Windows Analysis Report
SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Analysis ID: 1467853
MD5: 877d291ad79381cb54de729ac307b613
SHA1: f57f2b08e73a780ab677cb8a9e8b81e6a9081bd9
SHA256: f6037690187d1989a891542c29907786e4f4e4a406a0f8b0e3b3049dff4c1af4
Tags: exe

Detection

Score: 32
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Compliance

Score: 50
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe (PID: 6592 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe" MD5: 877D291AD79381CB54DE729AC307B613)
    • taskkill.exe (PID: 5480 cmdline: "C:\Windows\system32\taskkill.exe" /F /IM IPCTools.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • vcredist_x86_vs2005_en.exe (PID: 4924 cmdline: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe MD5: 4F1611F2D0AE799507F60C10FF8654C5)
      • msiexec.exe (PID: 1744 cmdline: msiexec /i vcredist.msi MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • vcredist_x86_vs2013_en.exe (PID: 6952 cmdline: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe MD5: 0FC525B6B7B96A87523DAA7A0013C69D)
      • vcredist_x86_vs2013_en.exe (PID: 4348 cmdline: "C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe" -burn.unelevated BurnPipe.{A826652D-AFD8-40B6-84B0-7105BE434658} {ED4ADFC9-BDFE-4680-B562-A7A4CCF98333} 6952 MD5: 0FC525B6B7B96A87523DAA7A0013C69D)
  • msiexec.exe (PID: 5220 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 4564 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8341741E8479EC6D551F124E2FB1671E MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • rundll32.exe (PID: 6716 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • SrTasks.exe (PID: 7088 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)
    • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe, ProcessId: 4924, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Avira: detected
Source: C:\Program Files (x86)\IPCTools\IPCTools\PlayDiag.dll | ReversingLabs: Detection: 37%
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe | Code function: 4_2_01006205 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,4_2_01006205
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A87378 _memset,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,ReadFile,CryptHashData,ReadFile,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,GetLastError,CryptDestroyHash,CryptReleaseContext,11_2_00A87378
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A68101 CryptHashPublicKeyInfo,GetLastError,11_2_00A68101
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A68386 DecryptFileW,11_2_00A68386
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A67E2A _memset,CryptCATAdminCalcHashFromFileHandle,GetLastError,GetLastError,CryptCATAdminCalcHashFromFileHandle,GetLastError,WinVerifyTrust,WinVerifyTrust,WinVerifyTrust,11_2_00A67E2A

Compliance

Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe | Window detected: Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL C++ 2005 RUNTIME LIBRARIESThese license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any Microsoft* updates* supplements* Internet-based services and * support servicesfor this software unless other terms accompany those items. If so those terms apply.By using the software you accept these terms. If you do not accept them do not use the software.If you comply with these license terms you have the rights below.1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. 
You may not* disclose the results of any benchmark tests of the software to any third party without Microsofts prior written approval;* work around any technical limitations in the software;* reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;* make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;* publish the software for others to copy;* rent lease or lend the software;* transfer the software or this agreement to any third party; or* use the software for commercial software hosting services.3. BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6. SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7. ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8. APPLICABLE LAW.a. United States. If you acquired the software in the United States Washington state law governs the interpre
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Window detected: MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL C++ REDISTRIBUTABLE FOR VISUAL STUDIO 2013 These license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any MicrosoftupdatessupplementsInternet-based services andsupport servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.IF YOU COMPLY WITH THESE LICENSE TERMS YOU HAVE THE PERPETUAL RIGHTS BELOW.1.INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2.SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may notdisclose the results of any benchmark tests of the software to any third party without Microsofts prior written approval;work around any technical limitations in the software;reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;publish the software for others to copy;rent lease or lend the software;transfer the software or this agreement to any third party; oruse the software for commercial software hosting services.3.BACKUP COPY. 
