLibraryW.KERNEL32(?,00000000,?,007046F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00705386,?,?), ref: 0070D5CD
            • GetLastError.KERNEL32(?,007046F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00705386,?,?), ref: 0070D5DA
            • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 0070D612
            • GetLastError.KERNEL32(?,007046F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00705386,?,?), ref: 0070D61E
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLast$AddressLibraryLoadProc
            • String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp$wininet.dll
            • API String ID: 1866314245-1140179540
            • Opcode ID: c18ec9e60158b8dcd10106d8bd857ecdf69fa3489ea9fde0b5fa248bf1b10007
            • Instruction ID: 6d6b11153136aeb094f518667a87d8097081bca806569edddf97fa5f9c90149f
            • Opcode Fuzzy Hash: c18ec9e60158b8dcd10106d8bd857ecdf69fa3489ea9fde0b5fa248bf1b10007
            • Instruction Fuzzy Hash: 6511E976A40721EBEB315AA99C05F5736D8EF05791F01422AFD09E71D0E72DCC0086D5
            APIs
            • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 00719297
            • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 007192BB
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLast
            • String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$cache.cpp
            • API String ID: 1452528299-4263581490
            • Opcode ID: c2bfec0797c9f9952c1bff9a52ef8e9cb074c26fececd6213c8c063126092c1a
            • Instruction ID: 3359fdd3a3483b3f724750719b5ee19b407ce95c51429ee2c40988c002bb9fa4
            • Opcode Fuzzy Hash: c2bfec0797c9f9952c1bff9a52ef8e9cb074c26fececd6213c8c063126092c1a
            • Instruction Fuzzy Hash: D27187B1D00269EAEB11DBA8CC45BEFB7F8AB08710F114125ED14F7291E7789D458BA0
            APIs
              • Part of subcall function 00713955: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00713E61,feclient.dll,?,00000000,?,?,?,00704A0C), ref: 007139F1
            • Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00704A0C,?,?,0074B478,?,00000001,00000000,00000000), ref: 00713EF8
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseSleep
            • String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$feclient.dll$log
            • API String ID: 2834455192-908643386
            • Opcode ID: f9bc6d406bd803140347e7d4a6ac22b4f8b7f01d240e0b1c51c72c37fee8eb02
            • Instruction ID: cc512060a7c079e4080cb79fbf0206558f6e670c4a0f9dd847a9d0f7d66d7be2
            • Opcode Fuzzy Hash: f9bc6d406bd803140347e7d4a6ac22b4f8b7f01d240e0b1c51c72c37fee8eb02
            • Instruction Fuzzy Hash: F161D2B1A00215FBDB219B7CCC4ABBA76A8EF04350B044269F901DB1D1E7BDEED49791
            APIs
            • GetWindowLongW.USER32(?,000000EB), ref: 0071E326
            • DefWindowProcW.USER32(?,00000082,?,?), ref: 0071E364
            • SetWindowLongW.USER32(?,000000EB,00000000), ref: 0071E371
            • SetWindowLongW.USER32(?,000000EB,?), ref: 0071E380
            • DefWindowProcW.USER32(?,?,?,?), ref: 0071E38E
            • CreateCompatibleDC.GDI32(?), ref: 0071E39A
            • SelectObject.GDI32(00000000,00000000), ref: 0071E3AB
            • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0071E3CD
            • SelectObject.GDI32(00000000,00000000), ref: 0071E3D5
            • DeleteDC.GDI32(00000000), ref: 0071E3D8
            • PostQuitMessage.USER32(00000000), ref: 0071E3E6
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
            • String ID:
            • API String ID: 409979828-0
            • Opcode ID: 2c2b1d85c8f9ba6174aeb9eeeabd67faf836f7a67e68b0c255316c26910ac9ab
            • Instruction ID: e75bca64765f90b7ec36709ade3c639db2e3e3b2aad26829a88fccdff7aa76fe
            • Opcode Fuzzy Hash: 2c2b1d85c8f9ba6174aeb9eeeabd67faf836f7a67e68b0c255316c26910ac9ab
            • Instruction Fuzzy Hash: 89218C36104108BFCB255FB9DC4CEBB3FA9EB4A721B158519FA26971B0D7398C10EB61
            Strings
            • Failed to copy source path., xrefs: 0071A113
            • WixBundleOriginalSource, xrefs: 00719FB3
            • WixBundleLastUsedSource, xrefs: 00719F9D
            • Failed to get bundle layout directory property., xrefs: 0071A083
            • WixBundleLayoutDirectory, xrefs: 0071A068
            • Failed to get current process directory., xrefs: 00719FEF
            • Failed to combine last source with source., xrefs: 0071A00C
            • Failed to combine layout source with source., xrefs: 0071A0A0
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Find$CloseFileFirstlstrlen
            • String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
            • API String ID: 2767606509-3003062821
            • Opcode ID: 0d17c61ddc3216cfb858e0fbd13e50b492d0c724a38212d9b58191c6ada37020
            • Instruction ID: c63b089dcd5e5224487caa6ba9c73649958a1d39991d4721de565dc4b5be1bd6
            • Opcode Fuzzy Hash: 0d17c61ddc3216cfb858e0fbd13e50b492d0c724a38212d9b58191c6ada37020
            • Instruction Fuzzy Hash: FC716E71D01219FBDF15DFA8C845AFEB7B9AF08310F11012AF901B7291E7799D819B61
            APIs
            • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000040,00000000,00000000), ref: 007030C7
            • GetLastError.KERNEL32 ref: 007030D1
            • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00703129
            • GetLastError.KERNEL32 ref: 00703133
            • GetFullPathNameW.KERNEL32(00000000,00000040,00000000,00000000,00000000,00000040,00000000,00000000), ref: 007031EC
            • GetLastError.KERNEL32 ref: 007031F6
            • GetFullPathNameW.KERNEL32(00000000,00000007,00000000,00000000,00000000,00000007), ref: 0070324D
            • GetLastError.KERNEL32 ref: 00703257
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
            • String ID: pathutil.cpp
            • API String ID: 1547313835-741606033
            • Opcode ID: 77fb891a87aac3678970bc47b07fec40605cfe3a2355db5331f0e20a5d3a2a86
            • Instruction ID: f2657b70f03480c060e8ede154a643c7eecee3b2b916c5021c384d640015b74e
            • Opcode Fuzzy Hash: 77fb891a87aac3678970bc47b07fec40605cfe3a2355db5331f0e20a5d3a2a86
            • Instruction Fuzzy Hash: DE61A636E00629EBDF219AB98C49BAE76EDEF48751F114366ED05E7190E738CF009790
            APIs
            • GetTempPathW.KERNEL32(00000104,?,00000001,00000000,00000000), ref: 00702E7A
            • GetLastError.KERNEL32 ref: 00702E84
            • GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00702F1F
            • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00702FAD
            • GetLastError.KERNEL32 ref: 00702FBA
            • Sleep.KERNEL32(00000064), ref: 00702FCC
            • CloseHandle.KERNEL32(?), ref: 0070302C
            Strings
            • %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00702F7D
            • pathutil.cpp, xrefs: 00702EA8
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Similarity
            • API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
            • String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
            APIs
            • PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 007046B5
            • GetCurrentThreadId.KERNEL32 ref: 007046BB
              • Part of subcall function 0071FC51: new.LIBCMT ref: 0071FC58
            • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00704749
            Strings
            • wininet.dll, xrefs: 007046E8
            • Unexpected return value from message pump., xrefs: 0070479F
            • engine.cpp, xrefs: 00704795
            • Failed to start bootstrapper application., xrefs: 00704717
            • Failed to load UX., xrefs: 007046FE
            • Failed to create engine for UX., xrefs: 007046D5
            Similarity
            • API ID: Message$CurrentPeekThread
            • String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
            APIs
            • LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 00718E01
            Strings
            • Failed to allocate access for SYSTEM group to path: %ls, xrefs: 00718D29
            • Failed to allocate access for Users group to path: %ls, xrefs: 00718D6B
            • cache.cpp, xrefs: 00718DAC
            • Failed to create ACL to secure cache path: %ls, xrefs: 00718DB7
            • Failed to secure cache path: %ls, xrefs: 00718DE4
            • Failed to allocate access for Everyone group to path: %ls, xrefs: 00718D4A
            • Failed to allocate access for Administrators group to path: %ls, xrefs: 00718D08
            Similarity
            • API ID: FreeLocal
            • String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
            APIs
            • SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,0072ADE5,?,00000001,00000000), ref: 00729AE1
            • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,0072ADE5,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 00729AEB
            • CopyFileExW.KERNEL32(00000000,00000000,0072993C,00000000,00000020,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00729B39
            • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,0072ADE5,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 00729B68
            Strings
            Similarity
            • API ID: ErrorFileLast$AttributesCopy
            • String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
            APIs
            • CompareStringW.KERNEL32(0000007F,00000000,74DEDFD0,000000FF,name,000000FF,74DEDFD0,?,74DEDFD0,?,74DEDFD0), ref: 00746B2B
            • CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,email,000000FF), ref: 00746B48
            • SysFreeString.OLEAUT32(00000000), ref: 00746B86
            • SysFreeString.OLEAUT32(00000000), ref: 00746BCD
            Strings
            Similarity
            • API ID: String$CompareFree
            • String ID: 9qt$email$name$uri
            APIs
            • LoadBitmapW.USER32(?,00000001), ref: 0071E094
            • GetLastError.KERNEL32 ref: 0071E0A0
            • GetObjectW.GDI32(00000000,00000018,?), ref: 0071E0E7
            • GetCursorPos.USER32(?), ref: 0071E108
            • MonitorFromPoint.USER32(?,?,00000002), ref: 0071E11A
            • GetMonitorInfoW.USER32(00000000,?), ref: 0071E130
            Strings
            Similarity
            • API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
            • String ID: ($Failed to load splash screen bitmap.$splashscreen.cpp
            APIs
              • Part of subcall function 0070CC57: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,0070E336,000000FF,00000000,00000000,0070E336,?,?,0070DADD,?,?,?,?), ref: 0070CC82
            • CreateFileW.KERNEL32(E90074BA,80000000,00000005,00000000,00000003,08000000,00000000,007052BD,0074B450,00000000,007053B5,04680A79,?,007052B5,00000000,00705381), ref: 0070C84F
            • GetLastError.KERNEL32(?,?,?,007175F7,00705565,00705371,00705371,00000000,?,00705381,FFF9E89D,00705381,007053B5,0070533D,?,0070533D), ref: 0070C894
            Strings
            Similarity
            • API ID: CompareCreateErrorFileLastString
            • String ID: =Sp$=Sp$Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
            APIs
            • GetSystemWow64DirectoryW.KERNEL32(?,00000104), ref: 007064F7
            • GetLastError.KERNEL32 ref: 00706505
            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00706546
            • GetLastError.KERNEL32 ref: 00706550
            Strings
            • Failed to get 32-bit system folder., xrefs: 0070653F
            • Failed to get 64-bit system folder., xrefs: 0070657E
            • Failed to set system folder variant value., xrefs: 007065BE
            • Failed to backslash terminate system folder., xrefs: 007065A2
            • variable.cpp, xrefs: 00706535, 00706574
            Similarity
            • API ID: DirectoryErrorLastSystem$Wow64
            • String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
            APIs
            • GetCurrentProcessId.KERNEL32(?,00000000,?,?,0074B4F0), ref: 00714EDB
            • GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 00714F79
            • CloseHandle.KERNEL32(00000000), ref: 00714F92
            Strings
            Similarity
            • API ID: Process$CloseCurrentHandle
            • String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
            APIs
            • GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 00706746
            • GetProcAddress.KERNEL32(00000000), ref: 0070674D
            • GetLastError.KERNEL32 ref: 00706757
            Strings
            • Failed to get msi.dll version info., xrefs: 0070679F
            • Failed to set variant value., xrefs: 007067C3
            • DllGetVersion, xrefs: 00706738
            • msi, xrefs: 0070673D
            • variable.cpp, xrefs: 0070677B
            • Failed to find DllGetVersion entry point in msi.dll., xrefs: 00706785
            Similarity
            • API ID: AddressErrorHandleLastModuleProc
            • String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
            APIs
            • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0070111A,cabinet.dll,00000009,?,?,00000000), ref: 00701185
            • GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,0070111A,cabinet.dll,00000009,?,?,00000000), ref: 00701190
            • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0070119E
            • GetLastError.KERNEL32(?,?,?,?,0070111A,cabinet.dll,00000009,?,?,00000000), ref: 007011B9
            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 007011C1
            • GetLastError.KERNEL32(?,?,?,?,0070111A,cabinet.dll,00000009,?,?,00000000), ref: 007011D6
            Strings
            Similarity
            • API ID: AddressErrorLastProc$HandleHeapInformationModule
            • String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
            APIs
            • EnterCriticalSection.KERNEL32(?), ref: 0071F3FB
            • LeaveCriticalSection.KERNEL32(?), ref: 0071F576
            Strings
            • UX requested unknown payload with id: %ls, xrefs: 0071F450
            • UX denied while trying to set download URL on embedded payload: %ls, xrefs: 0071F466
            • Failed to set download URL., xrefs: 0071F4D5
            • Engine is active, cannot change engine state., xrefs: 0071F415
            • UX did not provide container or payload id., xrefs: 0071F565
            • Failed to set download user., xrefs: 0071F4FE
            • UX requested unknown container with id: %ls, xrefs: 0071F4A0
            • Failed to set download password., xrefs: 0071F524
            Similarity
            • API ID: CriticalSection$EnterLeave
            • String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
            APIs
            • GetLastError.KERNEL32(?,000000FF,00AAC56B,?,007052B5,00000000,=Sp), ref: 0071AA90
            • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,000000FF,00AAC56B,?,007052B5,00000000,=Sp), ref: 0071AAD4
            Strings
            • =Sp, xrefs: 0071A9AB
            • Failed to get provider state from authenticode certificate., xrefs: 0071AABE
            • cache.cpp, xrefs: 0071AA66, 0071AAB4, 0071AAF8
            • Failed to verify expected payload against actual certificate chain., xrefs: 0071AB1A
            • =Sp, xrefs: 0071A9A8
            • qSpqSp, xrefs: 0071A9B1
            • Failed authenticode verification of payload: %ls, xrefs: 0071AA71
            • Failed to get signer chain from authenticode certificate., xrefs: 0071AB02
            Similarity
            • API ID: ErrorLast
            • String ID: =Sp$=Sp$Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$cache.cpp$qSpqSp
            APIs
            • CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000000,000000FF,?,00000000,00000000), ref: 00745955
            • GetLastError.KERNEL32 ref: 00745963
            • VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 007459A4
            • GetLastError.KERNEL32 ref: 007459B1
            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00745B26
            • CloseHandle.KERNEL32(?), ref: 00745B35
            Strings
            Similarity
            • API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
            • String ID: GET$dlutil.cpp
            APIs
              • Part of subcall function 00710E7E: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,00710ACD,?,00000000,?,00000000,00000000), ref: 00710EAD
            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 00710C51
            • GetLastError.KERNEL32 ref: 00710C5E
            Strings
            • Failed to create syncpoint event., xrefs: 00710C8C
            • Failed to append payload cache action., xrefs: 00710C08
            • plan.cpp, xrefs: 00710C82
            • Failed to append rollback cache action., xrefs: 00710B2D
            • Failed to append cache action., xrefs: 00710BA8
            • Failed to append package start action., xrefs: 00710AF3
            Similarity
            • API ID: CompareCreateErrorEventLastString
            • String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
            APIs
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00709DDA
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00709DFF
            Strings
            • MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 00709EF3
            • Failed to format product code string., xrefs: 00709E0A
            • Failed to set variable., xrefs: 00709EE3
            • Failed to get component path: %d, xrefs: 00709E63
            • Failed to format component id string., xrefs: 00709DE5
            Similarity
            • API ID: Open@16
            • String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
            APIs
            • CreateThread.KERNEL32(00000000,00000000,0071AB3C,?,00000000,00000000), ref: 0071D0B8
            • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0071D0C4
            • CloseHandle.KERNEL32(00000000,00000000,?,?,0071C59C,00000001,?,?,?,?,?,00000000,00000000,?,?,?), ref: 0071D145
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseCreateErrorHandleLastThread
            • String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$LDp$^Sp$elevation.cpp
            • API String ID: 747004058-4203438278
            • Opcode ID: e934f65d2e2de10e69b4d8c05592febd36099c1e6e2837365b40342c85f7650b
            • Instruction ID: 554ffcb135156133f2cb081dff3c846add288a1a322a50b71ab723a383010b6f
            • Opcode Fuzzy Hash: e934f65d2e2de10e69b4d8c05592febd36099c1e6e2837365b40342c85f7650b
            • Instruction Fuzzy Hash: 3941D7B5D01218AF9B15DFA9D8859EEBBF8EF08310F10412AF908E7340D7749D418F94
            APIs
            • ReadFile.KERNEL32(00000000,?,00000008,?,00000000,?,00000000,00000000,?,00000000,@Gp,?,?,00000000,?,00000000), ref: 00714765
            • GetLastError.KERNEL32 ref: 00714772
            • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 0071481B
            • GetLastError.KERNEL32 ref: 00714825
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorFileLastRead
            • String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$pipe.cpp
            • API String ID: 1948546556-3912962418
            • Opcode ID: 9ad3b61f8f09b4eaa2a92bf316375bfc192fbd594e6543e441810a9d9f712fe1
            • Instruction ID: 06bb3e84a99f7a54c272c8689c3d311bd8d8f1ff1fe4daa22c501025673173f6
            • Opcode Fuzzy Hash: 9ad3b61f8f09b4eaa2a92bf316375bfc192fbd594e6543e441810a9d9f712fe1
            • Instruction Fuzzy Hash: 0031C775A40229FBDB109FA9DC45BEAB7A8EB05752F108126F804E61D0D77CDE8487D1
            APIs
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0070F315
              • Part of subcall function 00704013: CreateDirectoryW.KERNELBASE(0070533D,007053B5,00000000,00000000,?,00719EE4,00000000,00000000,0070533D,00000000,007052B5,00000000,?,=Sp,0070D4AC,=Sp), ref: 00704021
              • Part of subcall function 00704013: GetLastError.KERNEL32(?,00719EE4,00000000,00000000,0070533D,00000000,007052B5,00000000,?,=Sp,0070D4AC,=Sp,00000000,00000000), ref: 0070402F
            • lstrlenA.KERNEL32(0074B4F0,00000000,00000094,00000000,00000094,?,?,00710328,swidtag,00000094,?,0074B508,00710328,00000000,?,00000000), ref: 0070F368
              • Part of subcall function 00744C67: CreateFileW.KERNEL32(0074B4F0,40000000,00000001,00000000,00000002,00000080,00000000,00710328,00000000,?,0070F37F,?,00000080,0074B4F0,00000000), ref: 00744C7F
              • Part of subcall function 00744C67: GetLastError.KERNEL32(?,0070F37F,?,00000080,0074B4F0,00000000,?,00710328,?,00000094,?,?,?,?,?,00000000), ref: 00744C8C
            Strings
            • Failed to allocate regid folder path., xrefs: 0070F3C7
            • Failed to create regid folder: %ls, xrefs: 0070F3B0
            • swidtag, xrefs: 0070F328
            • Failed to allocate regid file path., xrefs: 0070F3C0
            • Failed to write tag xml to file: %ls, xrefs: 0070F3A6
            • Failed to format tag folder path., xrefs: 0070F3CE
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
            • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$swidtag
            • API String ID: 904508749-1201533908
            • Opcode ID: ba834c052c75cee469373f5baaca6d53cfce977daede87881aba44aa5da0c70c
            • Instruction ID: 29e954de628c3872d6627b86619a99b6cdd0a00c6d861835a28e647f0aaa5cc3
            • Opcode Fuzzy Hash: ba834c052c75cee469373f5baaca6d53cfce977daede87881aba44aa5da0c70c
            • Instruction Fuzzy Hash: 0B318072D01219FFCB219E94DC45B9DFBF4AF04721F108276F900AA6D1E7B99E50AB90
            APIs
            • WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,00705386,00000000,00000000,?,00000000), ref: 00715292
            • GetLastError.KERNEL32(?,?,?,00704B5B,?,?,00000000,?,?,?,?,?,?,0074B490,?,?), ref: 0071529D
            Strings
            • Failed to post terminate message to child process., xrefs: 0071527D
            • pipe.cpp, xrefs: 007152C1
            • Failed to post terminate message to child process cache thread., xrefs: 00715261
            • Failed to write exit code to message buffer., xrefs: 0071520D
            • Failed to wait for child process exit., xrefs: 007152CB
            • Failed to write restart to message buffer., xrefs: 00715235
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLastObjectSingleWait
            • String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
            • API String ID: 1211598281-2161881128
            • Opcode ID: 70ea9178c7d46a8fbbe62b08b8517bb1581e977839fd663f62d9c2980a839008
            • Instruction ID: 3925b9297fd53ff0fa6e2b33b1c7005764200a63fcf453a97497b7f26e65c6c8
            • Opcode Fuzzy Hash: 70ea9178c7d46a8fbbe62b08b8517bb1581e977839fd663f62d9c2980a839008
            • Instruction Fuzzy Hash: 6321D2B3940A29FBDB165BA89C05EDE7BA8FB40361F110316F900B61D0D77C9E90A6E0
            APIs
            • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,00719CFF,00000003,000007D0,00000003,?,000007D0), ref: 00718EAC
            • GetLastError.KERNEL32(?,00719CFF,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000000,-00000004), ref: 00718EB9
            • CloseHandle.KERNEL32(00000000,?,00719CFF,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000000), ref: 00718F80
            Strings
            • cache.cpp, xrefs: 00718EEF
            • Failed to open payload at path: %ls, xrefs: 00718EFC
            • Failed to verify catalog signature of payload: %ls, xrefs: 00718F47
            • Failed to verify signature of payload: %ls, xrefs: 00718F28
            • Failed to verify hash of payload: %ls, xrefs: 00718F6B
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseCreateErrorFileHandleLast
            • String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
            • API String ID: 2528220319-2757871984
            • Opcode ID: f326f36da8dcc18d36184e3b927d0fd4d27988c4117cdc6ca403bfac877f6318
            • Instruction ID: 8d179147de9536999acb2cbb2c423430f5d04700b60baebd0b3383e5846aae0e
            • Opcode Fuzzy Hash: f326f36da8dcc18d36184e3b927d0fd4d27988c4117cdc6ca403bfac877f6318
            • Instruction Fuzzy Hash: CE212436640624BAD7622A6C8C4AFDA7A1EBF01771F144211FD10761E0DB7D9CE2EAD2
            APIs
            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00706A03
            • GetLastError.KERNEL32 ref: 00706A0D
            • GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 00706A51
            • GetLastError.KERNEL32 ref: 00706A5B
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLast$DirectoryNamePathVolumeWindows
            • String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
            • API String ID: 124030351-4026719079
            • Opcode ID: 89f61856369e53105bf4bec1a5987b594a3355ecd07cff9d4a2872b4f7e0b316
            • Instruction ID: ac87cdd28ee409a6c22cd5585ff014f4cc9b32861106c82043b1173df045c345
            • Opcode Fuzzy Hash: 89f61856369e53105bf4bec1a5987b594a3355ecd07cff9d4a2872b4f7e0b316
            • Instruction Fuzzy Hash: E821B5B6F40328EAE720A6649C49FAB72ECDB45710F018266FD05F7181E77C9D4086E5
            APIs
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00709B5A
            • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 00709B72
            • GetLastError.KERNEL32 ref: 00709B81
            Strings
            • Failed to set variable., xrefs: 00709C07
            • File search: %ls, did not find path: %ls, xrefs: 00709BD5
            • search.cpp, xrefs: 00709BB3
            • Failed to format variable string., xrefs: 00709B65
            • Failed get to file attributes. '%ls', xrefs: 00709BC0
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: AttributesErrorFileLastOpen@16
            • String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
            • API String ID: 1811509786-2053429945
            • Opcode ID: c62bfb011729250c28e199a5cc423b7f3062ffb9f695f7d399c70f6cc431ef63
            • Instruction ID: a154c3f4840bed938ad345886a9a5c8c54d1f701f28e8b0f94e8a80272bfa989
            • Opcode Fuzzy Hash: c62bfb011729250c28e199a5cc423b7f3062ffb9f695f7d399c70f6cc431ef63
            • Instruction Fuzzy Hash: FC21F772E40218FBDB116AB49D46A6EB7E9EF15320F204316FA00A51D2E7789D50D6E1
            APIs
            • TlsSetValue.KERNEL32(?,?), ref: 0071AB53
            • GetLastError.KERNEL32 ref: 0071AB5D
            • CoInitializeEx.OLE32(00000000,00000000), ref: 0071AB9C
            • CoUninitialize.OLE32(?,0071C4F4,?,?), ref: 0071ABD9
            Strings
            • Failed to set elevated cache pipe into thread local storage for logging., xrefs: 0071AB8B
            • Failed to pump messages in child process., xrefs: 0071ABC7
            • Failed to initialize COM., xrefs: 0071ABA8
            • elevation.cpp, xrefs: 0071AB81
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorInitializeLastUninitializeValue
            • String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
            • API String ID: 876858697-113251691
            • Opcode ID: 35fbf752dcc39aa1b5b3d1fcd61460a1659d79749d504d2dcacfb1b0a5d54421
            • Instruction ID: 0e25350bdf90cccd302ff1c9b0719178b9fa3550ad378a1597108209707fa8d5
            • Opcode Fuzzy Hash: 35fbf752dcc39aa1b5b3d1fcd61460a1659d79749d504d2dcacfb1b0a5d54421
            • Instruction Fuzzy Hash: 801136B290A274FB97211B6D9C09DDFBA9CEF05B21B004116FC00F3290EB7C9C4096D6
            APIs
              • Part of subcall function 00740E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00745699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00740E52
            • RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00705C77
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseOpen
            • String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
            • API String ID: 47109696-3209209246
            • Opcode ID: 791689d726f97cf7860e2a7f7a42d3be0e14f66972353cedd69702658edb5bf7
            • Instruction ID: f2870a41b957d7aaff54bee9f9bae0bade156ea198cc647869cc76f0580cffdd
            • Opcode Fuzzy Hash: 791689d726f97cf7860e2a7f7a42d3be0e14f66972353cedd69702658edb5bf7
            • Instruction Fuzzy Hash: 4C01F572B4062DF7DB226A54DD0AE9F77A8DB00B60F10436AF900B6291D77C8E10E6E0
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: __alldvrm$_strrchr
            • String ID: &.s$&.s$&.s
            • API String ID: 1036877536-504008137
            • Opcode ID: f3a74c95afe91129e83f4a200ae329e72b68e1b987d16e4549aa364eb4fd1ab8
            • Instruction ID: 5f209d5512cc3e88adb0e7e046dd97dec9bbcd704f5e7c01aad958505adb4600
            • Opcode Fuzzy Hash: f3a74c95afe91129e83f4a200ae329e72b68e1b987d16e4549aa364eb4fd1ab8
            • Instruction Fuzzy Hash: 16A13772A10386AFFB25CF28C8917AEBBE5EF51350F24816DD5859B283D73C9941CB60
            APIs
            • SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,00000001,00000000,?), ref: 0072A0F1
            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0072A0FB
            Strings
            • download, xrefs: 0072A0BB
            • :, xrefs: 0072A174
            • apply.cpp, xrefs: 0072A11F
            • Failed attempt to download URL: '%ls' to: '%ls', xrefs: 0072A1D8
            • Failed to clear readonly bit on payload destination path: %ls, xrefs: 0072A12A
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: AttributesErrorFileLast
            • String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
            • API String ID: 1799206407-1905830404
            • Opcode ID: b3f8a7345cdbdf6a5b5d860a2a14493fd04365bd754c36d46113cee9686a73ed
            • Instruction ID: f8b6f7889415337f54637c5f94b63a95bfedaa42bdedd9c176e67ab0a796ee7c
            • Opcode Fuzzy Hash: b3f8a7345cdbdf6a5b5d860a2a14493fd04365bd754c36d46113cee9686a73ed
            • Instruction Fuzzy Hash: 45518F71A00229FFDB21DFA8D844EAAB7B5FF04710F108069E905EB251E379DE50CB92
            APIs
            • CompareStringW.KERNEL32(0000007F,00000000,74DEDFD0,000000FF,type,000000FF,?,74DEDFD0,74DEDFD0,74DEDFD0), ref: 00746DFE
            • SysFreeString.OLEAUT32(00000000), ref: 00746E49
            • SysFreeString.OLEAUT32(00000000), ref: 00746EC5
            • SysFreeString.OLEAUT32(00000000), ref: 00746F11
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: String$Free$Compare
            • String ID: type$url
            • API String ID: 1324494773-1247773906
            • Opcode ID: 13ef57dde5a48d4791fa548898c80e57aff98b8247baa0f8c7adbf9f12dd7aa7
            • Instruction ID: 4a79347aa245d763886724de4c8cf900a88bd1216aa7375b13e797b06615e7f4
            • Opcode Fuzzy Hash: 13ef57dde5a48d4791fa548898c80e57aff98b8247baa0f8c7adbf9f12dd7aa7
            • Instruction Fuzzy Hash: CA515C75901229FFCF15DFA4C848EAEBBB8AF05721F1042A9E811EB1A0D739DE44DB51
            APIs
              • Part of subcall function 007038D4: GetProcessHeap.KERNEL32(?,000001C7,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038E5
              • Part of subcall function 007038D4: RtlAllocateHeap.NTDLL(00000000,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038EC
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000000,?,?,00728E1F,000002C0,00000100), ref: 007483AD
            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,00728E1F,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 007483C8
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CompareHeapString$AllocateProcess
            • String ID: application$apuputil.cpp$http://appsyndication.org/2006/appsyn$type
            • API String ID: 2664528157-4206478990
            • Opcode ID: ce69da7386197b889bcb923c78b840af4f9a90c77e0c91eb4afa1be327729208
            • Instruction ID: f14e8bba39597113d1e9fa465c0c7a1b4ccf707c3d05e5eac766a7df8db4b1c9
            • Opcode Fuzzy Hash: ce69da7386197b889bcb923c78b840af4f9a90c77e0c91eb4afa1be327729208
            • Instruction Fuzzy Hash: 5951A371A04309EBDBA19F58CC85F2EB7A5EB04760F208214F965EB2D1DB78ED40DB11
            APIs
            • GetLastError.KERNEL32 ref: 007463B7
            • DeleteFileW.KERNEL32(00000000,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 007464AE
            • CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 007464BD
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseDeleteErrorFileHandleLast
            • String ID: Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
            • API String ID: 3522763407-1704223933
            • Opcode ID: c971277c8270ce8392e259e6360140bd99f9ef591384e5ba1ff00da91be6f349
            • Instruction ID: 81a2b306fa0a0188d3af3226635a762d2327d0705dae7bf67a9ca0a162e94591
            • Opcode Fuzzy Hash: c971277c8270ce8392e259e6360140bd99f9ef591384e5ba1ff00da91be6f349
            • Instruction Fuzzy Hash: BF516976D00219FBDF129FA8CC45EEEBBB8EF09710F008155FA14E6190E7389A50DBA1
            APIs
            • _memcmp.LIBVCRUNTIME ref: 0071910E
              • Part of subcall function 00745587: GetLastError.KERNEL32(?,?,00719133,3BF4468B,00000003,00000000,?), ref: 007455A6
            • _memcmp.LIBVCRUNTIME ref: 00719148
            • GetLastError.KERNEL32 ref: 007191C2
            Strings
            • Failed to get certificate public key identifier., xrefs: 007191F0
            • cache.cpp, xrefs: 007191E6
            • Failed to read certificate thumbprint., xrefs: 007191B6
            • Failed to find expected public key in certificate chain., xrefs: 00719183
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLast_memcmp
            • String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
            • API String ID: 3428363238-3408201827
            • Opcode ID: c146d88db1798626beb67f82ad2e535e7d37948a4f7d6445e9f995868ccf16de
            • Instruction ID: 0dd1e62b6a4a5f5b71363176477aaaf8a7ba0935aa25a15a940a6ce1a09b3c39
            • Opcode Fuzzy Hash: c146d88db1798626beb67f82ad2e535e7d37948a4f7d6445e9f995868ccf16de
            • Instruction Fuzzy Hash: E9417471E0021AFFDB10DBA9D855AEAB3F9AB08710F004125FA05E7291D778ED85DBA4
            APIs
            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,?,00000000,?), ref: 0071054A
            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,?,00000000,?), ref: 00710559
              • Part of subcall function 00740AD5: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,00710491,?,00000000,00020006), ref: 00740AFA
            Strings
            • Failed to delete registration key: %ls, xrefs: 007104F8
            • Failed to write volatile reboot required registry key., xrefs: 00710495
            • %ls.RebootRequired, xrefs: 00710467
            • Failed to update resume mode., xrefs: 0071052E
            • Failed to open registration key., xrefs: 00710591
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Close$Create
            • String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.
            APIs
            • lstrlenW.KERNEL32(?,00000000,00000000,BundleUpgradeCode,?,00020006,00000000,?,?,?,00000001), ref: 00741479
            • lstrlenW.KERNEL32(?,00000000,00000000,?,00000000,00000001,00000000,00000000,BundleUpgradeCode,?,00020006,00000000,?,?,?,00000001), ref: 007414F1
            • lstrlenW.KERNEL32(?,?,?,?,00000001), ref: 007414FD
            • RegSetValueExW.ADVAPI32(00020006,?,00000000,00000007,00000000,?,00000000,?,?,00000000,00000001,00000000,00000000,BundleUpgradeCode,?,00020006), ref: 0074153D
            Strings
            Similarity
            • API ID: lstrlen$Value
            • String ID: @dv$BundleUpgradeCode$regutil.cpp
            APIs
            • RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0070F7CD
            • RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0070F7DA
            Strings
            • Resume, xrefs: 0070F741
            • Failed to read Resume value., xrefs: 0070F763
            • %ls.RebootRequired, xrefs: 0070F6BA
            • Failed to open registration key., xrefs: 0070F736
            • Failed to format pending restart registry key to read., xrefs: 0070F6D1
            Similarity
            • API ID: Close
            • String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
            Strings
            Similarity
            • API ID:
            • String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
            APIs
            • CoCreateInstance.OLE32(00760A84,00000000,00000017,00760A94,?,?,00000000,00000000,?,?,?,?,?,0072DCAE,00000000,00000000), ref: 0072D6AF
            Strings
            • Failed to set notification flags for BITS job., xrefs: 0072D701
            • Failed to set BITS job to foreground., xrefs: 0072D730
            • WixBurn, xrefs: 0072D6DA
            • Failed to create IBackgroundCopyManager., xrefs: 0072D6BB
            • Failed to create BITS job., xrefs: 0072D6E9
            • Failed to set progress timeout., xrefs: 0072D719
            Similarity
            • API ID: CreateInstance
            • String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
            APIs
            • CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 00745CB2
            • GetLastError.KERNEL32 ref: 00745CBF
            • ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 00745D06
            • CloseHandle.KERNEL32(00000000,dlutil.cpp,000000C8,00000000), ref: 00745D6E
            Strings
            Similarity
            • API ID: File$CloseCreateErrorHandleLastRead
            • String ID: %ls.R$dlutil.cpp
            APIs
            • WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,00000000,?,?,?,?,0072D439,?), ref: 0072D145
            • ReleaseMutex.KERNEL32(?,?,?,?,0072D439,?), ref: 0072D161
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0072D1A4
            • ReleaseMutex.KERNEL32(?), ref: 0072D1BB
            • SetEvent.KERNEL32(?), ref: 0072D1C4
            Strings
            • Failed to send files in use message from netfx chainer., xrefs: 0072D20A
            • Failed to get message from netfx chainer., xrefs: 0072D1E5
            Similarity
            • API ID: MutexObjectReleaseSingleWait$Event
            • String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
            APIs
            • CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 0074089A
            • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 007408A4
            • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 007408ED
            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 007408FA
            Strings
            Similarity
            • API ID: CloseHandle$CreateErrorLastProcess
            • String ID: "%ls" %ls$D$procutil.cpp
            APIs
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00709A86
            • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,0070A7A9,00000100,000002C0,000002C0,00000100), ref: 00709AA6
            • GetLastError.KERNEL32(?,0070A7A9,00000100,000002C0,000002C0,00000100), ref: 00709AB1
            Strings
            • Failed while searching directory search: %ls, for path: %ls, xrefs: 00709B06
            • Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 00709B1C
            • Failed to format variable string., xrefs: 00709A91
            • Failed to set directory search path variable., xrefs: 00709AE1
            Similarity
            • API ID: AttributesErrorFileLastOpen@16
            • String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
            APIs
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00709C52
            • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,0070A781,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 00709C72
            • GetLastError.KERNEL32(?,0070A781,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00709C7D
            Strings
            • File search: %ls, did not find path: %ls, xrefs: 00709CE0
            • Failed to set variable to file search path., xrefs: 00709CD4
            • Failed to format variable string., xrefs: 00709C5D
            • Failed while searching file search: %ls, for path: %ls, xrefs: 00709CAA
            Similarity
            • API ID: AttributesErrorFileLastOpen@16
            • String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
            APIs
              • Part of subcall function 007038D4: GetProcessHeap.KERNEL32(?,000001C7,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038E5
              • Part of subcall function 007038D4: RtlAllocateHeap.NTDLL(00000000,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038EC
            • _memcpy_s.LIBCMT ref: 0071449E
            • _memcpy_s.LIBCMT ref: 007144B1
            • _memcpy_s.LIBCMT ref: 007144CC
            Strings
            Similarity
            • API ID: _memcpy_s$Heap$AllocateProcess
            • String ID: @Gp$Failed to allocate memory for message.$feclient.dll$pipe.cpp
            APIs
            • WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,0071D134,00000000,?,?,0071C59C,00000001,?,?,?,?,?), ref: 0071CD06
            • GetLastError.KERNEL32(?,?,0071D134,00000000,?,?,0071C59C,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0071CD10
            • GetExitCodeThread.KERNEL32(00000001,?,?,?,0071D134,00000000,?,?,0071C59C,00000001,?,?,?,?,?,00000000), ref: 0071CD4C
            • GetLastError.KERNEL32(?,?,0071D134,00000000,?,?,0071C59C,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0071CD56
            Strings
            Similarity
            • API ID: ErrorLast$CodeExitObjectSingleThreadWait
            • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
            APIs
            • WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,00716CFB,@Gp,?,00000000,?,00000000,00000001), ref: 007167BD
            • GetLastError.KERNEL32(?,00716CFB,@Gp,?,00000000,?,00000000,00000001), ref: 007167C7
            • GetExitCodeThread.KERNEL32(00000001,00000000,?,00716CFB,@Gp,?,00000000,?,00000000,00000001), ref: 00716806
            • GetLastError.KERNEL32(?,00716CFB,@Gp,?,00000000,?,00000000,00000001), ref: 00716810
            Strings
            Similarity
            • API ID: ErrorLast$CodeExitObjectSingleThreadWait
            • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
            APIs
            • EnterCriticalSection.KERNEL32(?), ref: 0071F59B
            • LeaveCriticalSection.KERNEL32(?), ref: 0071F6A8
            Strings
            • UX requested unknown payload with id: %ls, xrefs: 0071F607
            • Failed to set source path for container., xrefs: 0071F68D
            • Failed to set source path for payload., xrefs: 0071F637
            • UX denied while trying to set source on embedded payload: %ls, xrefs: 0071F61D
            • Engine is active, cannot change engine state., xrefs: 0071F5B5
            • UX requested unknown container with id: %ls, xrefs: 0071F667
            Similarity
            • API ID: CriticalSection$EnterLeave
            • String ID: Engine is active, cannot change engine state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
            APIs
            • lstrlenW.KERNEL32(00000000), ref: 007070E7
            Strings
            • Failed to allocate buffer for escaped string., xrefs: 007070FE
            • [\%c], xrefs: 00707146
            • []{}, xrefs: 00707111
            • Failed to copy string., xrefs: 0070719B
            • Failed to append escape sequence., xrefs: 0070717A
            • Failed to format escape sequence., xrefs: 00707181
            • Failed to append characters., xrefs: 00707173
            Similarity
            • API ID: lstrlen
            • String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
            APIs
            • CompareStringW.KERNEL32(00000000,00000000,0074B4F0,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,0072659B,?,00000001,?,0074B490), ref: 00725A19
            Strings
            • Failed grow array of ordered patches., xrefs: 00725AB2
            • Failed to copy target product code., xrefs: 00725B4C
            • Failed to insert execute action., xrefs: 00725A6E
            • feclient.dll, xrefs: 00725A0F, 00725B39
            • Failed to plan action for target product., xrefs: 00725AC4
            Similarity
            • API ID: CompareString
            • String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
            APIs
            • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,00716F20,000000B8,0000001C,00000100), ref: 00729068
            • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,0074B4A8,000000FF,?,?,?,00716F20,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 00729101
            Strings
            • Failed to initialize update bundle., xrefs: 007291A9
            • BA aborted detect forward compatible bundle., xrefs: 0072916D
            • comres.dll, xrefs: 00729187
            • detect.cpp, xrefs: 00729163
            Similarity
            • API ID: CompareString
            • String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$comres.dll$detect.cpp
            APIs
            • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0073D132,?,00000000,?,00000000,00000000), ref: 0073C9FF
            • __fassign.LIBCMT ref: 0073CA7A
            • __fassign.LIBCMT ref: 0073CA95
            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0073CABB
            • WriteFile.KERNEL32(?,?,00000000,0073D132,00000000,?,?,?,?,?,?,?,?,?,0073D132,?), ref: 0073CADA
            • WriteFile.KERNEL32(?,?,00000001,0073D132,00000000,?,?,?,?,?,?,?,?,?,0073D132,?), ref: 0073CB13
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
            • String ID:
            • API String ID: 1324828854-0
            • Opcode ID: c32d9e75ba7a3062c28130564ff0c38c47c232c08225a7253f95427465bf9ddd
            • Instruction ID: 8ff9c0ead3c2e83c1d160f6aa8f3dca093648386fb4cc62eebe8084bacac1b48
            • Opcode Fuzzy Hash: c32d9e75ba7a3062c28130564ff0c38c47c232c08225a7253f95427465bf9ddd
            • Instruction Fuzzy Hash: 8E51A3B190024DAFDB11CFA8DC85AEEBBF4EF0A300F14811AE555F7252E7749940CBA4
            APIs
            • CloseHandle.KERNEL32(00000000,?,?,00000001,0074B4F0,?,00000001,000000FF,?,?,75C0B390,00000000,00000001,00000000,?,007172F3), ref: 0071D32F
            Strings
            • Failed to elevate., xrefs: 0071D311
            • UX aborted elevation requirement., xrefs: 0071D244
            • Failed to connect to elevated child process., xrefs: 0071D318
            • Failed to create pipe name and client token., xrefs: 0071D270
            • elevation.cpp, xrefs: 0071D23A
            • Failed to create pipe and cache pipe., xrefs: 0071D28C
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseHandle
            • String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
            • API String ID: 2962429428-3003415917
            • Opcode ID: a29c5c7edc545a023364df772b958a7e3469d3076ae98c297cfb5bfd1fc901b5
            • Instruction ID: 3e1cf537b19cd656635fb633e0f5122f99675eb7b7c91fab3a5ca13131d70510
            • Opcode Fuzzy Hash: a29c5c7edc545a023364df772b958a7e3469d3076ae98c297cfb5bfd1fc901b5
            • Instruction Fuzzy Hash: C8314872A44721FAE735A66C9C4AFEF629CAF00730F100205F915B61C1DAACED809AA5
            APIs
            • EnterCriticalSection.KERNEL32(0076B60C,00000000,?,?,?,00705407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 0074042B
            • CreateFileW.KERNEL32(40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,0076B604,?,00705407,00000000,Setup), ref: 007404CC
            • GetLastError.KERNEL32(?,00705407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 007404DC
            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00705407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 00740515
              • Part of subcall function 00702DE0: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00702F1F
            • LeaveCriticalSection.KERNEL32(0076B60C,?,?,0076B604,?,00705407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 0074056E
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
            • String ID: logutil.cpp
            • API String ID: 4111229724-3545173039
            • Opcode ID: 3ec302d3c1f28db4515209c105430351b61e169470f6e8b31fb13e74ae1fc3b1
            • Instruction ID: fc95695ec2d74744b5170ae8ec3d60025ba3f3eff4e3432542c973014c9c9cdc
            • Opcode Fuzzy Hash: 3ec302d3c1f28db4515209c105430351b61e169470f6e8b31fb13e74ae1fc3b1
            • Instruction Fuzzy Hash: 9931C7B5A01319FFDB21AF64DD85E6A7668EB01750F004225FF01E6161D7BCCD509BE4
            APIs
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 007237B7
            Strings
            • Failed to append property string part., xrefs: 0072382B
            • %s%="%s", xrefs: 007237EA
            • Failed to format property string part., xrefs: 00723832
            • Failed to format property value., xrefs: 00723840
            • Failed to escape string., xrefs: 00723839
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Open@16
            • String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
            • API String ID: 3613110473-515423128
            • Opcode ID: 221fc6a94ca4ce4b218a23c2b597a50e9565eec093b241882b1ece332013d234
            • Instruction ID: 4460fd5bd5f69e5ed734b71d6ce93261dd30ef9d01985be890cdb54a370dc2ec
            • Opcode Fuzzy Hash: 221fc6a94ca4ce4b218a23c2b597a50e9565eec093b241882b1ece332013d234
            • Instruction Fuzzy Hash: 9A31B3B2D01229FFDF159E94EC45AAEB7A8EF00B10F10016AF91166281D77C9F10DBA0
            APIs
            • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,0070583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 00707215
            • LeaveCriticalSection.KERNEL32(00000000,00000000,00000002,00000000,?,?,?,0070583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 007072F4
            Strings
            • Failed to get unformatted string., xrefs: 00707285
            • Failed to get value as string for variable: %ls, xrefs: 007072E3
            • *****, xrefs: 007072B0, 007072BD
            • Failed to get variable: %ls, xrefs: 00707256
            • Failed to format value '%ls' of variable: %ls, xrefs: 007072BE
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeave
            • String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
            • API String ID: 3168844106-2873099529
            • Opcode ID: fc4cff5cdbfe196ff3f27dfb2b14024caaf4f90d6f05abcecf44e5f6e04d016e
            • Instruction ID: 57a0bdfe0339a6475065092d77cb60678adc5a0d05ec363ded05c22baee34981
            • Opcode Fuzzy Hash: fc4cff5cdbfe196ff3f27dfb2b14024caaf4f90d6f05abcecf44e5f6e04d016e
            • Instruction Fuzzy Hash: CB318D32D0462EFBCF269A50CC05BAE7BB5BF14724F104225F90466590D77DBA60EBD4
            APIs
            • InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,00000000,?,00000000,00000000,?,?,00000000,00000000,?,?,-00000004,00000000), ref: 00718C30
            • GetLastError.KERNEL32(?,?,?,00000001), ref: 00718C3A
            • SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 00718C9A
            Strings
            • Failed to allocate administrator SID., xrefs: 00718C16
            • cache.cpp, xrefs: 00718C5E
            • Failed to initialize ACL., xrefs: 00718C68
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: AttributesErrorFileInitializeLast
            • String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
            • API String ID: 669721577-1117388985
            • Opcode ID: b1440ecf90b7a02cc109d62a31399bd8b62127056d0c2d5c74a21a886c44825e
            • Instruction ID: 188391aba9805c1eeb052660bc9d6abc6aabbdabf5d4c75835f05ae1dbf3d638
            • Opcode Fuzzy Hash: b1440ecf90b7a02cc109d62a31399bd8b62127056d0c2d5c74a21a886c44825e
            • Instruction Fuzzy Hash: D121F672A40318FBEB109E999C89FDBB7A8AB04711F10416AFD00F71C0EB789E4096E1
            APIs
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 007099B6
            • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 007099CE
            • GetLastError.KERNEL32 ref: 007099D9
            Strings
            • Failed to set variable., xrefs: 00709A4E
            • Failed while searching directory search: %ls, for path: %ls, xrefs: 00709A16
            • Failed to format variable string., xrefs: 007099C1
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: AttributesErrorFileLastOpen@16
            • String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
            • API String ID: 1811509786-402580132
            • Opcode ID: 0d685c4cbe3e83335b2abf40859d35ba8a316cfd938860f08e4c95b97a87d547
            • Instruction ID: 2ffbb65adc1ae57e2d7997cd5032e5b6c89d26166255cba8d615b40de7c0ecf2
            • Opcode Fuzzy Hash: 0d685c4cbe3e83335b2abf40859d35ba8a316cfd938860f08e4c95b97a87d547
            • Instruction Fuzzy Hash: DA21F972E50228F7CB119AB4CC05AADB7A5EF55320F20C31AFA00B21D1E7786E50DAD1
            APIs
            Strings
            • Unexpected call to CabWrite()., xrefs: 00720923
            • cabextract.cpp, xrefs: 0072098D
            • Failed to write during cabinet extraction., xrefs: 00720997
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorFileLastWrite_memcpy_s
            • String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
            • API String ID: 1970631241-3111339858
            • Opcode ID: 5bb3f0dd9028edb52c40be1523bb3dc9cc974ec56d712c3b8b1808ac76afcc22
            • Instruction ID: 972a3f715dd6444d4a2e463beb953a8b434757a5737e62f2a77e50cd2d4be831
            • Opcode Fuzzy Hash: 5bb3f0dd9028edb52c40be1523bb3dc9cc974ec56d712c3b8b1808ac76afcc22
            • Instruction Fuzzy Hash: 1121CFB6200204EFEB00DF6CDD84EAA37E9FF88310B114159FE09C7256D779EA008B64
            APIs
            • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00720A25
            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00720A37
            • SetFileTime.KERNEL32(?,?,?,?), ref: 00720A4A
            • CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00720616,?,?), ref: 00720A59
            Strings
            • Invalid operation for this state., xrefs: 007209FE
            • cabextract.cpp, xrefs: 007209F4
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Time$File$CloseDateHandleLocal
            • String ID: Invalid operation for this state.$cabextract.cpp
            • API String ID: 609741386-1751360545
            • Opcode ID: c3e1eebbc76972b80eee691b88d22184f462e3de327e8e7d1556ea7e547a8b41
            • Instruction ID: 0d304fd11eda09b53a98c7ef1ab2c35cdc4dfcb7b4c44f4e1a3c8d4b678f29a2
            • Opcode Fuzzy Hash: c3e1eebbc76972b80eee691b88d22184f462e3de327e8e7d1556ea7e547a8b41
            • Instruction Fuzzy Hash: 5E21C676800229BB8B109F68DC489EA7BBCFE04710B50821AF821D65D1D778DE11CBE0
            APIs
            • GetLastError.KERNEL32 ref: 0074884C
            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00748874
            • GetLastError.KERNEL32 ref: 0074887E
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLastTime$FileSystem
            • String ID: Qdt$feclient.dll$inetutil.cpp
            • API String ID: 1528435940-2690032620
            • Opcode ID: ba422749d74de6fa1355c89e1b53cb3cd24f81f7f5352f3c770a9bf40255d2a6
            • Instruction ID: b1e4c1945fd3ab0f5bb31f37ed45cd3f4a8b51b874f86cd3c95e28fd51de3814
            • Opcode Fuzzy Hash: ba422749d74de6fa1355c89e1b53cb3cd24f81f7f5352f3c770a9bf40255d2a6
            • Instruction Fuzzy Hash: B6118176A01229ABE7609AB98C44BABB7ECEF08340F114126AE05F7150E7789D0487E5
            APIs
            • ShellExecuteExW.SHELL32(?), ref: 00743B98
            • GetLastError.KERNEL32(?,?,00000000), ref: 00743BA2
            • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00743BD5
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseErrorExecuteHandleLastShell
            • String ID: <$PDu$shelutil.cpp
            • API String ID: 3023784893-2418939910
            • Opcode ID: 4da7ece89ddf428d0c9b388d4c47d8d78b8b7f44c7dd66b4d2e90fc06003aefd
            • Instruction ID: 0cb59c76a17aa8fcf1f5ef14c96236e34bfcad5171094480c2edf4adaeeefcb9
            • Opcode Fuzzy Hash: 4da7ece89ddf428d0c9b388d4c47d8d78b8b7f44c7dd66b4d2e90fc06003aefd
            • Instruction Fuzzy Hash: 4811EAB5E01218AFDB10DFA9D845A8E7BF8EF08750F10412AFD19E7350E7359A00CBA4
            APIs
            • SysFreeString.OLEAUT32(00000000), ref: 0070997F
            Strings
            • Condition, xrefs: 0070991A
            • Failed to select condition node., xrefs: 00709936
            • Failed to copy condition string from BSTR, xrefs: 00709969
            • Failed to get Condition inner text., xrefs: 0070994F
            • =Sp, xrefs: 00709908
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmpDownload File
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmpDownload File
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmpDownload File
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: FreeString
            • String ID: =Sp$Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.