You may make one backup copy of the software. You may use it only to reinstall the software.4.DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5.EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6.SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7.ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8.APPLICABLE LAW.a.United States. If you acquired the software in the United States Washington state law governs the interpretation of this agreement and applies to claims for breach of it regardless of conflict of laws pri
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File created: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\license.rtf
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Static PE information: certificate valid
Source: C:\Windows\System32\msiexec.exe | File opened: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcr80.dll
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\HWDec__8a78b8\Bin\Win32\HWDec.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1801581634.00000000027C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcm80.i386.pdb source: msvcm80.dll.9.dr
Source: Binary string: E:\WinRenderD3D11\Release\WinRender.pdbY source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1802654851.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdb source: vcredist_x86_vs2005_en.exe, vcredist_x86_vs2005_en.exe, 00000004.00000000.1885195627.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, vcredist_x86_vs2005_en.exe, 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixDepCA.pdb source: vcredist_x86_vs2013_en.exe, 0000000B.00000003.2218884543.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000003.2221638313.0000000000D54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SourceSvn\PC_Client\MP4V3\Release\MP4V3.pdb% source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.0000000002B05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\RenderEngine__8f3d5d\Bin\Win32\RenderEngine.pdbf source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1804750875.00000000027C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vcomp120.i386.pdb0' source: vcomp120.dll.9.dr
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\RenderEngine__8f3d5d\Bin\Win32\RenderEngine.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1804750875.00000000027C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp100.i386.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcr100.i386.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjPlayer.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1796289372.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\work\svn\client\PC_Client\AJTOOLS\run\RemoteConfig.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1833633290.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, RemoteConfig.dll.0.dr
Source: Binary string: vcomp120.i386.pdb source: vcomp120.dll.9.dr
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjRtspClientLib.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1823145898.00000000027CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SourceSvn\PC_Client\MP4V3\Release\MP4V3.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.0000000002B05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdbH source: vcredist_x86_vs2013_en.exe, 0000000C.00000002.2926774939.000000006F8B5000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb source: vcredist_x86_vs2013_en.exe, 0000000B.00000000.1991637937.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000003.2218361520.0000000000D04000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000002.2924261560.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000000.1993010547.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: d:\jk_win7\workspace\CBB_DH3.RD002483_PlaySDK_windows\code_path\Lib\Win32\vs2005shared\dhplay.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, dhplay.dll.0.dr
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb@E source: vcredist_x86_vs2013_en.exe, 0000000B.00000003.2218361520.0000000000D04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjRtspClientLib.pdbS source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1823145898.00000000027CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\PlayDiag__51c853\Bin\Win32\PlayDiag.pdb$ source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1803377811.00000000027C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\HWDec__8a78b8\Bin\Win32\HWDec.pdb1 source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1801581634.00000000027C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdia80.pdb source: msdia80.dll.9.dr
Source: Binary string: MFCM80.i386.pdb source: mfcm80.dll.9.dr
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjNetSdkDll.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1822168495.00000000027CA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\WinRenderD3D11\Release\WinRender.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1802654851.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjPlayer.pdb" source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1796289372.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdb source: vcredist_x86_vs2013_en.exe, 0000000C.00000002.2926774939.000000006F8B5000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\PlayDiag__51c853\Bin\Win32\PlayDiag.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1803377811.00000000027C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb@ source: vcredist_x86_vs2013_en.exe, 0000000B.00000000.1991637937.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000002.2924261560.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000000.1993010547.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\work\svn\client\PC_Client\AJTOOLS\run\AjDevTools.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1792969669.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, IPCTools.exe.0.dr
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_package\code_path\Main\Lib\Win32\vs2005shared\play.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1819295504.00000000028CA000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Code function: 0_2_00405B6C FindFirstFileW,FindClose,0_2_00405B6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Code function: 0_2_0040652D DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_0040652D
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe | Code function: 4_2_01002A96 FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,4_2_01002A96
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A68BE8 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose,11_2_00A68BE8
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A866A3 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,11_2_00A866A3
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A85710 _memset,FindFirstFileW,FindClose,11_2_00A85710
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 12_2_6F8AA685 _memset,FindFirstFileW,FindClose,12_2_6F8AA685
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A76994 InternetReadFile,WriteFile,WriteFile,GetLastError,GetLastError,11_2_00A76994
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1837159501.00000000027C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://%s/http://%s:%d//:HTTP:http:login.html?idChangeStream%d:%d-%d:%dselectedIndexevaltry