            • API String ID: 3341692771-1868231490
            • Opcode ID: c5e748b4b5687fb0581954e20ec2aa2e1085df7fd331b1b5b3dc44633e8b2f65
            • Instruction ID: 5b233f8271cde479403f1d5bf500df941829b8ae10c7b689aa70c1a315e026ba
            • Opcode Fuzzy Hash: c5e748b4b5687fb0581954e20ec2aa2e1085df7fd331b1b5b3dc44633e8b2f65
            • Instruction Fuzzy Hash: 3D11A532D60228FBDB259B90CD49FADBBA8EF40720F10425DF900B6191DB7DAE00E790
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID:
            • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
            • API String ID: 0-1718035505
            • Opcode ID: b6b2da81041e728ef5efa65807793ac0da994762e5a0acd8e28148cf6f447c0a
            • Instruction ID: 246a4a802cfd55990da8ac9ed30fd7cc901941158c9f6daa5844c19346a69e6e
            • Opcode Fuzzy Hash: b6b2da81041e728ef5efa65807793ac0da994762e5a0acd8e28148cf6f447c0a
            • Instruction Fuzzy Hash: 1A0181B52412215B4F329E755C845A7A7889A82712320813BEA12C22D0D75DCCA596B4
            APIs
            • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00705D8F,00000000), ref: 007409CF
            • GetProcAddress.KERNEL32(00000000), ref: 007409D6
            • GetLastError.KERNEL32(?,?,?,00705D8F,00000000), ref: 007409ED
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: AddressErrorHandleLastModuleProc
            • String ID: IsWow64Process$kernel32$procutil.cpp
            • API String ID: 4275029093-1586155540
            • Opcode ID: 65aadc2074e6607b451954684e811dd1f5c9ab2e4ac6802b3823984b5e298e84
            • Instruction ID: 526b1fa3ee911bb91fa3dfa9a278df4244f3dd021f91d68e93d91f738d25fbc2
            • Opcode Fuzzy Hash: 65aadc2074e6607b451954684e811dd1f5c9ab2e4ac6802b3823984b5e298e84
            • Instruction Fuzzy Hash: 16F06875B00329EBD7209FA5DC0995BBA98EF05751B008115BD05E7250D77CCD00C7E4
            APIs
            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00733382,00733382,?,?,?,0073A2AA,00000001,00000001,E3E85006), ref: 0073A0B3
            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0073A2AA,00000001,00000001,E3E85006,?,?,?), ref: 0073A139
            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,E3E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0073A233
            • __freea.LIBCMT ref: 0073A240
              • Part of subcall function 00735154: HeapAlloc.KERNEL32(00000000,?,?,?,00731E90,?,0000015D,?,?,?,?,007332E9,000000FF,00000000,?,?), ref: 00735186
            • __freea.LIBCMT ref: 0073A249
            • __freea.LIBCMT ref: 0073A26E
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ByteCharMultiWide__freea$AllocHeap
            • String ID:
            • API String ID: 3147120248-0
            • Opcode ID: 56f47859484dbf86cf655263cd33f3b70dd2025501d7f6a93c07103dfc88f85a
            • Instruction ID: fc486ee5dd4a1b141613166fec33794767d7cfc196fa0e1af2a8b01ab8c2398b
            • Opcode Fuzzy Hash: 56f47859484dbf86cf655263cd33f3b70dd2025501d7f6a93c07103dfc88f85a
            • Instruction Fuzzy Hash: A651047260021ABFFB258F64CC86EBB77A9EB84750F144229FD44E6142EB7DDC40C652
            APIs
            • EnterCriticalSection.KERNEL32(?), ref: 0071F6D0
            • LeaveCriticalSection.KERNEL32(?,?), ref: 0071F81D
            Strings
            • Failed to recreate command-line for update bundle., xrefs: 0071F79C
            • Failed to set update bundle., xrefs: 0071F7F3
            • Failed to default local update source, xrefs: 0071F742
            • update\%ls, xrefs: 0071F72E
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeave
            • String ID: Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
            • API String ID: 3168844106-1266646976
            • Opcode ID: b64bb4bd12913755d3c3a99e2dffef8b46a0a13aced88fb6a279c3398d8829fd
            • Instruction ID: d7094cce2bcb6fe06404bb30fbd844596536a0bf11745963170db36dfe27dee1
            • Opcode Fuzzy Hash: b64bb4bd12913755d3c3a99e2dffef8b46a0a13aced88fb6a279c3398d8829fd
            • Instruction Fuzzy Hash: 62415A3194021AEFDF129FA8CC49EEAB7A5EF04310F418275F905A71E1D779ED909B90
            APIs
            • Sleep.KERNEL32(000007D0,00000000,00000000), ref: 00718B0F
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Sleep
            • String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
            • API String ID: 3472027048-398165853
            • Opcode ID: 269dc1015037925237f4bd1b2699327f9cd5e31f0fbe63eb640f5922ade92d9f
            • Instruction ID: c76d56860f407099bd442d15292516327de72eaa6df9117f73cdc9e387cc7bda
            • Opcode Fuzzy Hash: 269dc1015037925237f4bd1b2699327f9cd5e31f0fbe63eb640f5922ade92d9f
            • Instruction Fuzzy Hash: FF31E6F2A04218FBEB21AA688C4AFFFB66DDF00711F540129FD05E61C1DB7C9D8056A2
            APIs
            • DefWindowProcW.USER32(?,00000082,?,?), ref: 0071E734
            • SetWindowLongW.USER32(?,000000EB,00000000), ref: 0071E743
            • SetWindowLongW.USER32(?,000000EB,?), ref: 0071E757
            • DefWindowProcW.USER32(?,?,?,?), ref: 0071E767
            • GetWindowLongW.USER32(?,000000EB), ref: 0071E781
            • PostQuitMessage.USER32(00000000), ref: 0071E7DE
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Window$Long$Proc$MessagePostQuit
            • String ID:
            • API String ID: 3812958022-0
            • Opcode ID: 85c21876e470e0d6a15985fa4f1a6c939827a33a533979326270b5664f31e602
            • Instruction ID: 748c6ef601d384059a1b835504a4ebe2cd464443619f66a7f6fb355bb0922ff1
            • Opcode Fuzzy Hash: 85c21876e470e0d6a15985fa4f1a6c939827a33a533979326270b5664f31e602
            • Instruction Fuzzy Hash: D921AF36104118BFEB119FA8DC48EAA3BA9FF49750F148525FD06AA1E0C739DD90DB60
            APIs
            Strings
            • Unexpected elevated message sent to child process, msg: %u, xrefs: 0071C794
            • elevation.cpp, xrefs: 0071C788
            • Failed to save state., xrefs: 0071C661
            Similarity
            • API ID: CloseHandleMutexRelease
            • String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
            • API String ID: 4207627910-1576875097
            • Opcode ID: 1bf8c4d5aaa936a8df27a5f97045270144181571efe22e0f5a2971ba7edaec57
            • Instruction ID: 9797adb46f4014d7a6ada3752560df75718e14277328d14dbd9531a06191b4a0
            • Opcode Fuzzy Hash: 1bf8c4d5aaa936a8df27a5f97045270144181571efe22e0f5a2971ba7edaec57
            • Instruction Fuzzy Hash: 3D61283A140604FFCB225F98CD46C95BBB2FF08310711C558FAA95A6B2C776E960EF40
            APIs
            • RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 007410ED
            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,00716EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 00741126
            • lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 0074121A
            Strings
            Similarity
            • API ID: QueryValue$lstrlen
            • String ID: BundleUpgradeCode$regutil.cpp
            • API String ID: 3790715954-1648651458
            • Opcode ID: adbc47a551fb915d465063e80a60f0ff739154f444dfabf59b01d914f4469f63
            • Instruction ID: 4948501b0b8e64e614d9e9722fa347779798bb5c78c7a3a26adbc70cc22dc5f1
            • Opcode Fuzzy Hash: adbc47a551fb915d465063e80a60f0ff739154f444dfabf59b01d914f4469f63
            • Instruction Fuzzy Hash: A141B531B0021EEFDB25AFA5C884AAE77B9FF44710F914169ED05EB210D778DD418B90
            APIs
              • Part of subcall function 007447D3: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00718564,00000000,00000000,00000000,00000000,00000000), ref: 007447EB
              • Part of subcall function 007447D3: GetLastError.KERNEL32(?,?,?,00718564,00000000,00000000,00000000,00000000,00000000), ref: 007447F5
            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00745AC5,?,?,?,?,?,?,?,00010000,?), ref: 00746263
            • WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,00745AC5,?,?,?,?), ref: 007462B5
            • GetLastError.KERNEL32(?,00745AC5,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 007462FB
            • GetLastError.KERNEL32(?,00745AC5,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 00746321
            Strings
            Similarity
            • API ID: ErrorFileLast$Write$Pointer
            • String ID: dlutil.cpp
            • API String ID: 133221148-2067379296
            • Opcode ID: bed328873368685e816da84ed22a2405faff89c5026c2468d715f7c42d12eab3
            • Instruction ID: 974eead663bff1c565336b230842937f005976ce362bd1f2f2fedeb6f4f96851
            • Opcode Fuzzy Hash: bed328873368685e816da84ed22a2405faff89c5026c2468d715f7c42d12eab3
            • Instruction Fuzzy Hash: 29418D72A00219FFEB118EA4CD44BAA7BA8FF05351F144225FD04E60A0D779DD60DBA1
            APIs
            • WideCharToMultiByte.KERNEL32(00000000,00000000,0073FEE7,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0073FEE7,?,00000000,00000000), ref: 0070247C
            • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0073FEE7,?,00000000,00000000,0000FDE9), ref: 00702488
              • Part of subcall function 00703B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,007021DC,000001C7,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 00703B59
              • Part of subcall function 00703B51: HeapSize.KERNEL32(00000000,?,007021DC,000001C7,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 00703B60
            Strings
            Similarity
            • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
            • String ID: strutil.cpp
            • API String ID: 3662877508-3612885251
            • Opcode ID: 9180b8e1e814cfa7dde8371af933247f8e1168682fa7ededd28e563bc8cb600d
            • Instruction ID: 4c7395d6f8905484fa7e1c765df64600d3037ce78c51e8bc5e14deb85a3ac70d
            • Opcode Fuzzy Hash: 9180b8e1e814cfa7dde8371af933247f8e1168682fa7ededd28e563bc8cb600d
            • Instruction Fuzzy Hash: C631C672300259EFEB119E798CC8A7672DDEB44368B10832AFD15DB1E2E779CC518764
            Strings
            • Failed to extract all payloads from container: %ls, xrefs: 0072AB9C
            • Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 0072ABEF
            • Failed to extract payload: %ls from container: %ls, xrefs: 0072ABE3
            • Failed to open container: %ls., xrefs: 0072AB2A
            Similarity
            • API ID: CreateErrorFileLast
            • String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
            • API String ID: 1214770103-3891707333
            • Opcode ID: 481196f94e166a006e097f8e10b4af1c6a975d3fb36ea05de1af1fa5cbe02de6
            • Instruction ID: 6e203c8c0ce62399568c06d34f3e497bb1318bfda2c8ad92a841a7f1642f3bc4
            • Opcode Fuzzy Hash: 481196f94e166a006e097f8e10b4af1c6a975d3fb36ea05de1af1fa5cbe02de6
            • Instruction Fuzzy Hash: E531C5B2C00129FBCF129BE4DC46E8E7779AF04711F200225FE11A6191D779DA55DBA1
            APIs
            • MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,00744203,00000003,00000001,00000001,000007D0,00000003,00000000,?,00719E5F,00000000), ref: 007440ED
            • GetLastError.KERNEL32(00000001,?,00744203,00000003,00000001,00000001,000007D0,00000003,00000000,?,00719E5F,00000000,000007D0,00000001,00000001,00000003), ref: 007440FC
            • MoveFileExW.KERNEL32(00000003,00000001,000007D0,00000001,00000000,?,00744203,00000003,00000001,00000001,000007D0,00000003,00000000,?,00719E5F,00000000), ref: 0074417F
            • GetLastError.KERNEL32(?,00744203,00000003,00000001,00000001,000007D0,00000003,00000000,?,00719E5F,00000000,000007D0,00000001,00000001,00000003,000007D0), ref: 00744189
            Strings
            Similarity
            • API ID: ErrorFileLastMove
            • String ID: fileutil.cpp
            • API String ID: 55378915-2967768451
            • Opcode ID: 9281f96ce294c1bf0724f56b3c189bc853f2ee78612ebed57ceec898e27abeaf
            • Instruction ID: eb59e2e6bb02d4cc5c308f4b00d0ca617c884f2a8299886c3e37f65a3b5fb0c8
            • Opcode Fuzzy Hash: 9281f96ce294c1bf0724f56b3c189bc853f2ee78612ebed57ceec898e27abeaf
            • Instruction Fuzzy Hash: 0421D63660073E9BEB311E649C4177F76A9EF657A1F024127FD05A7190DB38CC91A2E1
            APIs
            • CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,007104CB,00000001,00000001,00000001,007104CB,00000000), ref: 0070EF70
            • RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,007104CB,00000001,00000001,00000001,007104CB,00000000,00000001,00000002,007104CB,00000001), ref: 0070EF87
            Strings
            • Failed to remove update registration key: %ls, xrefs: 0070EFB4
            • PackageVersion, xrefs: 0070EF51
            • Failed to format key for update registration., xrefs: 0070EF26
            Similarity
            • API ID: CloseCompareString
            • String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
            • API String ID: 446873843-3222553582
            • Opcode ID: db6567b35af40852ab0780c8fe0a12d1d3ec3dd4bd152a0ff7fa06124dd2b405
            • Instruction ID: b40d2760dbd85e2016d7c77b4e75fa61f587b49c4276f27fed43c8d32b3a89db
            • Opcode Fuzzy Hash: db6567b35af40852ab0780c8fe0a12d1d3ec3dd4bd152a0ff7fa06124dd2b405
            • Instruction Fuzzy Hash: ED21F632A05219FFCB119AA4CD45E9FBFF8EF00721F104679FA00A6190D738AE40D690
            APIs
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0070EE4A
              • Part of subcall function 00744038: SetFileAttributesW.KERNEL32(00728FFA,00000080,00000000,00728FFA,000000FF,00000000,?,?,00728FFA), ref: 00744067
              • Part of subcall function 00744038: GetLastError.KERNEL32(?,?,00728FFA), ref: 00744071
              • Part of subcall function 00703B6A: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,0070EE95,00000001,00000000,00000095,00000001,007104DA,00000095,00000000,swidtag,00000001), ref: 00703B87
            Strings
            • Failed to allocate regid folder path., xrefs: 0070EEB0
            • swidtag, xrefs: 0070EE59
            • Failed to allocate regid file path., xrefs: 0070EEA9
            • Failed to format tag folder path., xrefs: 0070EEB7
            Similarity
            • API ID: AttributesDirectoryErrorFileLastOpen@16Remove
            • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
            • API String ID: 1428973842-4170906717
            • Opcode ID: 7dd06482b9024b87b544250010d849f0e3e9da152fa05fc30148665a8e90054b
            • Instruction ID: dc02c8cf9b7ed9a7ab6bf41a867b8d476e8684b396098578759283be56ca8ffc
            • Opcode Fuzzy Hash: 7dd06482b9024b87b544250010d849f0e3e9da152fa05fc30148665a8e90054b
            • Instruction Fuzzy Hash: 7921AE32D0051CFBDB15EB99CC05A9EBBF5EF44310F1082A6F904AA2E2D7799E509B50
            APIs
              • Part of subcall function 00740E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00745699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00740E52
            • CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 00728BF7
            • RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,0070F66B,00000001,00000100,000001B4,00000000), ref: 00728C45
            Strings
            • Failed to open uninstall registry key., xrefs: 00728BBA
            • Failed to enumerate uninstall key for related bundles., xrefs: 00728C56
            • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00728B94
            Similarity
            • API ID: CloseCompareOpenString
            • String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
            • API String ID: 2817536665-2531018330
            • Opcode ID: 9ed8b6571e47c77d70833de41de2eb020c2119c395980db92ce586654956c845
            • Instruction ID: f56fe34e83e86d1d18e88e3213f8166b21b2950dffd417e3d3826262805e8995
            • Opcode Fuzzy Hash: 9ed8b6571e47c77d70833de41de2eb020c2119c395980db92ce586654956c845
            • Instruction Fuzzy Hash: 2E21EA7290212CFFDB156BA4DC49FEDBA79EB00321F144165F90076090CB7E4ED0E6A1
            APIs
            • CopyFileW.KERNEL32(00000000,00704CB6,00000000,?,?,00000000,?,00744012,00000000,00704CB6,00000000,00000000,?,007183E2,?,?), ref: 00743F1E
            • GetLastError.KERNEL32(?,00744012,00000000,00704CB6,00000000,00000000,?,007183E2,?,?,00000001,00000003,000007D0,?,?,?), ref: 00743F2C
            • CopyFileW.KERNEL32(00000000,00704CB6,00000000,00704CB6,00000000,?,00744012,00000000,00704CB6,00000000,00000000,?,007183E2,?,?,00000001), ref: 00743F92
            • GetLastError.KERNEL32(?,00744012,00000000,00704CB6,00000000,00000000,?,007183E2,?,?,00000001,00000003,000007D0,?,?,?), ref: 00743F9C
            Strings
            Similarity
            • API ID: CopyErrorFileLast
            • String ID: fileutil.cpp
            • API String ID: 374144340-2967768451
            • Opcode ID: 969545b811010126d7cc1792250028673f8f81c1cc4bdb6598532566a58a0764
            • Instruction ID: 990e1de825d4dbcad15e5a09036fb1beab96ad3675cf040da26f5991a64c0635
            • Opcode Fuzzy Hash: 969545b811010126d7cc1792250028673f8f81c1cc4bdb6598532566a58a0764
            • Instruction Fuzzy Hash: AC21083AE446369AEB201E654C48B7B76B8EF50BA0B124126FD1EDB150D72CCE0592E1
            APIs
              • Part of subcall function 007038D4: GetProcessHeap.KERNEL32(?,000001C7,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038E5
              • Part of subcall function 007038D4: RtlAllocateHeap.NTDLL(00000000,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038EC
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0072D0DC
            • ReleaseMutex.KERNEL32(?), ref: 0072D10A
            • SetEvent.KERNEL32(?), ref: 0072D113
            Strings
            Similarity
            • API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
            • String ID: Failed to allocate buffer.$NetFxChainer.cpp
            • API String ID: 944053411-3611226795
            • Opcode ID: 675f03431607a08b3ae4539ec7c761c39873c11e1a228ca08657ea1cdc6237ac
            • Instruction ID: 53e362c4e7501b6733510a8bef4f8b57ed4e0d30760c83cfc3f272b7c4332e8f
            • Opcode Fuzzy Hash: 675f03431607a08b3ae4539ec7c761c39873c11e1a228ca08657ea1cdc6237ac
            • Instruction Fuzzy Hash: 3D2191B4600319FFDB209F68D848A99B7F5FF48314F108669F924A7291C779ED50CB90
            APIs
            • CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,00000007,0070648B,0070648B,?,0070554A,?,?,00000000), ref: 007055F2
            • GetLastError.KERNEL32(?,0070554A,?,?,00000000,?,00000000,0070648B,?,00707DDC,?,?,?,?,?), ref: 00705621
            Strings
            Similarity
            • API ID: CompareErrorLastString
            • String ID: Failed to compare strings.$variable.cpp$version.dll
            • API String ID: 1733990998-4228644734
            • Opcode ID: 93dc61d5f8694a58d96a15b966672c7ac4cd7b198a9b51efe8d936d1ff9ac27c
            • Instruction ID: 2fb6e38fb623ece9b198d0f1ebe4a313f1ed025191dafd49692d0c2787cc1358
            • Opcode Fuzzy Hash: 93dc61d5f8694a58d96a15b966672c7ac4cd7b198a9b51efe8d936d1ff9ac27c
            • Instruction Fuzzy Hash: D221F332600614EBC7148FACCC44A6AB7E4EF49B60F650319F915EB2D0DB3ADE018AA0
            APIs
            • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,007268CE,00000000,?), ref: 007457D5
            • GetLastError.KERNEL32(?,?,007268CE,00000000,?,?,?,?,?,?,?,?,?,00726CE1,?,?), ref: 007457E3
              • Part of subcall function 007038D4: GetProcessHeap.KERNEL32(?,000001C7,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038E5
              • Part of subcall function 007038D4: RtlAllocateHeap.NTDLL(00000000,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038EC
            • QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,007268CE,00000000,?), ref: 0074581D
            • GetLastError.KERNEL32(?,?,007268CE,00000000,?,?,?,?,?,?,?,?,?,00726CE1,?,?), ref: 00745827
            Strings
            Similarity
            • API ID: ConfigErrorHeapLastQueryService$AllocateProcess
            • String ID: svcutil.cpp
            • API String ID: 355237494-1746323212
            • Opcode ID: 8913fd13d235662238bdb510b4e8edde61f6137ef5b83d45ef3fe4d4ccf1c710
            • Instruction ID: 7baf72b884c2382ca856e381f0cfc3756a5d450b4791d7d3f00587eaeb08ef3b
            • Opcode Fuzzy Hash: 8913fd13d235662238bdb510b4e8edde61f6137ef5b83d45ef3fe4d4ccf1c710
            • Instruction Fuzzy Hash: 67212736A40624FBE7209AAA8D08BAB7AECDF45790F114116FD05EB151DB39CD00D3F0
            APIs
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,0074B4F0,?,?,00713ED4,00000001,feclient.dll,?,00000000,?,?,?,00704A0C), ref: 00704148
            • GetLastError.KERNEL32(?,?,00713ED4,00000001,feclient.dll,?,00000000,?,?,?,00704A0C,?,?,0074B478,?,00000001), ref: 00704154
            • GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,00713ED4,00000001,feclient.dll,?,00000000,?,?,?,00704A0C,?), ref: 0070418F
            • GetLastError.KERNEL32(?,?,00713ED4,00000001,feclient.dll,?,00000000,?,?,?,00704A0C,?,?,0074B478,?,00000001), ref: 00704199
            Strings
            Similarity
            • API ID: CurrentDirectoryErrorLast
            • String ID: dirutil.cpp
            • API String ID: 152501406-2193988115
            • Opcode ID: 4968bf444a3b91a05667a35109533771e3b8215c302ab50a753c864ccbd2804c
            • Instruction ID: daaf2cb00ec9cdb43f7c508287979c96935025b6b3da0e2f405e2a4cc3a0b002
            • Opcode Fuzzy Hash: 4968bf444a3b91a05667a35109533771e3b8215c302ab50a753c864ccbd2804c
            • Instruction Fuzzy Hash: 6F119AB6A0072EEBE7319BA98C8466BB6ECDF15751B114336FE04E7190F768CC4086E4
            APIs
            Strings
            Similarity
            • API ID: _memcpy_s
            • String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
            • API String ID: 2001391462-1605196437
            • Opcode ID: d444020198d4616d6665d018a78fd699b2d2a4bfff08f1f2ad546679ef7935ad
            • Instruction ID: 404f7fe240cf1075a81978a1579f0ee13ec2b5712cdfe868c9776ef0afcacb49
            • Opcode Fuzzy Hash: d444020198d4616d6665d018a78fd699b2d2a4bfff08f1f2ad546679ef7935ad
            • Instruction Fuzzy Hash: 12112773690220FBDB252D78DC8AE9B3A94EB01720F041265FB046E2D3C7BECD1096E1
            APIs
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00709D25
            Strings
            • Failed to set variable., xrefs: 00709D84
            • File search: %ls, did not find path: %ls, xrefs: 00709D90
            • Failed get file version., xrefs: 00709D65
            • Failed to format path string., xrefs: 00709D30
            Similarity
            • API ID: Open@16
            • String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
            • API String ID: 3613110473-2458530209
            APIs
            • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,007151A4), ref: 007148CC
            Strings
            • pipe.cpp, xrefs: 00714904
            • Failed to write message type to pipe., xrefs: 0071490E
            • Failed to allocate message to write., xrefs: 007148AB
            Similarity
            • API ID: FileWrite
            • String ID: Failed to allocate message to write.$Failed to write message type to pipe.$pipe.cpp
            • API String ID: 3934441357-1996674626
            APIs
              • Part of subcall function 00745D7F: lstrlenW.KERNEL32(?), ref: 00745E3D
              • Part of subcall function 00745D7F: lstrlenW.KERNEL32(?), ref: 00745E55
              • Part of subcall function 007488BE: GetLastError.KERNEL32(?,?,Qdt,00745C11,feclient.dll,clbcatq.dll,0074B508,0074B4F0,HEAD,00000000,0074B4D8,Qdt,00000000,?,?,00000000), ref: 007488E8
            • GetSystemTimeAsFileTime.KERNEL32(0074B478,feclient.dll,0074B478,feclient.dll,clbcatq.dll,0074B508,0074B4F0,HEAD,00000000,0074B4D8,Qdt,00000000,?,?,00000000,00000000), ref: 00745C3D
            Strings
            Similarity
            • API ID: Timelstrlen$ErrorFileLastSystem
            • String ID: HEAD$Qdt$clbcatq.dll$feclient.dll
            • API String ID: 451455982-1094910895
            APIs
              • Part of subcall function 007038D4: GetProcessHeap.KERNEL32(?,000001C7,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038E5
              • Part of subcall function 007038D4: RtlAllocateHeap.NTDLL(00000000,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038EC
            • CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,00718C10,0000001A,00000000,?,00000000,00000000), ref: 0071804C
            • GetLastError.KERNEL32(?,?,00718C10,0000001A,00000000,?,00000000,00000000,?,?,00000000,00000000,?,?,-00000004,00000000), ref: 00718056
            Strings
            Similarity
            • API ID: Heap$AllocateCreateErrorKnownLastProcessWell
            • String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
            • API String ID: 2186923214-2110050797
            APIs
            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 0072DB95
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0072DBBF
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0072DD8F,00000000,?,?,?,00000001,00000000), ref: 0072DBC7
            Strings
            • Failed while waiting for download., xrefs: 0072DBF5
            • bitsengine.cpp, xrefs: 0072DBEB
            Similarity
            • API ID: ErrorLastMessageMultipleObjectsPeekWait
            • String ID: Failed while waiting for download.$bitsengine.cpp
            • API String ID: 435350009-228655868
            APIs
            • GetComputerNameW.KERNEL32(?,00000010), ref: 00705E39
            • GetLastError.KERNEL32 ref: 00705E43
            Strings
            Similarity
            • API ID: ComputerErrorLastName
            • String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
            • API String ID: 3560734967-484636765
            APIs
            • GetCurrentProcess.KERNEL32(?), ref: 00705D83
              • Part of subcall function 007409BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00705D8F,00000000), ref: 007409CF
              • Part of subcall function 007409BB: GetProcAddress.KERNEL32(00000000), ref: 007409D6
              • Part of subcall function 007409BB: GetLastError.KERNEL32(?,?,?,00705D8F,00000000), ref: 007409ED
              • Part of subcall function 00743BF7: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00743C24
            Strings
            • Failed to get 64-bit folder., xrefs: 00705DCD
            • Failed to set variant value., xrefs: 00705DE7
            • Failed to get shell folder., xrefs: 00705DB7
            • variable.cpp, xrefs: 00705DAD
            Similarity
            • API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
            • String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
            • API String ID: 2084161155-3906113122
            APIs
            • GetTempPathW.KERNEL32(00000104,?), ref: 0070667D
            • GetLastError.KERNEL32 ref: 00706687
            Strings
            Similarity
            • API ID: ErrorLastPathTemp
            • String ID: Failed to get temp path.$Failed to set variant value.$variable.cpp
            • API String ID: 1238063741-2915113195
            APIs
              • Part of subcall function 00744315: FindFirstFileW.KERNEL32(00728FFA,?,000002C0,00000000,00000000), ref: 00744350
              • Part of subcall function 00744315: FindClose.KERNEL32(00000000), ref: 0074435C
            • SetFileAttributesW.KERNEL32(00728FFA,00000080,00000000,00728FFA,000000FF,00000000,?,?,00728FFA), ref: 00744067
            • GetLastError.KERNEL32(?,?,00728FFA), ref: 00744071
            • DeleteFileW.KERNEL32(00728FFA,00000000,00728FFA,000000FF,00000000,?,?,00728FFA), ref: 00744090
            • GetLastError.KERNEL32(?,?,00728FFA), ref: 0074409A
            Strings
            Similarity
            • API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
            • String ID: fileutil.cpp
            • API String ID: 3967264933-2967768451
            APIs
            • EnterCriticalSection.KERNEL32(?), ref: 0072D7E1
            • LeaveCriticalSection.KERNEL32(?), ref: 0072D826
            • SetEvent.KERNEL32(?,?,?,?), ref: 0072D83A
            Strings
            • Failed to get state during job modification., xrefs: 0072D7FA
            • Failure while sending progress during BITS job modification., xrefs: 0072D815
            Similarity
            • API ID: CriticalSection$EnterEventLeave
            • String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
            • API String ID: 3094578987-1258544340
            APIs
            • EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,0072DBB5), ref: 0072DA59
            • LeaveCriticalSection.KERNEL32(00000008,?,0072DBB5), ref: 0072DA9E
            • SetEvent.KERNEL32(?,?,0072DBB5), ref: 0072DAB2
            Strings
            • Failed to get BITS job state., xrefs: 0072DA72
            • Failure while sending progress., xrefs: 0072DA8D
            Similarity
            • API ID: CriticalSection$EnterEventLeave
            • String ID: Failed to get BITS job state.$Failure while sending progress.
            • API String ID: 3094578987-2876445054
            APIs
            • InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,0072DD19,?,?,?,?,?,00000001,00000000,?), ref: 0072D5C9
            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,0072DD19,?,?,?,?,?,00000001,00000000,?), ref: 0072D5D4
            • GetLastError.KERNEL32(?,0072DD19,?,?,?,?,?,00000001,00000000,?), ref: 0072D5E1
            Strings
            • bitsengine.cpp, xrefs: 0072D605
            • Failed to create BITS job complete event., xrefs: 0072D60F
            Similarity
            • API ID: CreateCriticalErrorEventInitializeLastSection
            • String ID: Failed to create BITS job complete event.$bitsengine.cpp
            • API String ID: 3069647169-3441864216
            APIs
            • EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00716E4B,000000B8,00000000,?,00000000,75C0B390), ref: 0070D3AC
            • InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 0070D3BB
            • LeaveCriticalSection.KERNEL32(000000D0,?,00716E4B,000000B8,00000000,?,00000000,75C0B390), ref: 0070D3D0
            Strings
            • userexperience.cpp, xrefs: 0070D3E9
            • Engine active cannot be changed because it was already in that state., xrefs: 0070D3F3
            Similarity
            • API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
            • String ID: Engine active cannot be changed because it was already in that state.$userexperience.cpp
            • API String ID: 3376869089-1544469594
            APIs
            • GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 00741B53
            • GetLastError.KERNEL32(?,007048D4,00000001,?,?,0070444C,?,?,?,?,0070535E,?,?,?,?), ref: 00741B62
            Strings
            Similarity
            • API ID: AddressErrorLastProc
            • String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
            • API String ID: 199729137-398595594
            APIs
            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00734848,00000000,?,007347E8,00000000,00767CF8,0000000C,0073493F,00000000,00000002), ref: 007348B7
            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007348CA
            • FreeLibrary.KERNEL32(00000000,?,?,?,00734848,00000000,?,007347E8,00000000,00767CF8,0000000C,0073493F,00000000,00000002), ref: 007348ED
            Strings
            Similarity
            • API ID: AddressFreeHandleLibraryModuleProc
            • String ID: CorExitProcess$mscoree.dll
            • API String ID: 4061214504-1276376045
            APIs
            Strings
            Similarity
            • API ID: lstrlen
            • String ID: Qdt$dlutil.cpp
            • API String ID: 1659193697-743405868
            APIs
              • Part of subcall function 00740E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00745699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00740E52
            • RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 00749457
            • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 00749492
            • RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000), ref: 007494AE
            • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000), ref: 007494BB
            • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000), ref: 007494C8
              • Part of subcall function 00740B49: RegCloseKey.ADVAPI32(00000000), ref: 00740CA0
              • Part of subcall function 00740E9B: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00749444,00000001), ref: 00740EB3
            Similarity
            • API ID: Close$InfoOpenQuery
            • String ID:
            • API String ID: 796878624-0
            APIs
            • lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00708A9E,007095E7,?,007095E7,?,?,007095E7,?,?), ref: 007088FE
            • lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00708A9E,007095E7,?,007095E7,?,?,007095E7,?,?), ref: 00708906
            • CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,00708A9E,007095E7,?,007095E7,?), ref: 00708955
            • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00708A9E,007095E7,?,007095E7,?), ref: 007089B7
            • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00708A9E,007095E7,?,007095E7,?), ref: 007089E4
            Similarity
            • API ID: CompareString$lstrlen
            • String ID:
            • API String ID: 1657112622-0
            APIs
            • MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 00702202
            • GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 0070220E
              • Part of subcall function 00703B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,007021DC,000001C7,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 00703B59
              • Part of subcall function 00703B51: HeapSize.KERNEL32(00000000,?,007021DC,000001C7,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 00703B60
            Strings
            Similarity
            • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
            • String ID: strutil.cpp
            • API String ID: 3662877508-3612885251
            APIs
            • EnterCriticalSection.KERNEL32(007052B5,WixBundleOriginalSource,?,?,0071A41D,007053B5,WixBundleOriginalSource,=Sp,0076AA90,?,00000000,0070533D,?,00717587,?,?), ref: 0070739A
            • LeaveCriticalSection.KERNEL32(007052B5,007052B5,00000000,00000000,?,?,0071A41D,007053B5,WixBundleOriginalSource,=Sp,0076AA90,?,00000000,0070533D,?,00717587), ref: 00707401
            Strings
            • Failed to get value as string for variable: %ls, xrefs: 007073F0
            • WixBundleOriginalSource, xrefs: 00707396
            • Failed to get value of variable: %ls, xrefs: 007073D4
            Similarity
            • API ID: CriticalSection$EnterLeave
            • String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
            • API String ID: 3168844106-30613933
            APIs
            • CloseHandle.KERNEL32(?,00000000,?,00000000,?,0072CEEB,00000000), ref: 0072CF10
            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,0072CEEB,00000000), ref: 0072CF1C
            • CloseHandle.KERNEL32(0074B508,00000000,?,00000000,?,0072CEEB,00000000), ref: 0072CF29
            • CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,0072CEEB,00000000), ref: 0072CF36
            • UnmapViewOfFile.KERNEL32(0074B4D8,00000000,?,0072CEEB,00000000), ref: 0072CF45
            Similarity
            • API ID: CloseHandle$FileUnmapView
            • String ID:
            • API String ID: 260491571-0
            APIs
              • Part of subcall function 007038D4: GetProcessHeap.KERNEL32(?,000001C7,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038E5
              • Part of subcall function 007038D4: RtlAllocateHeap.NTDLL(00000000,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038EC
            • SysFreeString.OLEAUT32(00000000), ref: 00747B2C
            • SysFreeString.OLEAUT32(00000000), ref: 00747B37
            • SysFreeString.OLEAUT32(00000000), ref: 00747B42
            Strings
            Similarity
            • API ID: FreeString$Heap$AllocateProcess
            • String ID: atomutil.cpp
            • API String ID: 2724874077-4059165915
            APIs
            • SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 007486D8
            • GetLastError.KERNEL32 ref: 007486E2
            Strings
            Similarity
            • API ID: Time$ErrorFileLastSystem
            • String ID: clbcatq.dll$timeutil.cpp
            • API String ID: 2781989572-961924111
            APIs
            • VariantInit.OLEAUT32(000002C0), ref: 007435BE
            • SysAllocString.OLEAUT32(?), ref: 007435CE
            • VariantClear.OLEAUT32(?), ref: 007436AF
            Strings
            Similarity
            • API ID: Variant$AllocClearInitString
            • String ID: xmlutil.cpp
            • API String ID: 2213243845-1270936966
            APIs
            • RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00728BD8), ref: 00740D77
            • RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00728BD8,00000000), ref: 00740D99
            • RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,00728BD8,00000000,00000000,00000000), ref: 00740DF1
            Strings
            Similarity
            • API ID: Enum$InfoQuery
            • String ID: regutil.cpp
            • API String ID: 73471667-955085611
            APIs
              • Part of subcall function 007038D4: GetProcessHeap.KERNEL32(?,000001C7,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038E5
              • Part of subcall function 007038D4: RtlAllocateHeap.NTDLL(00000000,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038EC
            • SysFreeString.OLEAUT32(00000000), ref: 007479AA
            • SysFreeString.OLEAUT32(?), ref: 007479B5
            • SysFreeString.OLEAUT32(00000000), ref: 007479C0
            Strings
            Similarity
            • API ID: FreeString$Heap$AllocateProcess
            • String ID: atomutil.cpp
            • API String ID: 2724874077-4059165915
            APIs
              • Part of subcall function 00744315: FindFirstFileW.KERNEL32(00728FFA,?,000002C0,00000000,00000000), ref: 00744350
              • Part of subcall function 00744315: FindClose.KERNEL32(00000000), ref: 0074435C
            • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll), ref: 00744305
              • Part of subcall function 00740E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00745699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00740E52
              • Part of subcall function 007410C5: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 007410ED
              • Part of subcall function 007410C5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,00716EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 00741126
            Strings
            • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00744244
            • \, xrefs: 0074428E
            • PendingFileRenameOperations, xrefs: 00744270
            Similarity
            • API ID: CloseFindQueryValue$FileFirstOpen
            • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\
            • API String ID: 3397690329-2982801162
            APIs
              • Part of subcall function 00740E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00745699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00740E52
            • RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,00728C14,00000000,00000000), ref: 0072898C
            Strings
            • Failed to ensure there is space for related bundles., xrefs: 0072893F
            • Failed to open uninstall key for potential related bundle: %ls, xrefs: 007288FB
            • Failed to initialize package from related bundle id: %ls, xrefs: 00728972
            Similarity
            • API ID: CloseOpen
            • String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
            • API String ID: 47109696-1717420724
            APIs
            • GetProcessHeap.KERNEL32(00000010,00000000,80004005,00000000,00000000,00000100,?,00701472,00000000,80004005,00000000,80004005,00000000,000001C7,?,007013B7), ref: 00703AB2
            • HeapReAlloc.KERNEL32(00000000,?,00701472,00000000,80004005,00000000,80004005,00000000,000001C7,?,007013B7,000001C7,00000100,?,80004005,00000000), ref: 00703AB9
              • Part of subcall function 007038D4: GetProcessHeap.KERNEL32(?,000001C7,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038E5
              • Part of subcall function 007038D4: RtlAllocateHeap.NTDLL(00000000,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038EC
              • Part of subcall function 00703B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,007021DC,000001C7,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 00703B59
              • Part of subcall function 00703B51: HeapSize.KERNEL32(00000000,?,007021DC,000001C7,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 00703B60
            • _memcpy_s.LIBCMT ref: 00703B04
            Strings
            Similarity
            • API ID: Heap$Process$AllocAllocateSize_memcpy_s
            • String ID: memutil.cpp
            • API String ID: 3406509257-2429405624
            APIs
              • Part of subcall function 00740E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00745699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00740E52
            • RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00713E61,feclient.dll,?,00000000,?,?,?,00704A0C), ref: 007139F1
              • Part of subcall function 00740F6E: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00740FE4
              • Part of subcall function 00740F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0074101F
            Strings
            Similarity
            • API ID: QueryValue$CloseOpen
            • String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
            • API String ID: 1586453840-3596319545
            APIs
            • lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,?,0073FF0B,?,?,00000000,00000000,0000FDE9), ref: 0074066A
            • WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,?,?,0073FF0B,?,?,00000000,00000000,0000FDE9), ref: 007406A6
            • GetLastError.KERNEL32(?,?,0073FF0B,?,?,00000000,00000000,0000FDE9), ref: 007406B0
            Strings
            Similarity
            • API ID: ErrorFileLastWritelstrlen
            • String ID: logutil.cpp
            • API String ID: 606256338-3545173039
            APIs
            • CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00705137,00000000,?), ref: 00701247
            • GetLastError.KERNEL32(?,?,?,00705137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00701251
            Strings
            Similarity
            • API ID: ArgvCommandErrorLastLine
            • String ID: apputil.cpp$ignored
            • API String ID: 3459693003-568828354
            APIs
            • WaitForSingleObject.KERNEL32(?,000000FF,00000002,00000000,?,?,0072D1DC,00000000,00000000,00000000,?), ref: 0072CF66
            • ReleaseMutex.KERNEL32(?,?,0072D1DC,00000000,00000000,00000000,?), ref: 0072CFED
              • Part of subcall function 007038D4: GetProcessHeap.KERNEL32(?,000001C7,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038E5
              • Part of subcall function 007038D4: RtlAllocateHeap.NTDLL(00000000,?,00702284,000001C7,00000001,80004005,8007139F,?,?,0074015F,8007139F,?,00000000,00000000,8007139F), ref: 007038EC
            Strings
            • Failed to allocate memory for message data, xrefs: 0072CFB5
            • NetFxChainer.cpp, xrefs: 0072CFAB
            Similarity
            • API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
            • String ID: Failed to allocate memory for message data$NetFxChainer.cpp
            • API String ID: 2993511968-1624333943
            APIs
            • FormatMessageW.KERNEL32(000011FF,00705386,?,00000000,00000000,00000000,?,80070656,?,?,?,0071E50B,00000000,00705386,00000000,80070656), ref: 00701FAA
            • GetLastError.KERNEL32(?,?,?,0071E50B,00000000,00705386,00000000,80070656,?,?,00713F6B,00705386,?,80070656,00000001,0074B4F0), ref: 00701FB7
            • LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,0071E50B,00000000,00705386,00000000,80070656,?,?,00713F6B,00705386), ref: 00701FFE
            Strings
            Similarity
            • API ID: ErrorFormatFreeLastLocalMessage
            • String ID: strutil.cpp
            • API String ID: 1365068426-3612885251
            APIs
            Strings
            • EngineForApplication.cpp, xrefs: 0071FC84
            • Failed to allocate new BootstrapperEngineForApplication object., xrefs: 0071FC8E
            • Failed to QI for IBootstrapperEngine from BootstrapperEngineForApplication object., xrefs: 0071FCB0
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID:
            • String ID: EngineForApplication.cpp$Failed to QI for IBootstrapperEngine from BootstrapperEngineForApplication object.$Failed to allocate new BootstrapperEngineForApplication object.