Source: dhplay.dll.0.dr | String found in binary or memory: http://10.6.5.2/svnpl/CODEC/PC/ADPCM/Trunk
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, dhplay.dll.0.dr | String found in binary or memory: http://10.6.5.2/svnpl/CODEC/PC/Audio_Codec/Audio_Mpeg2l2_Dec/Trunk
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, dhplay.dll.0.dr | String found in binary or memory: http://10.6.5.2/svnpl/CODEC/PC/Audio_Codec/Audio_Mpeg2l2_Dec/Trunkmalloc
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1819295504.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, dhplay.dll.0.dr | String found in binary or memory: http://10.6.5.2/svnpl/CODEC/PC/DEC_H26L/Trunk/H26L_Decoder_PC
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1819295504.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, dhplay.dll.0.dr | String found in binary or memory: http://10.6.5.2/svnpl/CODEC/PC/DEC_H26L/Trunk/H26L_Decoder_PCInput
Source: vcredist_x86_vs2013_en.exe, 0000000B.00000002.2923502909.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0X
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1792969669.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, IPCTools.exe.0.dr | String found in binary or memory: http://lame.sf.net
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1792969669.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, IPCTools.exe.0.dr | String found in binary or memory: http://lame.sf.net1.0LAME3.99rLAME3.99r53.99.5
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://sf.symcd.com0&
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcd.com0&
Source: vcredist_x86_vs2013_en.exe, 0000000C.00000002.2922751862.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000003.1994068009.000000000065D000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000002.2925469599.00000000029D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: dhplay.dll.0.dr | String found in binary or memory: http://www.audiocoding.com/)
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000002.2924137747.00000000006F3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1668617871.00000000027D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.icamra.com/
Source: vcredist_x86_vs2013_en.exe, 0000000B.00000002.2923502909.0000000000CE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/03
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_00404B88 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404B88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_10001A21 GetDlgCtrlID,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,SendMessageW,GlobalUnlock,CloseClipboard,CallWindowProcW,0_2_10001A21
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1804750875.00000000027C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DirectDrawCreateExmemstr_d4f6a812-6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_004033E9 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,0_2_004033E9
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_01002251 ExitWindowsEx,4_2_01002251
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_010019C3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,4_2_010019C3
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20d4.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2354.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2CEA.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926823.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926823.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_a4c618fa.manifest
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926823.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_a4c618fa.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926823.0\ATL80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86.manifest
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcr80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcp80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcm80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b.manifest
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80u.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80u.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789.manifest
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHS.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHT.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ESP.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ENU.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80DEU.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80FRA.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ITA.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80JPN.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80KOR.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927261.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927261.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_452bf920.manifest
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927261.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_452bf920.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927261.0\vcomp.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927276.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927276.0\8.0.50727.6195.policy
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927276.0\8.0.50727.6195.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927292.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927292.0\8.0.50727.6195.policy
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927292.0\8.0.50727.6195.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927308.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927308.0\8.0.50727.6195.policy
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927308.0\8.0.50727.6195.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927308.1
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927308.1\8.0.50727.6195.policy
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927308.1\8.0.50727.6195.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927323.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927323.0\8.0.50727.6195.policy
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927323.0\8.0.50727.6195.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20d7.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20d7.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20d8.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9838.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcamp120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcomp120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20db.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20db.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20dc.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9EB1.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120chs.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120cht.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120deu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120enu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120esn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120fra.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120ita.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120jpn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120kor.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120rus.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20df.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20df.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI2354.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_00406947
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_00404451
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_01008D30
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_01009548
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_01009982
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_010086B0
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_010089C7
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_010090EF
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: String function: 6F8AAFD3 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: String function: 00A8177A appears 60 times
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: String function: 00A7FA86 appears 653 times
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: String function: 00A7F6A2 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: String function: 00A8294E appears 460 times
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: String function: 6F8A10E3 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: String function: 00A8540B appears 73 times
Source: WEBConfig.dll.0.dr Static PE information: Resource name: None type: DOS executable (COM, 0x8C-variant)
Source: vcredist_x86_vs2005_en.exe.0.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 2629972 bytes, 2 files, at 0x2c +A "vcredis1.cab" +A "vcredist.msi", ID 2384, number 1, 93 datablocks, 0x1503 compression
Source: mfc80ITA.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc80JPN.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc80CHT.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120kor.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc80DEU.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120enu.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120esn.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120fra.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120ita.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc80ESP.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc80CHS.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc80FRA.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc80ENU.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120rus.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc80KOR.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120cht.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120deu.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120jpn.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120chs.dll.9.dr Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1856812722.00000000027CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.exe, vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1833633290.00000000027C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUCRemoteConfig.dll4 vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1819295504.00000000028CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1801581634.0000000002827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHWDec.dll< vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1855542496.00000000027CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.dll, vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1804750875.00000000027C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRenderEngine.dll: vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1802654851.00000000027C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinRender.dll: vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.00000000027C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WM/OriginalFilename vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.00000000027C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %sWM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptioncommentWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.00000000027C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp100.dll^ vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L"OriginalFilenamevcredist_x86.exe vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.0000000002D52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1837159501.0000000002A3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWEBConfig.dll4 vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: mfc120kor.dll.9.dr Static PE information: Section .rsrc
Source: mfc120enu.dll.9.dr Static PE information: Section .rsrc
Source: mfc120esn.dll.9.dr Static PE information: Section .rsrc
Source: mfc120fra.dll.9.dr Static PE information: Section .rsrc
Source: mfc120ita.dll.9.dr Static PE information: Section .rsrc
Source: mfc120rus.dll.9.dr Static PE information: Section .rsrc
Source: mfc120cht.dll.9.dr Static PE information: Section .rsrc
Source: mfc120deu.dll.9.dr Static PE information: Section .rsrc
Source: mfc120jpn.dll.9.dr Static PE information: Section .rsrc
Source: mfc120chs.dll.9.dr Static PE information: Section .rsrc
Source: classification engine Classification label: sus32.evad.winEXE@19/183@0/0
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_0100456A lstrcpyA,GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,GetLastError,FormatMessageA,GetVolumeInformationA,GetLastError,FormatMessageA,SetCurrentDirectoryA,SetCurrentDirectoryA,lstrcpynA,4_2_0100456A
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_010019C3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,4_2_010019C3
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A513BA GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,11_2_00A513BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_00403FDF GetDlgItem,SetWindowTextW,SHAutoComplete,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00403FDF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_00402218 CoCreateInstance,0_2_00402218
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_01004819 FindResourceA,LoadResource,DialogBoxIndirectParamA,FreeResource,4_2_01004819
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A6E774 ChangeServiceConfigW,GetLastError,11_2_00A6E774
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Users\Public\Desktop\IPCTools.lnk
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Users\user\AppData\Local\Temp\nsjBE03.tmp