            • API String ID: 0-1509993410
            • Opcode ID: 6a8a0d5de35030d0352c540e3e831945ac058c41e08436c5a12fe943429a20fe
            • Instruction ID: 8bff66660a1bc9f8b2013c03174f0532b14c7d5aa4e0aaaf98aa560568e024dd
            • Opcode Fuzzy Hash: 6a8a0d5de35030d0352c540e3e831945ac058c41e08436c5a12fe943429a20fe
            • Instruction Fuzzy Hash: 72F0D63624471AFB97112A28EC0ADEE7768DF45771710013AFD04AA2D0EB6C9951A1F6
            APIs
            • CreateFileW.KERNEL32(0074B4F0,40000000,00000001,00000000,00000002,00000080,00000000,00710328,00000000,?,0070F37F,?,00000080,0074B4F0,00000000), ref: 00744C7F
            • GetLastError.KERNEL32(?,0070F37F,?,00000080,0074B4F0,00000000,?,00710328,?,00000094,?,?,?,?,?,00000000), ref: 00744C8C
            • CloseHandle.KERNEL32(00000000,00000000,?,0070F37F,?,0070F37F,?,00000080,0074B4F0,00000000,?,00710328,?,00000094), ref: 00744CE0
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseCreateErrorFileHandleLast
            • String ID: fileutil.cpp
            • API String ID: 2528220319-2967768451
            • Opcode ID: 0dd5ef5aee14744b1f293b024fbbef63941cb4b9fcb3a60e3e9d26818f85a16d
            • Instruction ID: af994c1db268aef2c31a4e011f4780bd05f8d37e1d9e30357d441142318adfa4
            • Opcode Fuzzy Hash: 0dd5ef5aee14744b1f293b024fbbef63941cb4b9fcb3a60e3e9d26818f85a16d
            • Instruction Fuzzy Hash: C301D476701224A7EB315E699C45F5B3A98DB41BB0F154311FE24A71E0C739CC11A2B4
            APIs
            • CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,00728A30,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 00744874
            • GetLastError.KERNEL32(?,00728A30,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 00744881
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CreateErrorFileLast
            • String ID: fileutil.cpp
            • API String ID: 1214770103-2967768451
            • Opcode ID: f69be2966accf74c62cee1d44917ec99bfe3b428ea699d0765d2165612f67e4a
            • Instruction ID: dcf2a9c659da18c8834020c18670b2d0d1f449097b794bd4c39572ea292bcb13
            • Opcode Fuzzy Hash: f69be2966accf74c62cee1d44917ec99bfe3b428ea699d0765d2165612f67e4a
            • Instruction Fuzzy Hash: F701F436780320FAF73026A8AC09F7B269CDB41B62F014321FE15AB1E0C76D8D00A2E5
            APIs
            • ControlService.ADVAPI32(007268BA,00000001,?,00000001,00000000,?,?,?,?,?,?,007268BA,00000000), ref: 007269D0
            • GetLastError.KERNEL32(?,?,?,?,?,?,007268BA,00000000), ref: 007269DA
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ControlErrorLastService
            • String ID: Failed to stop wusa service.$msuengine.cpp
            • API String ID: 4114567744-2259829683
            • Opcode ID: e959701b3d471a5d4564f54041aa50737c5ae1593d291d24b311b8cc5a8d7f35
            • Instruction ID: 9fd8c4ea9b0e12b32bdfa6a4cfc4c4bb40c4e3cae0aed3925d613c2d829c263d
            • Opcode Fuzzy Hash: e959701b3d471a5d4564f54041aa50737c5ae1593d291d24b311b8cc5a8d7f35
            • Instruction Fuzzy Hash: 4901DB72B40328ABE720ABB5AC45AEB77E8DB48711F01413AFD05FB180EA789D0586D5
            APIs
            • PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 0071EA9A
            • GetLastError.KERNEL32 ref: 0071EAA4
            Strings
            • EngineForApplication.cpp, xrefs: 0071EAC8
            • Failed to post elevate message., xrefs: 0071EAD2
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLastMessagePostThread
            • String ID: EngineForApplication.cpp$Failed to post elevate message.
            • API String ID: 2609174426-4098423239
            • Opcode ID: 5dab63ba40572353eba05bbf531e5af548026903ed168093c357ec7b9291b200
            • Instruction ID: 038fa0981f1118077ba73ff2773e0e6551be2a51907953f3ee5bf3f9ec37950e
            • Opcode Fuzzy Hash: 5dab63ba40572353eba05bbf531e5af548026903ed168093c357ec7b9291b200
            • Instruction Fuzzy Hash: 00F0C236700324ABD3205AAC9C09AA736D8FF04761F11822ABE18AA1D0D729CC4186D5
            APIs
            • GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 0070D7F6
            • FreeLibrary.KERNEL32(?,?,007047D1,00000000,?,?,00705386,?,?), ref: 0070D805
            • GetLastError.KERNEL32(?,007047D1,00000000,?,?,00705386,?,?), ref: 0070D80F
            Strings
            • BootstrapperApplicationDestroy, xrefs: 0070D7EE
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: AddressErrorFreeLastLibraryProc
            • String ID: BootstrapperApplicationDestroy
            • API String ID: 1144718084-3186005537
            • Opcode ID: af15fb60403215afd76c43bb48918bd81e863cd40c3a75d29a6bcc8767947c5f
            • Instruction ID: 3fbc52f5fac38168fdd3e1d0b7caad5c1b8ea000d94d91f313a8516656459649
            • Opcode Fuzzy Hash: af15fb60403215afd76c43bb48918bd81e863cd40c3a75d29a6bcc8767947c5f
            • Instruction Fuzzy Hash: B8F04936200700DFD7309FA6DC08A67B7E9BF81362B01C62EE566C25A0D739EC00CB64
            APIs
            • CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,^Sp,?,00000000,0070535E,?,?,?), ref: 00743C7F
            • CoCreateInstance.OLE32(00000000,00000000,00000001,00766F3C,?), ref: 00743C97
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CreateFromInstanceProg
            • String ID: Microsoft.Update.AutoUpdate$^Sp
            • API String ID: 2151042543-5779574
            • Opcode ID: 2fc79f5f8511a69bf1f0c67cf96dc924bdf5a526931317b1c7108629a372fc7a
            • Instruction ID: 15aed907ff788548baaea81efcb904b8a3b36efb948fbb71d316bc0e09b0b72b
            • Opcode Fuzzy Hash: 2fc79f5f8511a69bf1f0c67cf96dc924bdf5a526931317b1c7108629a372fc7a
            • Instruction Fuzzy Hash: 3EF054B5600218BBDB10DFA9DD45DFFB7B8DB09710F414066ED01F7150D774AE0486A6
            APIs
            • PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 0071F09B
            • GetLastError.KERNEL32 ref: 0071F0A5
            Strings
            • EngineForApplication.cpp, xrefs: 0071F0C9
            • Failed to post plan message., xrefs: 0071F0D3
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLastMessagePostThread
            • String ID: EngineForApplication.cpp$Failed to post plan message.
            • API String ID: 2609174426-2952114608
            • Opcode ID: c95a23ee6d0253995c7e9250cfd0d1ec1a93a8fd800708ed18c2cb8d02a70b54
            • Instruction ID: a5b96d9f3a36fab5f1421651c2b35806d073f8c56fb0b3ecec6e3c8c59189343
            • Opcode Fuzzy Hash: c95a23ee6d0253995c7e9250cfd0d1ec1a93a8fd800708ed18c2cb8d02a70b54
            • Instruction Fuzzy Hash: BEF0A736740334BAE7206AAA5C09E877BD8EF08BA1F018126FE0CE6091D669CC4085E5
            APIs
            • PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 0071F1A9
            • GetLastError.KERNEL32 ref: 0071F1B3
            Strings
            • Failed to post shutdown message., xrefs: 0071F1E1
            • EngineForApplication.cpp, xrefs: 0071F1D7
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLastMessagePostThread
            • String ID: EngineForApplication.cpp$Failed to post shutdown message.
            • API String ID: 2609174426-188808143
            • Opcode ID: de7ff1bbe30c55ee216ea54fbf20524afd29977b2f438f957927cfbdaf00d01d
            • Instruction ID: dece2d65d1660ab545c1f3237f766813f1bb6ec76a91ecb1dfb14e1e55cabd41
            • Opcode Fuzzy Hash: de7ff1bbe30c55ee216ea54fbf20524afd29977b2f438f957927cfbdaf00d01d
            • Instruction Fuzzy Hash: 30F0A736740334BBE7206AAA9C09E877AD8EF04B61F024126FE08E6091D669CD0096E5
            APIs
            • SetEvent.KERNEL32(0074B468,00000000,?,0072145A,?,00000000,?,0070C121,?,007052FD,?,007173B2,?,?,007052FD,?), ref: 00720524
            • GetLastError.KERNEL32(?,0072145A,?,00000000,?,0070C121,?,007052FD,?,007173B2,?,?,007052FD,?,0070533D,00000001), ref: 0072052E
            Strings
            • cabextract.cpp, xrefs: 00720552
            • Failed to set begin operation event., xrefs: 0072055C
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorEventLast
            • String ID: Failed to set begin operation event.$cabextract.cpp
            • API String ID: 3848097054-4159625223
            • Opcode ID: bcfead91601be4012134f34425c9a026aa215c15cda19f3226cdbc07c982a43e
            • Instruction ID: 3a758cdc8c7fdc0d5725be065703e992a1889d57731337c4889337cbabef173c
            • Opcode Fuzzy Hash: bcfead91601be4012134f34425c9a026aa215c15cda19f3226cdbc07c982a43e
            • Instruction Fuzzy Hash: D7F02073A00730ABA72066BA7C09ECB36D8DF087A1B01023AFD08E7050E66C9D0082E9
            APIs
            • PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 0071E98D
            • GetLastError.KERNEL32 ref: 0071E997
            Strings
            • EngineForApplication.cpp, xrefs: 0071E9BB
            • Failed to post apply message., xrefs: 0071E9C5
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLastMessagePostThread
            • String ID: EngineForApplication.cpp$Failed to post apply message.
            • API String ID: 2609174426-1304321051
            • Opcode ID: 3c2e6b2b322e4fd85b5e67189ecaea218f1766b51cef6f5353997cc74cea2177
            • Instruction ID: ffad93375603de2b9f376de6c5e0b8e4be486182e3a66cfee77836506cbcbeb3
            • Opcode Fuzzy Hash: 3c2e6b2b322e4fd85b5e67189ecaea218f1766b51cef6f5353997cc74cea2177
            • Instruction Fuzzy Hash: F5F0A736740334AAE7202AA99C09E877BD8EF04BA1F024126BE08EA091D769CC0096E5
            APIs
            • PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 0071EA1E
            • GetLastError.KERNEL32 ref: 0071EA28
            Strings
            • EngineForApplication.cpp, xrefs: 0071EA4C
            • Failed to post detect message., xrefs: 0071EA56
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLastMessagePostThread
            • String ID: EngineForApplication.cpp$Failed to post detect message.
            • API String ID: 2609174426-598219917
            • Opcode ID: 7caf110fd2f7ac211832571b516fc50c68e3cc135ca0304458fa3b3d369fb13b
            • Instruction ID: ebc6400f04bff9f6a2c7e5c632e986b1f42ec5e967c8be7a38ba59a537f0bc7a
            • Opcode Fuzzy Hash: 7caf110fd2f7ac211832571b516fc50c68e3cc135ca0304458fa3b3d369fb13b
            • Instruction Fuzzy Hash: 13F0A736740334ABE7206AA99C09F977AD8EF09BA1F014126FE08E6090D669CD00C6E5
            APIs
            • MultiByteToWideChar.KERNEL32(?,00000000,?,0073234D,00000000,00000000,00733382,?,00733382,?,00000001,0073234D,?,00000001,00733382,00733382), ref: 007390F7
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00739180
            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00739192
            • __freea.LIBCMT ref: 0073919B
              • Part of subcall function 00735154: HeapAlloc.KERNEL32(00000000,?,?,?,00731E90,?,0000015D,?,?,?,?,007332E9,000000FF,00000000,?,?), ref: 00735186
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ByteCharMultiWide$AllocHeapStringType__freea
            • String ID:
            • API String ID: 573072132-0
            • Opcode ID: 07d25edf91dff46b47a31d34e6e3cd6a4de5384018f408b9a5bedaa32b9421c2
            • Instruction ID: 5e56ee03943841c4de8490d54a417bb9d30dca32d276bcce5d23e9f06b6a72b2
            • Opcode Fuzzy Hash: 07d25edf91dff46b47a31d34e6e3cd6a4de5384018f408b9a5bedaa32b9421c2
            • Instruction Fuzzy Hash: 7131EF72A0021AABEF248F65CC89DAF7BA5EB01710F044129FD04E7252E779DD54CBA0
            APIs
            • CloseHandle.KERNEL32(?,?,?,00000000,?,0070545F,?,?,?,?,?,?), ref: 00704EF6
            • DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,0070545F,?,?,?,?,?,?), ref: 00704F0A
            • TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0070545F,?,?), ref: 00704FF9
            • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0070545F,?,?), ref: 00705000
              • Part of subcall function 00701160: LocalFree.KERNEL32(?,?,00704EB3,?,00000000,?,0070545F,?,?,?,?,?,?), ref: 0070116A
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CriticalDeleteFreeSection$CloseHandleLocal
            • String ID:
            • API String ID: 3671900028-0
            • Opcode ID: 1c7a21ded5c2b058bf67114082440a3ab3f22caea5393fc65877987d1dbae66a
            • Instruction ID: 38ce045ce48e43850b2a35f1fd194352b498f4db2b9a10dbab417a93b77ed06c
            • Opcode Fuzzy Hash: 1c7a21ded5c2b058bf67114082440a3ab3f22caea5393fc65877987d1dbae66a
            • Instruction Fuzzy Hash: 7541A6B1500B45EBCA20EBB5C88DF9B73ECAF04341F444A29B69AD7092DB3CF5448724
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorLast
            • String ID: Hhv$dlutil.cpp
            • API String ID: 1452528299-2452266340
            • Opcode ID: 475b16b540b2b9afe578f4df0b23e47fb40b90fcf8bd78c051373e217fd459df
            • Instruction ID: 9a8bf1db862995a63bb0fc22d1f887d76aa9d53c0fdbb96bd37cbd7245e9192f
            • Opcode Fuzzy Hash: 475b16b540b2b9afe578f4df0b23e47fb40b90fcf8bd78c051373e217fd459df
            • Instruction Fuzzy Hash: 0531E872900315FBEB219EA98C44F6B76ECEF41750B114129FD05E7160E739CD0096B2
            APIs
            • SysAllocString.OLEAUT32(?), ref: 0074312C
            • VariantInit.OLEAUT32(?), ref: 00743138
            • VariantClear.OLEAUT32(?), ref: 007431AC
            • SysFreeString.OLEAUT32(00000000), ref: 007431B7
              • Part of subcall function 0074336E: SysAllocString.OLEAUT32(?), ref: 00743383
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: String$AllocVariant$ClearFreeInit
            • String ID:
            • API String ID: 347726874-0
            • Opcode ID: db60c81dfd46a564aada26f65949f2090917a29d27a3c44688d81eb0ce7dddc1
            • Instruction ID: 20e7b49b5548bf11beb08fa7dbf93576119eea960586965ae4c95f6bd87bd793
            • Opcode Fuzzy Hash: db60c81dfd46a564aada26f65949f2090917a29d27a3c44688d81eb0ce7dddc1
            • Instruction Fuzzy Hash: 2C217C35901619EFCB28DFA5C888EAEBBB8EF45711F00415CE8059B220DB34DE04CBA0
            APIs
              • Part of subcall function 0070F7F7: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,00704B9F,?,?,00000001), ref: 0070F847
            • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 00704C06
              • Part of subcall function 0074082D: CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 0074089A
              • Part of subcall function 0074082D: GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 007408A4
              • Part of subcall function 0074082D: CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 007408ED
              • Part of subcall function 0074082D: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 007408FA
            Strings
            • Failed to get current process path., xrefs: 00704BC4
            • Failed to re-launch bundle process after RunOnce: %ls, xrefs: 00704BF0
            • Unable to get resume command line from the registry, xrefs: 00704BA5
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Close$Handle$CreateErrorLastProcess
            • String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
            • API String ID: 1572399834-642631345
            • Opcode ID: e8b8547911fd321eac214f0b8a213094a09b6339980ae1afbf36a580a38f96f6
            • Instruction ID: 6a188f1921ebfc5bf25f90d1d4b4707782cc721d12953d13cb40946c84676060
            • Opcode Fuzzy Hash: e8b8547911fd321eac214f0b8a213094a09b6339980ae1afbf36a580a38f96f6
            • Instruction Fuzzy Hash: D41142B5D01518FBCF22AB98DD058AEFBF8EF44710B1042A6EA04B6251D7798E50AB91
            APIs
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007388D5,00000000,00000000,?,007386D8,007388D5,00000000,00000000,00000000,?,007388D5,00000006,FlsSetValue), ref: 00738763
            • GetLastError.KERNEL32(?,007386D8,007388D5,00000000,00000000,00000000,?,007388D5,00000006,FlsSetValue,00762208,00762210,00000000,00000364,?,00736130), ref: 0073876F
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,007386D8,007388D5,00000000,00000000,00000000,?,007388D5,00000006,FlsSetValue,00762208,00762210,00000000), ref: 0073877D
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: LibraryLoad$ErrorLast
            • String ID:
            • API String ID: 3177248105-0
            • Opcode ID: dc4972fd30638e06494be067232a28b5dadcf68cbdbb0da25f866c73925304e5
            • Instruction ID: 28bc3210207a12f3ce0752dfc9a900815702e731c51e9920b076e2456128baed
            • Opcode Fuzzy Hash: dc4972fd30638e06494be067232a28b5dadcf68cbdbb0da25f866c73925304e5
            • Instruction Fuzzy Hash: D801F73A2113269BE7714AF99C48A673759AF05BE1F344621F906D7241DF3CDC01C6E5
            APIs
            • GetLastError.KERNEL32(?,00000000,007319F5,00000000,80004004,?,00731CF9,00000000,80004004,00000000,00000000), ref: 00736062
            • SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 007360CA
            • SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 007360D6
            • _abort.LIBCMT ref: 007360DC
            Similarity
            • API ID: ErrorLast$_abort
            • String ID:
            • API String ID: 88804580-0
            APIs
            • EnterCriticalSection.KERNEL32(?), ref: 00707318
            • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 0070737F
            Strings
            • Failed to get value as numeric for variable: %ls, xrefs: 0070736E
            • Failed to get value of variable: %ls, xrefs: 00707352
            Similarity
            • API ID: CriticalSection$EnterLeave
            • String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
            • API String ID: 3168844106-4270472870
            APIs
            • EnterCriticalSection.KERNEL32(?), ref: 0070748D
            • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 007074F4
            Strings
            • Failed to get value as version for variable: %ls, xrefs: 007074E3
            • Failed to get value of variable: %ls, xrefs: 007074C7
            Similarity
            • API ID: CriticalSection$EnterLeave
            • String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
            • API String ID: 3168844106-1851729331
            APIs
            • EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,00709752,00000000,?,00000000,00000000,00000000,?,00709590,00000000,?,00000000,00000000), ref: 0070741C
            • LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,00709752,00000000,?,00000000,00000000,00000000,?,00709590,00000000,?,00000000), ref: 00707472
            Strings
            • Failed to copy value of variable: %ls, xrefs: 00707461
            • Failed to get value of variable: %ls, xrefs: 00707442
            Similarity
            • API ID: CriticalSection$EnterLeave
            • String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
            • API String ID: 3168844106-2936390398
            APIs
            • GetLastError.KERNEL32(?,?,Qdt,00745C11,feclient.dll,clbcatq.dll,0074B508,0074B4F0,HEAD,00000000,0074B4D8,Qdt,00000000,?,?,00000000), ref: 007488E8
            Similarity
            • API ID: ErrorLast
            • String ID: Qdt$feclient.dll$inetutil.cpp
            • API String ID: 1452528299-2690032620
            APIs
            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00731246
            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0073124B
            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00731250
              • Part of subcall function 00731548: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00731559
            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00731265
            Similarity
            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
            • String ID:
            • API String ID: 1761009282-0
            APIs
              • Part of subcall function 00740E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00745699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00740E52
            • RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 007447C2
            Similarity
            • API ID: CloseOpen
            • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
            • API String ID: 47109696-3023217399
            APIs
            • RegCloseKey.ADVAPI32(00000000), ref: 00740CA0
              • Part of subcall function 00740E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00745699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00740E52
            Similarity
            • API ID: CloseOpen
            • String ID: regutil.cpp
            • API String ID: 47109696-955085611
            APIs
            • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00740FE4
            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0074101F
            Similarity
            • API ID: QueryValue
            • String ID: regutil.cpp
            • API String ID: 3660427363-955085611
            APIs
            • WideCharToMultiByte.KERNEL32(0074B508,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 007366A3
            • GetLastError.KERNEL32 ref: 007366BF
            Similarity
            • API ID: ByteCharErrorLastMultiWide
            • String ID: comres.dll
            • API String ID: 203985260-246242247
            APIs
              • Part of subcall function 00748CFB: lstrlenW.KERNEL32(00000100,?,?,00749098,000002C0,00000100,00000100,00000100,?,?,?,00727B40,?,?,000001BC,00000000), ref: 00748D1B
            • RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,0074B4F0,wininet.dll,?), ref: 00748F07
            • RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,0074B4F0,wininet.dll,?), ref: 00748F14
              • Part of subcall function 00740E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00745699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00740E52
              • Part of subcall function 00740D1C: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00728BD8), ref: 00740D77
              • Part of subcall function 00740D1C: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00728BD8,00000000), ref: 00740D99
            Similarity
            • API ID: Close$EnumInfoOpenQuerylstrlen
            • String ID: wininet.dll
            • API String ID: 2680864210-3354682871
            APIs
              • Part of subcall function 00748CFB: lstrlenW.KERNEL32(00000100,?,?,00749098,000002C0,00000100,00000100,00000100,?,?,?,00727B40,?,?,000001BC,00000000), ref: 00748D1B
            • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000), ref: 00749305
            • RegCloseKey.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0074931F
              • Part of subcall function 00740AD5: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,00710491,?,00000000,00020006), ref: 00740AFA
              • Part of subcall function 00741392: RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0070F1C2,00000000,?,00020006), ref: 007413C5
              • Part of subcall function 00741392: RegDeleteValueW.ADVAPI32(00020006,00020006,00000000,?,?,0070F1C2,00000000,?,00020006,?,00020006,00020006,00000000,?,?,?), ref: 007413F5
              • Part of subcall function 00741344: RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,0070F11A,00000005,Resume,?,?,?,00000002,00000000), ref: 00741359
            Similarity
            • API ID: Value$Close$CreateDeletelstrlen
            • String ID: %ls\%ls
            • API String ID: 3924016894-2125769799
            APIs
            • RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0070F1C2,00000000,?,00020006), ref: 007413C5
            • RegDeleteValueW.ADVAPI32(00020006,00020006,00000000,?,?,0070F1C2,00000000,?,00020006,?,00020006,00020006,00000000,?,?,?), ref: 007413F5
            Similarity
            • API ID: Value$Delete
            • String ID: regutil.cpp
            • API String ID: 1738766685-955085611
            APIs
            • CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,0072744B,00000000,IGNOREDEPENDENCIES,00000000,?,0074B508), ref: 0070DCF6
            Strings
            • IGNOREDEPENDENCIES, xrefs: 0070DCAD
            • Failed to copy the property value., xrefs: 0070DD2A
            Similarity
            • API ID: CompareString
            • String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
            • API String ID: 1825529933-1412343224
            APIs
            • Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,00718C90,?,00000001,20000004,00000000,00000000,?,00000000), ref: 00745527
            • SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00718C90,?), ref: 00745542
            Similarity
            • API ID: InfoNamedSecuritySleep
            • String ID: aclutil.cpp
            • API String ID: 2352087905-2159165307
            APIs
            • CoInitializeEx.OLE32(00000000,00000000), ref: 007155D9
            • CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 00715633
            Strings
            • Failed to initialize COM on cache thread., xrefs: 007155E5
            Similarity
            • API ID: InitializeUninitialize
            • String ID: Failed to initialize COM on cache thread.