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: vcredist_x86_vs2013_en.exe, 0000000B.00000003.2218884543.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000003.2221638313.0000000000D54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT `WixDependency`.`WixDependency`, `WixDependencyProvider`.`Component_`, `WixDependency`.`ProviderKey`, `WixDependency`.`MinVersion`, `WixDependency`.`MaxVersion`, `WixDependency`.`Attributes` FROM `WixDependencyProvider`, `WixDependency`, `WixDependencyRef` WHERE `WixDependency`.`WixDependency` = `WixDependencyRef`.`WixDependency_` AND `WixDependencyProvider`.`WixDependencyProvider` = `WixDependencyRef`.`WixDependencyProvider_`SELECT `WixDependencyProvider`.`WixDependencyProvider`, `WixDependencyProvider`.`Component_`, `WixDependencyProvider`.`ProviderKey`, `WixDependencyProvider`.`Attributes` FROM `WixDependencyProvider`Failed to ignored dependency "%ls" to the string dictionary.;Failed to create the string dictionary.Failed to get the string value of the IGNOREDEPENDENCIES property.IGNOREDEPENDENCIESUnknownFailed to set the dependency name "%ls" into the message record.Failed to set the dependency key "%ls" into the message record.The dependency "%ls" is missing or is not the required version.Found dependent "%ls", name: "%ls".Failed to set the number of dependencies into the message record.Failed to set the message identifier into the message record.Not enough memory to create the message record.wixdepca.cppUnexpected message response %d from user or bootstrapper application.Failed to create the dependency record for message %d.Failed to enumerate all of the rows in the dependency query view.Failed to get WixDependency.Attributes.Failed to get WixDependency.MaxVersion.Failed to get WixDependency.MinVersion.Failed to get WixDependency.ProviderKey.Failed to get WixDependencyProvider.Component_.Failed to get WixDependency.WixDependency.Failed dependency check for %ls.Skipping dependency check for %ls because the component %ls is not being (re)installed.Failed to open the query view for dependencies.Failed to initialize the unique dependency string list.Failed to check if the WixDependency table exists.Skipping the dependency check since no dependencies are authored.WixDependencyFailed to enumerate all of the rows in the dependency provider query view.Failed to get WixDependencyProvider.Attributes.Failed to get WixDependencyProvider.ProviderKey.Failed to get WixDependencyProvider.Component.Failed to get WixDependencyProvider.WixDependencyProvider.Failed dependents check for %ls.Skipping dependents check for %ls because the component %ls is not being uninstalled.Failed to open the query view for dependency providers.Failed to check if the WixDependencyProvider table exists.Skipping the dependents check since no dependency providers are authored.WixDependencyProviderSkipping the dependencies check since IGNOREDEPENDENCIES contains "ALL".Failed to check if "ALL" was set in IGNOREDEPENDENCIES.ALLFailed to get the ignored dependents.Failed to ensure required dependencies for (re)installing components.ALLUSERSFailed to initialize the registry functions.Failed to initialize.WixDependencyRequireFailed to ensure absent dependents for uninstalling com
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe ReversingLabs: Detection: 47%
Source: vcredist_x86_vs2013_en.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /F /IM IPCTools.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Process created: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /i vcredist.msi
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8341741E8479EC6D551F124E2FB1671E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Process created: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Process created: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe "C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe" -burn.unelevated BurnPipe.{A826652D-AFD8-40B6-84B0-7105BE434658} {ED4ADFC9-BDFE-4680-B562-A7A4CCF98333} 6952
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /F /IM IPCTools.exe /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Process created: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Process created: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /i vcredist.msi
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8341741E8479EC6D551F124E2FB1671E
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Process created: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe "C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe" -burn.unelevated BurnPipe.{A826652D-AFD8-40B6-84B0-7105BE434658} {ED4ADFC9-BDFE-4680-B562-A7A4CCF98333} 6952
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: advpack.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sxs.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: srclient.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: spp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: vssapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: vsstrace.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: usoapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: sxproxy.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: msisip.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: srpapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: tsappcmp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vss_ps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: IPCTools.lnk.0.dr LNK file: ..\..\..\Program Files (x86)\IPCTools\IPCTools\IPCTools.exe
Source: IPCTools.lnk0.0.dr LNK file: ..\..\..\..\..\..\..\Program Files (x86)\IPCTools\IPCTools\IPCTools.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File written: C:\Users\user\AppData\Local\Temp\nsoBE71.tmp\ioSpecial.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Automated click: I agree to the license terms and conditions
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Window detected: Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL C++ 2005 RUNTIME LIBRARIESThese license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any Microsoft* updates* supplements* Internet-based services and * support servicesfor this software unless other terms accompany those items. If so those terms apply.By using the software you accept these terms. If you do not accept them do not use the software.If you comply with these license terms you have the rights below.1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not* disclose the results of any benchmark tests of the software to any third party without Microsofts prior written approval;* work around any technical limitations in the software;* reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;* make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;* publish the software for others to copy;* rent lease or lend the software;* transfer the software or this agreement to any third party; or* use the software for commercial software hosting services.3. BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6. SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7. ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8. APPLICABLE LAW.a. United States. If you acquired the software in the United States Washington state law governs the interpre
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Window detected: MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL C++ REDISTRIBUTABLE FOR VISUAL STUDIO 2013 These license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any MicrosoftupdatessupplementsInternet-based services andsupport servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.IF YOU COMPLY WITH THESE LICENSE TERMS YOU HAVE THE PERPETUAL RIGHTS BELOW.1.INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2.SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may notdisclose the results of any benchmark tests of the software to any third party without Microsofts prior written approval;work around any technical limitations in the software;reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;publish the software for others to copy;rent lease or lend the software;transfer the software or this agreement to any third party; oruse the software for commercial software hosting services.3.BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4.DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5.EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6.SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7.ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8.APPLICABLE LAW.a.United States. If you acquired the software in the United States Washington state law governs the interpretation of this agreement and applies to claims for breach of it regardless of conflict of laws pri