            • API String ID: 3442037557-3629645316
            APIs
            • LCMapStringW.KERNEL32(0000007F,00000000,00000000,00716EF3,00000000,00716EF3,00000000,00000000,00716EF3,00000000,00000000,00000000,?,00702326,00000000,00000000), ref: 007015A3
            • GetLastError.KERNEL32(?,00702326,00000000,00000000,00716EF3,00000200,?,0074516B,00000000,00716EF3,00000000,00716EF3,00000000,00000000,00000000), ref: 007015AD
            Similarity
            • API ID: ErrorLastString
            • String ID: strutil.cpp
            • API String ID: 3728238275-3612885251
            APIs
            • SysAllocString.OLEAUT32(00000000), ref: 00743849
            • SysFreeString.OLEAUT32(00000000), ref: 0074387C
            Similarity
            • API ID: String$AllocFree
            • String ID: xmlutil.cpp
            • API String ID: 344208780-1270936966
            APIs
            • SysAllocString.OLEAUT32(00000000), ref: 007438D0
            • SysFreeString.OLEAUT32(00000000), ref: 00743903
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: String$AllocFree
            • String ID: xmlutil.cpp
            • API String ID: 344208780-1270936966
            • Opcode ID: 64d532dc1bac2d8d0d5f878a71b0287df6cd4c03cf3f0fe9805c529152669e7a
            • Instruction ID: fd740805d47c83cce5b777e173d4c94f3da77fdfbc3455b04004bc2ab682496e
            • Opcode Fuzzy Hash: 64d532dc1bac2d8d0d5f878a71b0287df6cd4c03cf3f0fe9805c529152669e7a
            • Instruction Fuzzy Hash: 0E01A275A40215FBDB205A588C09F7B76ECEF45760F104025FD09AB240C7BCCE0057A1
            APIs
              • Part of subcall function 00740E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00745699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00740E52
            • RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,0074396A,?), ref: 00743B3A
            Strings
            • EnableLUA, xrefs: 00743B0C
            • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00743AE4
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseOpen
            • String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
            • API String ID: 47109696-3551287084
            • Opcode ID: 1f015873e1ad96e18dff1ebcd9c097a25f009f28a8fcbcbced7b8ddda3226d3f
            • Instruction ID: 25ccde67b42ca8ceb1377694031136c66aa5c4077d8f1a9977a0a2e798322f6e
            • Opcode Fuzzy Hash: 1f015873e1ad96e18dff1ebcd9c097a25f009f28a8fcbcbced7b8ddda3226d3f
            • Instruction Fuzzy Hash: 550178B2810238EBDB10AAA4C80ABEEFAACEB04721F204169A905A7111D37C5E50E6D4
            APIs
            • SysFreeString.OLEAUT32(?), ref: 007467B3
              • Part of subcall function 007485CB: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 007486D8
              • Part of subcall function 007485CB: GetLastError.KERNEL32 ref: 007486E2
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Time$ErrorFileFreeLastStringSystem
            • String ID: atomutil.cpp$clbcatq.dll
            • API String ID: 211557998-3749116663
            • Opcode ID: fd50b80d5ccb0c87cb658b3aa82a0dfa8d9f00bc7f7ad3a1481a5edf12a2a11e
            • Instruction ID: 37e64aba4d7e0583e084659e4448b624b524c9472869a25253aab0ee358bd439
            • Opcode Fuzzy Hash: fd50b80d5ccb0c87cb658b3aa82a0dfa8d9f00bc7f7ad3a1481a5edf12a2a11e
            • Instruction Fuzzy Hash: 4501D6B190011AFBDB219F959981C6EFBB8EF16764B50427AF90567100D3399E10D7E2
            APIs
            • GetCurrentProcess.KERNEL32(?), ref: 0070642A
              • Part of subcall function 007409BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00705D8F,00000000), ref: 007409CF
              • Part of subcall function 007409BB: GetProcAddress.KERNEL32(00000000), ref: 007409D6
              • Part of subcall function 007409BB: GetLastError.KERNEL32(?,?,?,00705D8F,00000000), ref: 007409ED
              • Part of subcall function 00705BF0: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00705C77
            Strings
            • Failed to get 64-bit folder., xrefs: 0070644D
            • Failed to set variant value., xrefs: 00706467
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
            • String ID: Failed to get 64-bit folder.$Failed to set variant value.
            • API String ID: 3109562764-2681622189
            • Opcode ID: 98835d6ca6d52c52db99aec5949047aee49127b0ef4d3bfacdf0837b98792993
            • Instruction ID: d6c39dd500d77521304ca48307002ba72b5e7c086811b1af08ab44ecd030d16c
            • Opcode Fuzzy Hash: 98835d6ca6d52c52db99aec5949047aee49127b0ef4d3bfacdf0837b98792993
            • Instruction Fuzzy Hash: D201627290126CFBCF11E7A4DC19AAE7AB8EB00721F108256F940B6192D779AF50D7D0
            APIs
            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,007010DD,?,00000000), ref: 007033F8
            • GetLastError.KERNEL32(?,?,?,007010DD,?,00000000), ref: 0070340F
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorFileLastModuleName
            • String ID: pathutil.cpp
            • API String ID: 2776309574-741606033
            • Opcode ID: 7c34c64c77a4926f441cca94be0ff93f9836675f162924d8eb152603a1815435
            • Instruction ID: da6e6339dd156c89adbe1deb7b78b7917e5bd5129fcbce2fe962087038e533d9
            • Opcode Fuzzy Hash: 7c34c64c77a4926f441cca94be0ff93f9836675f162924d8eb152603a1815435
            • Instruction Fuzzy Hash: A8F06273B40274EBD722566A9C88A97BADDDB867A0B124222BD05EF190D779CD0182E0
            APIs
              • Part of subcall function 00740E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00745699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00740E52
            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000,?,?,0072BB7C,00000101,?), ref: 007105EF
            Strings
            • Failed to update resume mode., xrefs: 007105D9
            • Failed to open registration key., xrefs: 007105BF
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: CloseOpen
            • String ID: Failed to open registration key.$Failed to update resume mode.
            • API String ID: 47109696-3366686031
            • Opcode ID: 4cf2e6a95ff804e86bc51667ec55dc74ec0a719baa38d939bc70afa2388929ff
            • Instruction ID: 80665b37c7ea43ac44ea6a91efac0c0cc3f64bc1ef8105c3a9e23fcf22b4d9cd
            • Opcode Fuzzy Hash: 4cf2e6a95ff804e86bc51667ec55dc74ec0a719baa38d939bc70afa2388929ff
            • Instruction Fuzzy Hash: 2BF0C832941228F7D7225A98DC06FDEB76AEB00761F100165FA00B6190DBF9AFA0A7D0
            APIs
            • GetFileSizeEx.KERNEL32(00000000,00000000,00000000,74DF34C0,?,?,?,0070B919,?,?,?,00000000,00000000), ref: 007448E3
            • GetLastError.KERNEL32(?,?,?,0070B919,?,?,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 007448ED
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: ErrorFileLastSize
            • String ID: fileutil.cpp
            • API String ID: 464720113-2967768451
            • Opcode ID: 5e5b25a78c54555d72524a28b1cac9a01c1203ef817db5964dd04de65a0412fd
            • Instruction ID: 831e0bbfdec391fc4cb4964ede8dca2fe7cad33f4e5ffca95430b625cc6892b5
            • Opcode Fuzzy Hash: 5e5b25a78c54555d72524a28b1cac9a01c1203ef817db5964dd04de65a0412fd
            • Instruction Fuzzy Hash: 3AF0A4B5A00225AFA7109F998804A5BFBECEF05751B01421AFC05D3200D374AD10D7E4
            APIs
            • SysAllocString.OLEAUT32(?), ref: 007430D4
            • SysFreeString.OLEAUT32(00000000), ref: 00743104
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: String$AllocFree
            • String ID: xmlutil.cpp
            • API String ID: 344208780-1270936966
            • Opcode ID: c3be2b3cf1b83127f51b56c8b08eba0fc98e9918b8e3cb983d5486029a9204e8
            • Instruction ID: 40c4c5a5a726e904bd42a7591cb6038afcd0a73ddd70c4a5d447ac5eeea39dca
            • Opcode Fuzzy Hash: c3be2b3cf1b83127f51b56c8b08eba0fc98e9918b8e3cb983d5486029a9204e8
            • Instruction Fuzzy Hash: D7F0BE35200A58E7CB219F049C09FAB7BB9EB85B60F248129FC096B210C77DCE109AA1
            APIs
            • SysAllocString.OLEAUT32(?), ref: 00743383
            • SysFreeString.OLEAUT32(00000000), ref: 007433B3
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: String$AllocFree
            • String ID: xmlutil.cpp
            • API String ID: 344208780-1270936966
            • Opcode ID: 8b2266abe507050dc98318aa71f58d0cf2c01239cc09c0c193d2fef0131aeb3b
            • Instruction ID: db399f4dee45083aeecc1fae8d02a318dfae0d784cd05a5cf1ddc13ba19df53c
            • Opcode Fuzzy Hash: 8b2266abe507050dc98318aa71f58d0cf2c01239cc09c0c193d2fef0131aeb3b
            • Instruction Fuzzy Hash: A5F0E23A200218E7C7221F099C08F6F3BA8EF85760F10411AFC099B211CB7CCE10DAE1
            APIs
            • RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,0070F11A,00000005,Resume,?,?,?,00000002,00000000), ref: 00741359
            Strings
            • regutil.cpp, xrefs: 00741381
            • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00741347
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: Value
            • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$regutil.cpp
            • API String ID: 3702945584-2416625845
            • Opcode ID: 1ef60df0642e0b430753b27d81133bf02adfa4fa5c232a589324fea50bcfa69f
            • Instruction ID: 6076b53cf2b1180300ea34459c1f49878d4bbefd60067596f5cbd0bde661744b
            • Opcode Fuzzy Hash: 1ef60df0642e0b430753b27d81133bf02adfa4fa5c232a589324fea50bcfa69f
            • Instruction Fuzzy Hash: 37E06DB2B40335BAE7206AA68C09F977EDCDB04AE0F414121BE09EA090D6658D0082E4
            APIs
            • GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00740CF2
            Strings
            Memory Dump Source
            • Source File: 00000001.00000002.1752958280.0000000000701000.00000020.00000001.01000000.00000008.sdmp, Offset: 00700000, based on PE: true
            • Associated: 00000001.00000002.1752943352.0000000000700000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1752987760.000000000074B000.00000002.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753008771.000000000076A000.00000004.00000001.01000000.00000008.sdmp
            • Associated: 00000001.00000002.1753023557.000000000076E000.00000002.00000001.01000000.00000008.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_1_2_700000_vc_redist.jbxd
            Similarity
            • API ID: AddressProc
            • String ID: AdvApi32.dll$RegDeleteKeyExW
            • API String ID: 190572456-850864035
            • Opcode ID: a50c7cb806eb9971cf796b8a6f9fb7948edfc3d15f550cd8f0b88541868d6098
            • Instruction ID: f23fae49984c8331516089eb1dc943660f30c3b2811b0da3549ddb8d29467e58
            • Opcode Fuzzy Hash: a50c7cb806eb9971cf796b8a6f9fb7948edfc3d15f550cd8f0b88541868d6098
            • Instruction Fuzzy Hash: EAE086F0705714DBCB045F34FC069053AA0A71AB15340C129EC03D2271DBFC98808B98
            APIs
              • Part of subcall function 00B333D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00B310DD,?,00000000), ref: 00B333F8
            • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 00B310F6
              • Part of subcall function 00B31174: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00B3111A,cabinet.dll,00000009,?,?,00000000), ref: 00B31185
              • Part of subcall function 00B31174: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,00B3111A,cabinet.dll,00000009,?,?,00000000), ref: 00B31190
              • Part of subcall function 00B31174: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B3119E
              • Part of subcall function 00B31174: GetLastError.KERNEL32(?,?,?,?,00B3111A,cabinet.dll,00000009,?,?,00000000), ref: 00B311B9
              • Part of subcall function 00B31174: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B311C1
              • Part of subcall function 00B31174: GetLastError.KERNEL32(?,?,?,?,00B3111A,cabinet.dll,00000009,?,?,00000000), ref: 00B311D6
            • CloseHandle.KERNEL32(?,?,?,?,00B7B4C0,?,cabinet.dll,00000009,?,?,00000000), ref: 00B31131
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
            • String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
            • API String ID: 3687706282-3151496603
            • Opcode ID: ddfecf26156680bfaaae8417a093f2c798a4c1406f854b16e06825e79223c296
            • Instruction ID: f6a434db642a67ca28901eda844bba2b15eb7dba1a4d4251bdc66a19b9dfbd55
            • Opcode Fuzzy Hash: ddfecf26156680bfaaae8417a093f2c798a4c1406f854b16e06825e79223c296
            • Instruction Fuzzy Hash: B5214672900218ABDB109FA9DC49FDEBBF8EF45714F508595F924B7291DB705504CFA0
            APIs
            • GetCurrentProcess.KERNEL32(00000000,?,00B647E8,00000000,00B97CF8,0000000C,00B6493F,00000000,00000002,00000000), ref: 00B64833
            • TerminateProcess.KERNEL32(00000000,?,00B647E8,00000000,00B97CF8,0000000C,00B6493F,00000000,00000002,00000000), ref: 00B6483A
            • ExitProcess.KERNEL32 ref: 00B6484C
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: Process$CurrentExitTerminate
            • String ID:
            • API String ID: 1703294689-0
            • Opcode ID: 914ddf5579760cbaf272a4524eb75bc022b106ce7be9363644198adffccb659e
            • Instruction ID: f0d28e7ab1941ddaac235f2b7ea6b699f69ef05bb08284f27130119b269bdfbe
            • Opcode Fuzzy Hash: 914ddf5579760cbaf272a4524eb75bc022b106ce7be9363644198adffccb659e
            • Instruction Fuzzy Hash: 24E0B632401A88AFCF116F55DD09E5A3FA9FB51351F4504A4F9099B132CF39ED82DA84

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID:
            • String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
            • API String ID: 0-2956246334
            • Opcode ID: 046fd1360de51d973aaab70dde5364cc9ca9a49f3570939542c65da013a50db6
            • Instruction ID: f26ed0fa330ab755e57cd3e50ba0ae060821868cae017a5ac023e3c69188f704
            • Opcode Fuzzy Hash: 046fd1360de51d973aaab70dde5364cc9ca9a49f3570939542c65da013a50db6
            • Instruction Fuzzy Hash: 6DE1A632E41767BACF11BAA4CC45EBEBAE8EB00B10F2546F5FD14B66B0D7619D019780

            Control-flow Graph

            APIs
            • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 00B3B3FF
            • SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00B3B44C
            • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 00B3B452
            • ReadFile.KERNELBASE(00000000,00B3435C,00000040,?,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00B3B49A
            • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 00B3B4A0
            • SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00B3B4FD
            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00B3B503
            • ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00B3B54C
            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00B3B552
            • SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00B3B5C3
            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00B3B5C9
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: ErrorLast$File$Pointer$Read
            • String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp

            Control-flow Graph: first block b3508d-b3513b
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00B3510F
              • Part of subcall function 00B703F0: InitializeCriticalSection.KERNEL32(00B9B60C,?,00B3511B,00000000,?,?,?,?,?,?), ref: 00B70407
              • Part of subcall function 00B31209: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00B35137,00000000,?), ref: 00B31247
              • Part of subcall function 00B31209: GetLastError.KERNEL32(?,?,?,00B35137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00B31251
            • CoInitializeEx.OLE32(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00B3517D
              • Part of subcall function 00B70CD1: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00B70CF2
            • GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00B3520F
            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00B35219
            • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B3549B
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
            • String ID: 3.10.4.4718$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$Setup$_Failed$engine.cpp$txt

            Control-flow Graph: first block b3a311-b3a35f
            APIs
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00B3A356
            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00B3A37C
            • RegCloseKey.KERNELBASE(00000000,?,00000000,?,?,?,?,?), ref: 00B3A666
            Strings
            • Failed to query registry key value size., xrefs: 00B3A454
            • Failed to read registry value., xrefs: 00B3A5F4
            • Failed to format key string., xrefs: 00B3A361
            • Failed to open registry key., xrefs: 00B3A3E9
            • Failed to allocate string buffer., xrefs: 00B3A565
            • Failed to allocate memory registry value., xrefs: 00B3A487
            • Failed to query registry key value., xrefs: 00B3A4D8
            • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00B3A418
            • search.cpp, xrefs: 00B3A44A, 00B3A47D, 00B3A4CE, 00B3A5D1
            • Failed to clear variable., xrefs: 00B3A3D4
            • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 00B3A63E
            • Registry key not found. Key = '%ls', xrefs: 00B3A3B0
            • Failed to format value string., xrefs: 00B3A387
            • Failed to set variable., xrefs: 00B3A629
            • Failed to change value type., xrefs: 00B3A60D
            • Unsupported registry key value type. Type = '%u', xrefs: 00B3A506
            • Failed to get expand environment string., xrefs: 00B3A5DB
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: Open@16$Close
            • String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp

            Control-flow Graph: first block b3567d-b356c4
            APIs
            • EnterCriticalSection.KERNEL32(000002C0,00000100,00000100,00000000,00000000,?,00B399BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 00B356A2
            • lstrlenW.KERNEL32(00000000,?,00B399BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 00B356AC
            • _wcschr.LIBVCRUNTIME ref: 00B358B4
            • LeaveCriticalSection.KERNEL32(000002C0,00000000,00000000,00000000,00000000,00000000,00000001,?,00B399BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0), ref: 00B35B56
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeave_wcschrlstrlen
            • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp

            Control-flow Graph: first block b47337-b4737c
            Strings
            • Failed to initialize variables., xrefs: 00B4737E
            • Failed to parse command line., xrefs: 00B47474
            • Failed to set source process path variable., xrefs: 00B474F7
            • WixBundleSourceProcessFolder, xrefs: 00B47522
            • Failed to load catalog files., xrefs: 00B475FD
            • WixBundleSourceProcessPath, xrefs: 00B474E6
            • Failed to extract bootstrapper application payloads., xrefs: 00B475DD
            • Failed to set original source variable., xrefs: 00B47558
            • WixBundleOriginalSource, xrefs: 00B47547
            • Failed to open manifest stream., xrefs: 00B473B8
            • Failed to set source process folder variable., xrefs: 00B47533
            • Failed to get manifest stream from container., xrefs: 00B473D9
            • Failed to load manifest., xrefs: 00B473F5
            • WixBundleElevated, xrefs: 00B474B3, 00B474C4
            • Failed to open attached UX container., xrefs: 00B4739B
            • Failed to get unique temporary folder for bootstrapper application., xrefs: 00B475BC
            • Failed to get source process folder from path., xrefs: 00B47513
            • Failed to overwrite the %ls built-in variable., xrefs: 00B474C9
            • Failed to initialize internal cache functionality., xrefs: 00B4758D
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: CriticalInitializeSection
            • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath

            Control-flow Graph: first block b37503-b37dc0
            APIs
            • InitializeCriticalSection.KERNEL32(00B47378,00B352B5,00000000,00B3533D), ref: 00B37523
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: CriticalInitializeSection
            • String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleVersion

            Control-flow Graph: first block b480ae-b480f7
            APIs
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00B35381), ref: 00B48104
              • Part of subcall function 00B7076C: OpenProcessToken.ADVAPI32(?,00000008,?,00B352B5,00000000,?,?,?,?,?,?,?,00B474AB,00000000), ref: 00B7078A
              • Part of subcall function 00B7076C: GetLastError.KERNEL32(?,?,?,?,?,?,?,00B474AB,00000000), ref: 00B70794
              • Part of subcall function 00B7076C: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00B474AB,00000000), ref: 00B7081D
            • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00B4812A
            • GetLastError.KERNEL32 ref: 00B48134
            • GetTempPathW.KERNEL32(00000104,?,00000000), ref: 00B481B1
            • GetLastError.KERNEL32 ref: 00B481BB
            Strings
            • Failed to ensure windows path for working folder ended in backslash., xrefs: 00B4817F
            • Failed to get temp path for working folder., xrefs: 00B481E9
            • Temp\, xrefs: 00B48189
            • Failed to convert working folder guid into string., xrefs: 00B4823A
            • Failed to get windows path for working folder., xrefs: 00B48162
            • %ls%ls\, xrefs: 00B4824C
            • cache.cpp, xrefs: 00B48158, 00B481DF, 00B48230
            • Failed to copy working folder path., xrefs: 00B4827F
            • Failed to append bundle id on to temp path for working folder., xrefs: 00B48264
            • Failed to concat Temp directory on windows path for working folder., xrefs: 00B481A1
            • Failed to create working folder guid., xrefs: 00B48207
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: ErrorLast$Process$ChangeCloseCurrentDirectoryFindNotificationOpenPathTempTokenWindows
            • String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
            • API String ID: 58964441-819636856
            • Opcode ID: a9c47084ee5a1c38b1606164295239bd6182056f5e273e97dca4939fdfa332fd
            • Instruction ID: 17f7295bf55336bc60b59e59dc8d0cbb75de9cb5278e64f0600e0ada40cedb56
            • Opcode Fuzzy Hash: a9c47084ee5a1c38b1606164295239bd6182056f5e273e97dca4939fdfa332fd
            • Instruction Fuzzy Hash: 6641F972B40724ABEF20A6A49D4AF9F73E8AB04710F1042E1F909F7160EE74DE449BD1
            Strings
            Similarity
            • API ID: lstrlen
            • String ID: Failed to convert version: %ls to DWORD64 for ProductCode: %ls$Failed to copy the installed ProductCode to the package.$Failed to enum related products.$Failed to get product information for ProductCode: %ls$Failed to get version for product in machine context: %ls$Failed to get version for product in user unmanaged context: %ls$Failed to query feature state.$Invalid state value.$Language$UX aborted detect compatible MSI package.$UX aborted detect related MSI package.$UX aborted detect.$VersionString$msasn1.dll$msiengine.cpp
            • API String ID: 1659193697-2574767977
            • Opcode ID: 1323d2dfe502108a5f522a5558186d7254d7bc91b377dfca95a144d48e3de535
            • Instruction ID: b1668ed680f907ec39c66335ea938d85bf924805011df43b38dcbcc087e1fdae
            • Opcode Fuzzy Hash: 1323d2dfe502108a5f522a5558186d7254d7bc91b377dfca95a144d48e3de535
            • Instruction Fuzzy Hash: F922A071A00619AFDB249FA4CC81FADB7F9FF04B41F1081E9E919AB251D730AE59CB50

            Control-flow Graph (legend: Executed / Not Executed)
            APIs
            • InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00B3515E,?,?,00000000,?,?), ref: 00B341FE
            • InitializeCriticalSection.KERNEL32(000000D0,?,?,00B3515E,?,?,00000000,?,?), ref: 00B34207
            • lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00B3515E,?,?,00000000,?,?), ref: 00B3424D
            • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00B3515E,?,?,00000000,?,?), ref: 00B34257
            • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00B3515E,?,?,00000000,?,?), ref: 00B3426B
            • lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00B3515E,?,?,00000000,?,?), ref: 00B3427B
            • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00B3515E,?,?,00000000,?,?), ref: 00B342CB
            • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00B3515E,?,?,00000000,?,?), ref: 00B342D5
            • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00B3515E,?,?,00000000,?,?), ref: 00B342E9
            • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00B3515E,?,?,00000000,?,?), ref: 00B342F9
            Strings
            Similarity
            • API ID: lstrlen$CompareCriticalInitializeSectionString
            • String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
            • API String ID: 3039292287-3209860532
            • Opcode ID: f24953b6fbbe74720753257d94de4c9ab8d4e95c9a9b194de85d9fc2eda750c6
            • Instruction ID: 359913400d017e24c523a96f40d91c79c7c8c860c927ba2631ad0509faedf343
            • Opcode Fuzzy Hash: f24953b6fbbe74720753257d94de4c9ab8d4e95c9a9b194de85d9fc2eda750c6
            • Instruction Fuzzy Hash: 9651A671A40215BFC7249B65DC86F9A77ECEF04760F1041A6F629E72A0DB70B950CBA4

            Control-flow Graph (legend: Executed / Not Executed)
            APIs
            • TlsSetValue.KERNEL32(?,?), ref: 00B4E5AE
            • RegisterClassW.USER32(?), ref: 00B4E5DA
            • GetLastError.KERNEL32 ref: 00B4E5E5
            • CreateWindowExW.USER32(00000080,00B89CC4,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 00B4E64C
            • GetLastError.KERNEL32 ref: 00B4E656
            • UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 00B4E6F4
            Strings
            Similarity
            • API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
            • String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
            • API String ID: 213125376-288575659
            • Opcode ID: b344d6759743c2099718d21d8b6495f4996fdb2316eb9ac5e9001ea145715610
            • Instruction ID: 3de9a0573dcae6006bfda9a951f3adfec661400413e58a510f439340af57420d
            • Opcode Fuzzy Hash: b344d6759743c2099718d21d8b6495f4996fdb2316eb9ac5e9001ea145715610
            • Instruction Fuzzy Hash: 35417272A00214ABDB109BA5DC48FDABEE8FF18750F1141A6F919E71A0DB31DA40DFA5
            APIs
            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,00B3C319,00B352FD,?,?,00B3533D), ref: 00B3C170
            • GetLastError.KERNEL32(?,00B3C319,00B352FD,?,?,00B3533D,00B3533D,00000000,?,00000000), ref: 00B3C181
            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,00B3C319,00B352FD,?,?,00B3533D,00B3533D,00000000,?), ref: 00B3C1D0
            • GetCurrentProcess.KERNEL32(000000FF,00000000,?,00B3C319,00B352FD,?,?,00B3533D,00B3533D,00000000,?,00000000), ref: 00B3C1D6
            • DuplicateHandle.KERNELBASE(00000000,?,00B3C319,00B352FD,?,?,00B3533D,00B3533D,00000000,?,00000000), ref: 00B3C1D9
            • GetLastError.KERNEL32(?,00B3C319,00B352FD,?,?,00B3533D,00B3533D,00000000,?,00000000), ref: 00B3C1E3
            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00B3C319,00B352FD,?,?,00B3533D,00B3533D,00000000,?,00000000), ref: 00B3C235
            • GetLastError.KERNEL32(?,00B3C319,00B352FD,?,?,00B3533D,00B3533D,00000000,?,00000000), ref: 00B3C23F
            Strings
            Similarity
            • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
            • String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
            • API String ID: 2619879409-373955632
            • Opcode ID: c1619a3bf72cd41e89ed370bfc55710ee542f3c8aaacaefc7bb27ba082637970
            • Instruction ID: 7fa077d1406cbe05640f55dfa9916aaaeab004b891a941af49071f6a62fed3f5
            • Opcode Fuzzy Hash: c1619a3bf72cd41e89ed370bfc55710ee542f3c8aaacaefc7bb27ba082637970
            • Instruction Fuzzy Hash: A8418472240301ABDB109F699C45F673BE9EB85750F2181A9FD18EB291DA31C811DB61
            APIs
              • Part of subcall function 00B337EA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00B33829
              • Part of subcall function 00B337EA: GetLastError.KERNEL32 ref: 00B33833
              • Part of subcall function 00B74932: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00B7495A
            • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00B729FD
            • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00B72A20
            • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00B72A43
            • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00B72A66
            • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00B72A89
            • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00B72AAC
            • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00B72ACF
            Strings
            Similarity
            • API ID: AddressProc$ErrorLast$DirectorySystem
            • String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
            • API String ID: 2510051996-1735120554
            • Opcode ID: fb1c59462d8569caa9f94bc3bf1dc9c12333c7a5612842d49d431aea96220b40
            • Instruction ID: e2749e7975c8be65223cb2ec9b6815ddbf4f9ce253d68fbb2b15e603951b8d2b
            • Opcode Fuzzy Hash: fb1c59462d8569caa9f94bc3bf1dc9c12333c7a5612842d49d431aea96220b40
            • Instruction Fuzzy Hash: 4431B5B1A41218AFDF18DF65FF52E29BBF5AB54B00741456FE409932B1DFB1B9009B40
            APIs
            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,00B3C285,?,00000000,?,00B3C319), ref: 00B514BB
            • GetLastError.KERNEL32(?,00B3C285,?,00000000,?,00B3C319,00B352FD,?,?,00B3533D,00B3533D,00000000,?,00000000), ref: 00B514C4
            Strings
            Similarity
            • API ID: CreateErrorEventLast
            • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
            • API String ID: 545576003-938279966
            • Opcode ID: 9d99d3030450eb6302302a71d43279023c1caf217f5d266ba5f222960dac1515
            • Instruction ID: 5c292893c6cc7f8398747f99a981c89f1c40a9d50e354a0a9041f54d0d761294
            • Opcode Fuzzy Hash: 9d99d3030450eb6302302a71d43279023c1caf217f5d266ba5f222960dac1515
            • Instruction Fuzzy Hash: 552127B2A407257AF72036795C81F6739DCEF44791F0146A2FD09E71A0EA64CC008AE1
            APIs
            • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 00B50657
            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00B5066F
            • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 00B50674
            • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00B50677
            • GetLastError.KERNEL32(?,?), ref: 00B50681
            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 00B506F0
            • GetLastError.KERNEL32(?,?), ref: 00B506FD
            Strings
            • cabextract.cpp, xrefs: 00B506A5, 00B50721
            • Failed to open cabinet file: %hs, xrefs: 00B5072E
            • <the>.cab, xrefs: 00B50650
            • Failed to duplicate handle to cab container., xrefs: 00B506AF
            • Failed to add virtual file pointer for cab container., xrefs: 00B506D6
            Similarity
            • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
            • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
            • API String ID: 3030546534-3446344238
            • Opcode ID: e8e2d9ab197f48fe513e526d4b9a322573444295fd092db3ab2bdc37b6954b7b
            • Instruction ID: 764b5e213ae794642c14df8b5ccaa84ca3e6c5ebe2df8202dce205c878250aef
            • Opcode Fuzzy Hash: e8e2d9ab197f48fe513e526d4b9a322573444295fd092db3ab2bdc37b6954b7b
            • Instruction Fuzzy Hash: 0631D572A11625BBEB207B658C48F9B7AECEF04760F110196FD08F7560D7209D11CBE4
            APIs
            • IsWindow.USER32(?), ref: 00B34B5E
            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B34B6F
            Strings
            • Failed to set registration variables., xrefs: 00B34AD8
            • WixBundleLayoutDirectory, xrefs: 00B34AEF
            • Failed to check global conditions, xrefs: 00B34A43
            • Failed to create the message window., xrefs: 00B34A92
            • Failed to set layout directory variable to value provided from command-line., xrefs: 00B34B00
            • Failed while running , xrefs: 00B34B24
            • Failed to query registration., xrefs: 00B34AA8
            • Failed to set action variables., xrefs: 00B34ABE
            • Failed to open log., xrefs: 00B34A12
            Similarity
            • API ID: MessagePostWindow
            • String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
            • API String ID: 3618638489-3051724725
            • Opcode ID: bd3d42ce4eafdc3ff308c0499c4d1292dcc0111bd1896fc7f42117b0903ace04
            • Instruction ID: 38c46a391f6bd4dcf7a19e9f79eb7ba5bbf3c380a8fc665ffb5878d3abe81db1
            • Opcode Fuzzy Hash: bd3d42ce4eafdc3ff308c0499c4d1292dcc0111bd1896fc7f42117b0903ace04
            • Instruction Fuzzy Hash: 2B41D771A40A1ABBDB265A60CC85FBBFADCFF00750F2042E5B818A6550EB70FD509BD1
            APIs
            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00B35386,?,?), ref: 00B4E84A
            • GetLastError.KERNEL32(?,00B35386,?,?), ref: 00B4E857
            • CreateThread.KERNELBASE(00000000,00000000,Function_0001E563,?,00000000,00000000), ref: 00B4E8B0
            • GetLastError.KERNEL32(?,00B35386,?,?), ref: 00B4E8BD
            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,00B35386,?,?), ref: 00B4E8F8
            • CloseHandle.KERNEL32(00000000,?,00B35386,?,?), ref: 00B4E917
            • FindCloseChangeNotification.KERNELBASE(?,?,00B35386,?,?), ref: 00B4E924
            Strings
            Similarity
            • API ID: CloseCreateErrorLast$ChangeEventFindHandleMultipleNotificationObjectsThreadWait
            • String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
            • API String ID: 1372344712-3599963359
            • Opcode ID: 68789781390fd69ae71b3b210209da025b5167ff018807c3272cadeec8692125
            • Instruction ID: 04d4f75a101c9127197f77a5462af801a8cbb8f0216d5f571694f34abab2c1f9
            • Opcode Fuzzy Hash: 68789781390fd69ae71b3b210209da025b5167ff018807c3272cadeec8692125
            • Instruction Fuzzy Hash: 9A316671E01219BFEB10AFA99D84AAFBAECFF08350F114166F915F3151D6319F009BA1
            APIs
            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,74DF2F60,?,?,00B352FD,00B352B5,00000000,00B3533D), ref: 00B51249
            • GetLastError.KERNEL32 ref: 00B5125C
            • GetExitCodeThread.KERNELBASE(00B7B478,?), ref: 00B5129E
            • GetLastError.KERNEL32 ref: 00B512AC
            • ResetEvent.KERNEL32(00B7B450), ref: 00B512E7
            • GetLastError.KERNEL32 ref: 00B512F1
            Strings
            Similarity
            • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
            • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
            • API String ID: 2979751695-3400260300
            • Opcode ID: bc36b21c6ba3bfcad43099224f9f5569fef15fda129db33f16198956993ace82
            • Instruction ID: 73ffd115f79a8d12fae782638746306154f6a927b2a5e5bc97f03c6124a063fb
            • Opcode Fuzzy Hash: bc36b21c6ba3bfcad43099224f9f5569fef15fda129db33f16198956993ace82
            • Instruction Fuzzy Hash: 7021AE71600304EFFB14AB298D59BBE7AE8EB04711F1041AEE94AE61B0EA308E00DB14
            APIs
            • LoadLibraryW.KERNELBASE(?,00000000,?,00B346F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00B35386,?,?), ref: 00B3D5CD
            • GetLastError.KERNEL32(?,00B346F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00B35386,?,?), ref: 00B3D5DA
            • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00B3D612
            • GetLastError.KERNEL32(?,00B346F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00B35386,?,?), ref: 00B3D61E
            Strings
            Similarity
            • API ID: ErrorLast$AddressLibraryLoadProc
            • String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp$wininet.dll
            • API String ID: 1866314245-1140179540
            • Opcode ID: d4c6c4bce99f1f7152982f3c9e1806c65bcc72ca99b16a56410939e4641ec126
            • Instruction ID: febc157ee2df6da7475faa14b932c4e8fedd2472f94e741a71cef502ed04d958
            • Opcode Fuzzy Hash: d4c6c4bce99f1f7152982f3c9e1806c65bcc72ca99b16a56410939e4641ec126
            • Instruction Fuzzy Hash: 5811E932B41722ABEB216A69AC05F6736D4EF05750F11817AFD2DF75A0DF20CC008AD8
            APIs
            • PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 00B346B5
            • GetCurrentThreadId.KERNEL32 ref: 00B346BB
              • Part of subcall function 00B4FC51: new.LIBCMT ref: 00B4FC58
            • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B34749
            Strings
            • Failed to start bootstrapper application., xrefs: 00B34717
            • Unexpected return value from message pump., xrefs: 00B3479F
            • Failed to create engine for UX., xrefs: 00B346D5
            • engine.cpp, xrefs: 00B34795
            • wininet.dll, xrefs: 00B346E8
            • Failed to load UX., xrefs: 00B346FE
            Similarity
            • API ID: Message$CurrentPeekThread
            • String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
            • API String ID: 673430819-2573580774
            • Opcode ID: d23d509d6d00f582c7123c4270b88821cab0ba517a202cc95f3f29b645c24cab
            • Instruction ID: 3158b469a90396bf32ce2e881c86b15625c56d63022b0bdbdef72899bd35c879
            • Opcode Fuzzy Hash: d23d509d6d00f582c7123c4270b88821cab0ba517a202cc95f3f29b645c24cab
            • Instruction Fuzzy Hash: 3B419F71600219FFEB159BA4CC85EBAB7ECEF05714F2041A9F919EB250DB30BD458BA0
            APIs
            • RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00B3F7CD
            • RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00B3F7DA
            Strings
            • Failed to open registration key., xrefs: 00B3F736
            • %ls.RebootRequired, xrefs: 00B3F6BA
            • Failed to read Resume value., xrefs: 00B3F763
            • Resume, xrefs: 00B3F741
            • Failed to format pending restart registry key to read., xrefs: 00B3F6D1
            Similarity
            • API ID: Close
            • String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
            • API String ID: 3535843008-3890505273
            • Opcode ID: c2afbdf6de48359bed8f2c780cb5f6f5798dde647912e8ed302c624dc147bfca
            • Instruction ID: 483778ea277fff9bb4873699ac14c5a16537ea2743b66cc79cf3cb4a085a8eff
            • Opcode Fuzzy Hash: c2afbdf6de48359bed8f2c780cb5f6f5798dde647912e8ed302c624dc147bfca
            • Instruction Fuzzy Hash: E5411C36D0011AEFCB11AF98C981ABDBBE5FB05350F3581F6E814AB220D7719E51DB90
            APIs
            • EnterCriticalSection.KERNEL32(00B9B60C,00000000,?,?,?,00B35407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 00B7042B
            • CreateFileW.KERNEL32(40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,00B9B604,?,00B35407,00000000,Setup), ref: 00B704CC
            • GetLastError.KERNEL32(?,00B35407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 00B704DC
            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00B35407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 00B70515
              • Part of subcall function 00B32DE0: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00B32F1F
            • LeaveCriticalSection.KERNEL32(00B9B60C,?,?,00B9B604,?,00B35407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 00B7056E
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
            • String ID: logutil.cpp
            • API String ID: 4111229724-3545173039
            • Opcode ID: b515a1b7b21346d7a1d5817bb0879b9bc7f20def72738c5a7a5ce146081f0cf2
            • Instruction ID: 06abf06e152d35fe7f5b52b670802f97aa3738dccca1a0ab7539855af31e724a
            • Opcode Fuzzy Hash: b515a1b7b21346d7a1d5817bb0879b9bc7f20def72738c5a7a5ce146081f0cf2
            • Instruction Fuzzy Hash: 7631B772A11215EFDF21BF61EDC6E6A76F8EB10B50F0081A7F919A7160DB30DD409B90
            APIs
            • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,00B3583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 00B37215
            • LeaveCriticalSection.KERNEL32(00000000,00000000,00000002,00000000,?,?,?,00B3583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 00B372F4
            Strings
            • Failed to format value '%ls' of variable: %ls, xrefs: 00B372BE
            • Failed to get value as string for variable: %ls, xrefs: 00B372E3
            • *****, xrefs: 00B372B0, 00B372BD
            • Failed to get unformatted string., xrefs: 00B37285
            • Failed to get variable: %ls, xrefs: 00B37256
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeave
            • String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
            • API String ID: 3168844106-2873099529
            • Opcode ID: a0ce18b9b1d52caeb0a425598756ccf60594e6a58b9dae5edb73379e8bbf0684
            • Instruction ID: 736179d90d6700e123b7c17baa7988ebe1631e7654213d45a667765491071425
            • Opcode Fuzzy Hash: a0ce18b9b1d52caeb0a425598756ccf60594e6a58b9dae5edb73379e8bbf0684
            • Instruction Fuzzy Hash: B331C0B298461AFBCF319A50CC05B9F7BE4EF16720F6081E9F81876550DB31AE909BC0
            APIs
            Strings
            • cabextract.cpp, xrefs: 00B5098D
            • Unexpected call to CabWrite()., xrefs: 00B50923
            • Failed to write during cabinet extraction., xrefs: 00B50997
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: ErrorFileLastWrite_memcpy_s
            • String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
            • API String ID: 1970631241-3111339858
            • Opcode ID: ae129ccaa3ce271d95e84c38de9a0594413b0dc06313f9a2fc2257636cc46e0e
            • Instruction ID: 0669bbb1cefeff1d405d2e70a3d45da5abbf9d64339c87528620bdb036792da3
            • Opcode Fuzzy Hash: ae129ccaa3ce271d95e84c38de9a0594413b0dc06313f9a2fc2257636cc46e0e
            • Instruction Fuzzy Hash: 31218B76610204AFEB00EF6DDD84EAA77E9EF88710B11409AFE08D7266D631DA009B51
            APIs
            • OpenProcessToken.ADVAPI32(?,00000008,?,00B352B5,00000000,?,?,?,?,?,?,?,00B474AB,00000000), ref: 00B7078A
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00B474AB,00000000), ref: 00B70794
            • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,00B474AB,00000000), ref: 00B707C6
            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00B474AB,00000000), ref: 00B7081D
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: Token$ChangeCloseErrorFindInformationLastNotificationOpenProcess
            • String ID: procutil.cpp
            • API String ID: 2387526074-1178289305
            • Opcode ID: fb7b80c0419f6e120ba3605902d1d9a1cbd538c8883035d1adab4eb9a8f4e27c
            • Instruction ID: fadba22c3f186c6d711bb67fe3c93f87e9c42ae7eb522df7680c267a288ff848
            • Opcode Fuzzy Hash: fb7b80c0419f6e120ba3605902d1d9a1cbd538c8883035d1adab4eb9a8f4e27c
            • Instruction Fuzzy Hash: DC219371E50228EFDB10AB999C48B9EBBE8EF54710F1181A7ED19E7160E7708E40DBD1
            APIs
            • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00B50A25
            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B50A37
            • SetFileTime.KERNELBASE(?,?,?,?), ref: 00B50A4A
            • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00B50616,?,?), ref: 00B50A59
            Strings
            • cabextract.cpp, xrefs: 00B509F4
            • Invalid operation for this state., xrefs: 00B509FE
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: Time$File$ChangeCloseDateFindLocalNotification
            • String ID: Invalid operation for this state.$cabextract.cpp
            • API String ID: 1330928052-1751360545
            • Opcode ID: 41702003f29e02b97255a20e27d0898b9f993bcc0b4642fd4f094991b159912c
            • Instruction ID: 2ebee5b06a611dda91c2a9072c3ed6f2ed7c7046b2d6f2d5978e490a888dabca
            • Opcode Fuzzy Hash: 41702003f29e02b97255a20e27d0898b9f993bcc0b4642fd4f094991b159912c
            • Instruction Fuzzy Hash: 1421C372820219AB8710AF68DC48AAA7BFCFE04721B104296F815D75D0C770DE56CB90
            APIs
            • CoInitialize.OLE32(00000000), ref: 00B7344A
            • InterlockedIncrement.KERNEL32(00B9B6D8), ref: 00B73467
            • CLSIDFromProgID.OLE32(Msxml2.DOMDocument,00B9B6C8,?,?,?,?,?,?), ref: 00B73482
            • CLSIDFromProgID.OLE32(MSXML.DOMDocument,00B9B6C8,?,?,?,?,?,?), ref: 00B7348E
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: FromProg$IncrementInitializeInterlocked
            • String ID: MSXML.DOMDocument$Msxml2.DOMDocument
            • API String ID: 2109125048-2356320334
            • Opcode ID: 6b192ce4624f2d65ec492e1ad78076fe8bb5af31081935bbd65cd8e85cf95acd
            • Instruction ID: a2b0ef067d2cc7702164861f177ad7e42aa67c94a655b32d4cc56e7876d72cb0
            • Opcode Fuzzy Hash: 6b192ce4624f2d65ec492e1ad78076fe8bb5af31081935bbd65cd8e85cf95acd
            • Instruction Fuzzy Hash: D0F0E521740235A7DF264BA5BE4DF1BAEF4EB80F64F0180A5E80DD32A4D76099C19AB0
            APIs
            • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00B7495A
            • GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00B74989
            • GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 00B749B3
            • GetLastError.KERNEL32(00000000,00B7B790,?,?,?,00000000,00000000,00000000), ref: 00B749F4
            • GlobalFree.KERNEL32(00000000), ref: 00B74A28
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: ErrorLast$Global$AllocFree
            • String ID: fileutil.cpp
            • API String ID: 1145190524-2967768451
            • Opcode ID: baa5ae0bd5444784b32f236ee6517c89e1c1a04cb8bacc21cb32dae435a69e97
            • Instruction ID: 900fd6ad89aae9959afc3132cb5a79b68556c5bfcb34b989830add20fb244969