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exeWindow detected: Number of UI elements: 19
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exeStatic PE information: certificate valid
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exeStatic file information: File size 22881736 > 1048576
Source: C:\Windows\System32\msiexec.exeFile opened: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcr80.dllJump to behavior
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\HWDec__8a78b8\Bin\Win32\HWDec.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1801581634.00000000027C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcm80.i386.pdb source: msvcm80.dll.9.dr
Source: Binary string: E:\WinRenderD3D11\Release\WinRender.pdbY source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1802654851.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdb source: vcredist_x86_vs2005_en.exe, vcredist_x86_vs2005_en.exe, 00000004.00000000.1885195627.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, vcredist_x86_vs2005_en.exe, 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixDepCA.pdb source: vcredist_x86_vs2013_en.exe, 0000000B.00000003.2218884543.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000003.2221638313.0000000000D54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SourceSvn\PC_Client\MP4V3\Release\MP4V3.pdb% source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.0000000002B05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\RenderEngine__8f3d5d\Bin\Win32\RenderEngine.pdbf source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1804750875.00000000027C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vcomp120.i386.pdb0' source: vcomp120.dll.9.dr
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\RenderEngine__8f3d5d\Bin\Win32\RenderEngine.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1804750875.00000000027C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp100.i386.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcr100.i386.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjPlayer.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1796289372.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\work\svn\client\PC_Client\AJTOOLS\run\RemoteConfig.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1833633290.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, RemoteConfig.dll.0.dr
Source: Binary string: vcomp120.i386.pdb source: vcomp120.dll.9.dr
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjRtspClientLib.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1823145898.00000000027CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SourceSvn\PC_Client\MP4V3\Release\MP4V3.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.0000000002B05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdbH source: vcredist_x86_vs2013_en.exe, 0000000C.00000002.2926774939.000000006F8B5000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb source: vcredist_x86_vs2013_en.exe, 0000000B.00000000.1991637937.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000003.2218361520.0000000000D04000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000002.2924261560.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000000.1993010547.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: d:\jk_win7\workspace\CBB_DH3.RD002483_PlaySDK_windows\code_path\Lib\Win32\vs2005shared\dhplay.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, dhplay.dll.0.dr
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb@E source: vcredist_x86_vs2013_en.exe, 0000000B.00000003.2218361520.0000000000D04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjRtspClientLib.pdbS source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1823145898.00000000027CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\PlayDiag__51c853\Bin\Win32\PlayDiag.pdb$ source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1803377811.00000000027C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\HWDec__8a78b8\Bin\Win32\HWDec.pdb1 source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1801581634.00000000027C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdia80.pdb source: msdia80.dll.9.dr
Source: Binary string: MFCM80.i386.pdb source: mfcm80.dll.9.dr
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjNetSdkDll.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1822168495.00000000027CA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\WinRenderD3D11\Release\WinRender.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1802654851.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjPlayer.pdb" source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1796289372.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdb source: vcredist_x86_vs2013_en.exe, 0000000C.00000002.2926774939.000000006F8B5000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\PlayDiag__51c853\Bin\Win32\PlayDiag.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1803377811.00000000027C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb@ source: vcredist_x86_vs2013_en.exe, 0000000B.00000000.1991637937.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000002.2924261560.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000000.1993010547.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\work\svn\client\PC_Client\AJTOOLS\run\AjDevTools.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1792969669.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, IPCTools.exe.0.dr
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_package\code_path\Main\Lib\Win32\vs2005shared\play.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1819295504.00000000028CA000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Code function: 0_2_00405B93 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405B93
Source: play.dll.0.dr | Static PE information: section name: .rodata
Source: vcredist_x86_vs2013_en.exe.0.dr | Static PE information: section name: .wixburn
Source: dhplay.dll.0.dr | Static PE information: section name: .rodata
Source: dhplay.dll.0.dr | Static PE information: section name: .rodata
Source: dhplay.dll.0.dr | Static PE information: section name: .ctors
Source: dhplay.dll.0.dr | Static PE information: section name: .dtors
Source: MP4V3.dll.0.dr | Static PE information: section name: .text.un
Source: MP4V3.dll.0.dr | Static PE information: section name: .eh_fram
Source: MP4V3.dll.0.dr | Static PE information: section name: .drectve
Source: 7z.dll.0.dr | Static PE information: section name: .sxdata
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A79B85 push ecx; ret 11_2_00A79B98
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 12_2_6F8AC354 pushad ; ret 12_2_6F8AC355
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 12_2_6F8AEE85 push ecx; ret 12_2_6F8AEE98
Source: msvcr100.dll.0.dr | Static PE information: section name: .text entropy: 6.90903234258047