            • Opcode Fuzzy Hash: baa5ae0bd5444784b32f236ee6517c89e1c1a04cb8bacc21cb32dae435a69e97
            • Instruction Fuzzy Hash: E721C535A40329AB97119BA58C45EABBBE8EF84361F1181A6FD1DE7210DB308D40DAA0
            APIs
            • DefWindowProcW.USER32(?,00000082,?,?), ref: 00B4E734
            • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00B4E743
            • SetWindowLongW.USER32(?,000000EB,?), ref: 00B4E757
            • DefWindowProcW.USER32(?,?,?,?), ref: 00B4E767
            • GetWindowLongW.USER32(?,000000EB), ref: 00B4E781
            • PostQuitMessage.USER32(00000000), ref: 00B4E7DE
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: Window$Long$Proc$MessagePostQuit
            • String ID:
            • API String ID: 3812958022-0
            • Opcode ID: 85c96d143685f32260672fdfc11244d8230d7add3601040ca35c2949171f5e71
            • Instruction ID: a3f4aca897d1fc2cd11872b8587ba9bdf3f9a9be288df3c959fcfc6da6b19611
            • Opcode Fuzzy Hash: 85c96d143685f32260672fdfc11244d8230d7add3601040ca35c2949171f5e71
            • Instruction Fuzzy Hash: 8621B032104218BFDB115FA8DC88F6A3BE9FF44360F154554F91AAB1A0C730DE50EB61
            APIs
            • RegQueryValueExW.KERNELBASE(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 00B710ED
            • RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,?,?,?,?,00B46EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 00B71126
            • lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 00B7121A
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: QueryValue$lstrlen
            • String ID: BundleUpgradeCode$regutil.cpp
            • API String ID: 3790715954-1648651458
            • Opcode ID: 5ca8414d9ae10e0d9dcf185f9cb852e0edb61f2a4784d84dd3c4a1fe5d3f05f8
            • Instruction ID: de024d9dc08871ce4c7d916dc261f265a54ea1a7e28ea61ca4a1d1444ef49d49
            • Opcode Fuzzy Hash: 5ca8414d9ae10e0d9dcf185f9cb852e0edb61f2a4784d84dd3c4a1fe5d3f05f8
            • Instruction Fuzzy Hash: 13419431A00219EFDB258F9DC884AAEB7F9EF44710F5185A9ED29EB211D630DD018BA0
            APIs
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00B6FEE7,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00B6FEE7,?,00000000,00000000), ref: 00B3247C
            • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00B6FEE7,?,00000000,00000000,0000FDE9), ref: 00B32488
              • Part of subcall function 00B33B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,00B321DC,000001C7,80004005,8007139F,?,?,00B7015F,8007139F,?,00000000,00000000,8007139F), ref: 00B33B59
              • Part of subcall function 00B33B51: HeapSize.KERNEL32(00000000,?,00B321DC,000001C7,80004005,8007139F,?,?,00B7015F,8007139F,?,00000000,00000000,8007139F), ref: 00B33B60
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
            • String ID: strutil.cpp
            • API String ID: 3662877508-3612885251
            • Opcode ID: b998a310f25559afd8ee25c9bfb1484897b998b1c22e29563d4f9e12cd5c317c
            • Instruction ID: b6053ac0479a65301f5311922cec6452261d1a5aebc81341fe33940e691722be
            • Opcode Fuzzy Hash: b998a310f25559afd8ee25c9bfb1484897b998b1c22e29563d4f9e12cd5c317c
            • Instruction Fuzzy Hash: 7C319071200219BFEB109F698CD4A7A72DDEB54764F3182A9FA15DB2A0EB71CC409760
            APIs
            • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00B5088A
            • GetLastError.KERNEL32(?,?,?), ref: 00B50894
            Strings
            • cabextract.cpp, xrefs: 00B508B8
            • Invalid seek type., xrefs: 00B50820
            • Failed to move file pointer 0x%x bytes., xrefs: 00B508C5
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: ErrorFileLastPointer
            • String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
            • API String ID: 2976181284-417918914
            • Opcode ID: f2730a6b52e3e734bce4bf0237544a45ee5705e966e709a38fe406ba3578cc5e
            • Instruction ID: b72f0e80856cdbff13a72f83eb029b5fc209e3f4ce5e58cae722da4aeb0d18df
            • Opcode Fuzzy Hash: f2730a6b52e3e734bce4bf0237544a45ee5705e966e709a38fe406ba3578cc5e
            • Instruction Fuzzy Hash: 49318571A10619FFDB04EF69CC84E5AB7E9FB04710B04829AFD19A7650D730AD15CBD0
            APIs
            • CreateDirectoryW.KERNELBASE(00B3533D,00B353B5,00000000,00000000,?,00B49EE4,00000000,00000000,00B3533D,00000000,00B352B5,00000000,?,?,00B3D4AC,00B3533D), ref: 00B34021
            • GetLastError.KERNEL32(?,00B49EE4,00000000,00000000,00B3533D,00000000,00B352B5,00000000,?,?,00B3D4AC,00B3533D,00000000,00000000), ref: 00B3402F
            • CreateDirectoryW.KERNEL32(00B3533D,00B353B5,00B35381,?,00B49EE4,00000000,00000000,00B3533D,00000000,00B352B5,00000000,?,?,00B3D4AC,00B3533D,00000000), ref: 00B34097
            • GetLastError.KERNEL32(?,00B49EE4,00000000,00000000,00B3533D,00000000,00B352B5,00000000,?,?,00B3D4AC,00B3533D,00000000,00000000), ref: 00B340A1
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: CreateDirectoryErrorLast
            • String ID: dirutil.cpp
            • API String ID: 1375471231-2193988115
            • Opcode ID: 5c0b19416b64918f5c523aea96f054df38ded125a5383afb55758d3f2583ce0d
            • Instruction ID: 50a2f8ee84a16b666469bf069503c3170e329d23676e00ea3cb3a2c575786091
            • Opcode Fuzzy Hash: 5c0b19416b64918f5c523aea96f054df38ded125a5383afb55758d3f2583ce0d
            • Instruction Fuzzy Hash: 75113636700321EAEB341AA54C44B7BB6D4DF41B60F3041A6FF49EB050DB60AC459AE1
            APIs
              • Part of subcall function 00B70E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00B75699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00B70E52
            • RegCloseKey.KERNELBASE(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,00B58C14,00000000,00000000), ref: 00B5898C
            Strings
            • Failed to ensure there is space for related bundles., xrefs: 00B5893F
            • Failed to initialize package from related bundle id: %ls, xrefs: 00B58972
            • Failed to open uninstall key for potential related bundle: %ls, xrefs: 00B588FB
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmpDownload File
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmpDownload File
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmpDownload File
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: CloseOpen
            • String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
            • API String ID: 47109696-1717420724
            • Opcode ID: 5a398b1874444a8b7513827bf528c284f4738deda706b819e2b5271200b15851
            • Instruction ID: 41c9b6d913107a586b6942766cbaf784ea3ebaded21cd61c51ad5ca3b50555af
            • Opcode Fuzzy Hash: 5a398b1874444a8b7513827bf528c284f4738deda706b819e2b5271200b15851
            • Instruction Fuzzy Hash: DD21603294021AFBDF129E84DC06BBEBBA8EB00712F1451D9FD14B6160DB719E24EB91
            APIs
            • lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,?,00B6FF0B,?,?,00000000,00000000,0000FDE9), ref: 00B7066A
            • WriteFile.KERNELBASE(FFFFFFFF,00000000,00000000,00000000,00000000,?,?,00B6FF0B,?,?,00000000,00000000,0000FDE9), ref: 00B706A6
            • GetLastError.KERNEL32(?,?,00B6FF0B,?,?,00000000,00000000,0000FDE9), ref: 00B706B0
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: ErrorFileLastWritelstrlen
            • String ID: logutil.cpp
            • API String ID: 606256338-3545173039
            • Opcode ID: 3259b15246ecf809526f63bfc6f8c94d6ab6d9fbd2ef37fe8773c0d8d366873b
            • Instruction ID: 278a2561ab932b7f4e4632110294c10d130c96d1556c961be83853659bdffa61
            • Opcode Fuzzy Hash: 3259b15246ecf809526f63bfc6f8c94d6ab6d9fbd2ef37fe8773c0d8d366873b
            • Instruction Fuzzy Hash: CD112972A11224EF8710AB769D54EAFB7ECEBD0B60F008256FD19D7140DB30ED1086E0
            APIs
              • Part of subcall function 00B5114F: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00B5077D,?,?,?), ref: 00B51177
              • Part of subcall function 00B5114F: GetLastError.KERNEL32(?,00B5077D,?,?,?), ref: 00B51181
            • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 00B5078B
            • GetLastError.KERNEL32 ref: 00B50795
            Strings
            • cabextract.cpp, xrefs: 00B507B9
            • Failed to read during cabinet extraction., xrefs: 00B507C3
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: ErrorFileLast$PointerRead
            • String ID: Failed to read during cabinet extraction.$cabextract.cpp
            • API String ID: 2170121939-2426083571
            • Opcode ID: b781e71fd8642b585c7875943e79e42d9ee55111c3dbbfec73737a6769412f36
            • Instruction ID: 17261493fcbdd2d5e3272cecde70a8bd264317cd13bdf81060a4ab11a736c5b6
            • Opcode Fuzzy Hash: b781e71fd8642b585c7875943e79e42d9ee55111c3dbbfec73737a6769412f36
            • Instruction Fuzzy Hash: C101A572600224ABDB10AFA8DC04E9A7BE9FF08760F01015AFD08E7560D7319E11DBD4
            APIs
            • CreateFileW.KERNELBASE(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,00B58A30,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 00B74874
            • GetLastError.KERNEL32(?,00B58A30,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 00B74881
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: CreateErrorFileLast
            • String ID: fileutil.cpp
            • API String ID: 1214770103-2967768451
            • Opcode ID: 5eaf12d2e63b462c28af213df9bbcc34b429c006963223d85447b3e92b6cc4ae
            • Instruction ID: 696526d1fd83609b860edd0960ca9bc84895f9964d6c67c78abc2e9b511ab452
            • Opcode Fuzzy Hash: 5eaf12d2e63b462c28af213df9bbcc34b429c006963223d85447b3e92b6cc4ae
            • Instruction Fuzzy Hash: 3401F432780224BBF72126A4AC49F7B36D8DB40B61F1182A1FE1DEB1D0CB694D4096E2
            APIs
            • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00B5077D,?,?,?), ref: 00B51177
            • GetLastError.KERNEL32(?,00B5077D,?,?,?), ref: 00B51181
            Strings
            • cabextract.cpp, xrefs: 00B511A5
            • Failed to move to virtual file pointer., xrefs: 00B511AF
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: ErrorFileLastPointer
            • String ID: Failed to move to virtual file pointer.$cabextract.cpp
            • API String ID: 2976181284-3005670968
            • Opcode ID: 007ff56e43c870ae12c056b162d9e33d2320d4c469d1cd185e348f395d74b305
            • Instruction ID: 1ce1612dc740e5a34af74ab4c5f6e6083465d1f43c59090eeb33b36626f88383
            • Opcode Fuzzy Hash: 007ff56e43c870ae12c056b162d9e33d2320d4c469d1cd185e348f395d74b305
            • Instruction Fuzzy Hash: A101F236600625BBE7112A6A9C04F87BFD9EF007A1B0081A6FE1CA6560DB218C10CBD4
            APIs
            • GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 00B3D7F6
            • FreeLibrary.KERNELBASE(?,?,00B347D1,00000000,?,?,00B35386,?,?), ref: 00B3D805
            • GetLastError.KERNEL32(?,00B347D1,00000000,?,?,00B35386,?,?), ref: 00B3D80F
            Strings
            • BootstrapperApplicationDestroy, xrefs: 00B3D7EE
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: AddressErrorFreeLastLibraryProc
            • String ID: BootstrapperApplicationDestroy
            • API String ID: 1144718084-3186005537
            APIs
            • PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 00B4F1A9
            • GetLastError.KERNEL32 ref: 00B4F1B3
            Strings
            • EngineForApplication.cpp, xrefs: 00B4F1D7
            • Failed to post shutdown message., xrefs: 00B4F1E1
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: ErrorLastMessagePostThread
            • String ID: EngineForApplication.cpp$Failed to post shutdown message.
            • API String ID: 2609174426-188808143
            APIs
            • SetEvent.KERNEL32(00B7B468,00000000,?,00B5145A,?,00000000,?,00B3C121,?,00B352FD,?,00B473B2,?,?,00B352FD,?), ref: 00B50524
            • GetLastError.KERNEL32(?,00B5145A,?,00000000,?,00B3C121,?,00B352FD,?,00B473B2,?,?,00B352FD,?,00B3533D,00000001), ref: 00B5052E
            Strings
            • cabextract.cpp, xrefs: 00B50552
            • Failed to set begin operation event., xrefs: 00B5055C
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: ErrorEventLast
            • String ID: Failed to set begin operation event.$cabextract.cpp
            • API String ID: 3848097054-4159625223
            APIs
            • lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00B31104,?,?,00000000), ref: 00B3503A
            • CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00B31104,?,?,00000000), ref: 00B3506A
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: CompareStringlstrlen
            • String ID: burn.clean.room
            • API String ID: 1433953587-3055529264
            APIs
            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00B33829
            • GetLastError.KERNEL32 ref: 00B33833
            • LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 00B3389B
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: DirectoryErrorLastLibraryLoadSystem
            • String ID:
            • API String ID: 1230559179-0
            APIs
            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00B33B34,00000000,?,00B31472,00000000,80004005,00000000,80004005,00000000,000001C7,?,00B313B7), ref: 00B339A3
            • RtlFreeHeap.NTDLL(00000000,?,00B33B34,00000000,?,00B31472,00000000,80004005,00000000,80004005,00000000,000001C7,?,00B313B7,000001C7,00000100), ref: 00B339AA
            • GetLastError.KERNEL32(?,00B33B34,00000000,?,00B31472,00000000,80004005,00000000,80004005,00000000,000001C7,?,00B313B7,000001C7,00000100,?), ref: 00B339B4
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: Heap$ErrorFreeLastProcess
            • String ID:
            • API String ID: 406640338-0
            APIs
            • IsWindow.USER32(?), ref: 00B4E7F8
            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B4E80E
            • WaitForSingleObject.KERNEL32(?,00003A98,?,00B34B37,?,?,?,?,?,00B7B490,?,?,?,?,?,?), ref: 00B4E81F
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: MessageObjectPostSingleWaitWindow
            • String ID:
            • API String ID: 1391784381-0
            APIs
            • RegQueryValueExW.KERNELBASE(00000000,00000008,00000000,00000000,00000000,000000B0,000002C0,00000000,00000000), ref: 00B7127B
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: QueryValue
            • String ID: regutil.cpp
            • API String ID: 3660427363-955085611
            APIs
              • Part of subcall function 00B70E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00B75699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00B70E52
            • RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,?,00B47B4D,?,?,?), ref: 00B3F644
              • Part of subcall function 00B70EEC: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000000,00000000,?,?,?,00B3F619,00000000,Installed,00000000,?,?), ref: 00B70F10
            Strings
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID: Installed
            • API String ID: 3677997916-3662710971
            APIs
            • GetProcessHeap.KERNEL32(?,000001C7,?,00B32284,000001C7,00000001,80004005,8007139F,?,?,00B7015F,8007139F,?,00000000,00000000,8007139F), ref: 00B338E5
            • RtlAllocateHeap.NTDLL(00000000,?,00B32284,000001C7,00000001,80004005,8007139F,?,?,00B7015F,8007139F,?,00000000,00000000,8007139F), ref: 00B338EC
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: Heap$AllocateProcess
            • String ID:
            • API String ID: 1357844191-0
            APIs
            • VariantInit.OLEAUT32(?), ref: 00B734CE
              • Part of subcall function 00B72F23: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00B734DF,00000000,?,00000000), ref: 00B72F3D
              • Part of subcall function 00B72F23: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00B5BDED,?,00B352FD,?,00000000,?), ref: 00B72F49
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: ErrorHandleInitLastModuleVariant
            • String ID:
            • API String ID: 52713655-0
            APIs
              • Part of subcall function 00B78CFB: lstrlenW.KERNEL32(00000100,?,?,00B79098,000002C0,00000100,00000100,00000100,?,?,?,00B57B40,?,?,000001BC,00000000), ref: 00B78D1B
            • RegCloseKey.KERNELBASE(000002C0,000002C0,00000100,00000100,00000100,?,?,?,00B57B40,?,?,000001BC,00000000,00000000,00000000,00000100), ref: 00B79136
              • Part of subcall function 00B70E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00B75699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00B70E52
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: CloseOpenlstrlen
            • String ID:
            • API String ID: 514153755-0
            APIs
            • RegCloseKey.ADVAPI32(80070490,00000000,80070490,00B9AAA0,00000000,80070490,00000000,?,00B4890E,WiX\Burn,PackageCache,00000000,00B9AAA0,00000000,00000000,80070490), ref: 00B75782
              • Part of subcall function 00B70F6E: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00B70FE4
              • Part of subcall function 00B70F6E: RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00B7101F
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: QueryValue$Close
            • String ID:
            • API String ID: 1979452859-0
            APIs
            • FindCloseChangeNotification.KERNELBASE(FFFFFFFF,?,00B354EA,00000000,?,?,?,?), ref: 00B7002E
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: ChangeCloseFindNotification
            • String ID:
            • API String ID: 2591292051-0
            APIs
            • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00B489CA,0000001C,80070490,00000000,00000000,80070490), ref: 00B334E5
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: FolderPath
            • String ID:
            • API String ID: 1514166925-0
            APIs
            • GetFileAttributesW.KERNELBASE(00000000,00000000,?,00B4A229,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,80070490), ref: 00B340EB
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: AttributesFile
            • String ID:
            • API String ID: 3188754299-0
            APIs
            • ___delayLoadHelper2@8.DELAYIMP ref: 00B6F35B
              • Part of subcall function 00B79814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B79891
              • Part of subcall function 00B79814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B798A2
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
            • String ID:
            • API String ID: 1269201914-0
            APIs
            • ___delayLoadHelper2@8.DELAYIMP ref: 00B6F35B
              • Part of subcall function 00B79814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B79891
              • Part of subcall function 00B79814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B798A2
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
            • String ID:
            • API String ID: 1269201914-0
            APIs
            • ___delayLoadHelper2@8.DELAYIMP ref: 00B6F35B
              • Part of subcall function 00B79814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B79891
              • Part of subcall function 00B79814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B798A2
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
            • String ID:
            • API String ID: 1269201914-0
            APIs
            • ___delayLoadHelper2@8.DELAYIMP ref: 00B794E7
              • Part of subcall function 00B79814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B79891
              • Part of subcall function 00B79814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B798A2
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
            • String ID:
            • API String ID: 1269201914-0
            APIs
            • ___delayLoadHelper2@8.DELAYIMP ref: 00B794E7
              • Part of subcall function 00B79814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B79891
              • Part of subcall function 00B79814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B798A2
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
            • String ID:
            • API String ID: 1269201914-0
            • Opcode ID: d3afaf3d11e298f7094e8a4ca17a868648f5e47446e064d8d8a9f103ac965ee3
            • Instruction ID: a5784dd749acf90bd90a377418211157316811453ceec5778ca5e8631872368c
            • Opcode Fuzzy Hash: d3afaf3d11e298f7094e8a4ca17a868648f5e47446e064d8d8a9f103ac965ee3
            • Instruction Fuzzy Hash: EEB012962A85017C3A1423141C83C3601CCE5C1F10334C1FFB214D1088B8400C051033
            APIs
            • ___delayLoadHelper2@8.DELAYIMP ref: 00B794E7
              • Part of subcall function 00B79814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B79891
              • Part of subcall function 00B79814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B798A2
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
            • String ID:
            • API String ID: 1269201914-0
            • Opcode ID: 01378fcc5e877cc4d6ef0176a5575ca0261990d1e4db0255d8d08ae808921ef3
            • Instruction ID: dd963706f0f6d11e0983695807cb96f6442fa44ce87a42d3ae933a4363d87130
            • Opcode Fuzzy Hash: 01378fcc5e877cc4d6ef0176a5575ca0261990d1e4db0255d8d08ae808921ef3
            • Instruction Fuzzy Hash: FAB012962A86016C3A5462542E43D3601CCD5C1F10334C1FFB218C2180F8400C061033
            APIs
            • lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,00B321B8,?,00000000,?,00000000,?,00B338BD,00000000,?,00000104), ref: 00B314E4
              • Part of subcall function 00B33B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,00B321DC,000001C7,80004005,8007139F,?,?,00B7015F,8007139F,?,00000000,00000000,8007139F), ref: 00B33B59
              • Part of subcall function 00B33B51: HeapSize.KERNEL32(00000000,?,00B321DC,000001C7,80004005,8007139F,?,?,00B7015F,8007139F,?,00000000,00000000,8007139F), ref: 00B33B60
            Memory Dump Source
            • Source File: 00000002.00000002.1751735500.0000000000B31000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B30000, based on PE: true
            • Associated: 00000002.00000002.1751720139.0000000000B30000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751762682.0000000000B7B000.00000002.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751851842.0000000000B9A000.00000004.00000001.01000000.0000000A.sdmp
            • Associated: 00000002.00000002.1751866963.0000000000B9E000.00000002.00000001.01000000.0000000A.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_b30000_VC_redist.jbxd
            Similarity
            • API ID: Heap$ProcessSizelstrlen
            • String ID:
            • API String ID: 3492610842-0
            • Opcode ID: 946bba5023864fc577b6f93dfda00cb27ae94048cc7114a1601b82e43d3646c5
            • Instruction ID: 92196ba4156a8c2798eb1d1eb9a68da3cd6ce2e552ce7a4f02e88e731f7528ee
            • Opcode Fuzzy Hash: 946bba5023864fc577b6f93dfda00cb27ae94048cc7114a1601b82e43d3646c5
            • Instruction Fuzzy Hash: FA014537200218AFCF215E18CC84F9A77DDEF50760F3286A4FA259B260D731DC108A90