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120chs.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120deu.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\HWDec.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80FRA.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120ita.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120cht.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80u.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File created: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\IPCTools.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80u.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\RenderEngine.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ITA.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\RemoteConfig.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHS.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\msvcr100.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80DEU.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\7z.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120fra.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80KOR.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\vcamp120.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162926823.0\ATL80.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120esn.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcr80.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ENU.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\msvcp100.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\AjNetSdkDll.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\WEBConfig.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80JPN.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File created: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Users\user\AppData\Local\Temp\nsoBE71.tmp\InstallOptions.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120rus.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927261.0\vcomp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\7z.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120kor.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ESP.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHT.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\PlayDiag.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\MP4V3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\AjRtspClientLib.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcm80.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2354.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\dhplay.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Users\user\AppData\Local\Temp\nsoBE71.tmp\LangDLL.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120jpn.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\AjPlayer.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcp80.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\vcomp120.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\play.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120enu.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\Program Files (x86)\IPCTools\IPCTools\WinRender.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120chs.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120deu.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80FRA.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120ita.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120cht.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80u.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120rus.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927261.0\vcomp.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80u.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120kor.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ESP.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHT.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ITA.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHS.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2354.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcm80.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80DEU.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120fra.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80KOR.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162926823.0\ATL80.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\vcamp120.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120jpn.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcp80.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120esn.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcr80.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ENU.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\vcomp120.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc120enu.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80JPN.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Code function: 0_2_10001E00 wsprintfW,lstrcpyW,GetPrivateProfileStringW,lstrcpyW,CharNextW,0_2_10001E00
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe | Code function: 4_2_010026E2 LocalFree,lstrcpyA,lstrcpyA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,wsprintfA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,wsprintfA,LocalAlloc,GetFileAttributesA,4_2_010026E2
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File created: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\license.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Source: C:\Windows\System32\SrTasks.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IPCTools
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IPCTools\IPCTools
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IPCTools\IPCTools\IPCTools.lnk
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {f65db027-aff3-4070-886a-0d87064aabb1}
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {f65db027-aff3-4070-886a-0d87064aabb1}
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {f65db027-aff3-4070-886a-0d87064aabb1}
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {f65db027-aff3-4070-886a-0d87064aabb1}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120chs.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120deu.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\HWDec.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80FRA.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120ita.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80u.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120cht.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\IPCTools.exe
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80u.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\RenderEngine.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ITA.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\RemoteConfig.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHS.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\msvcr100.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80DEU.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\7z.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120fra.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80KOR.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926823.0\ATL80.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\vcamp120.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120esn.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ENU.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcr80.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\msvcp100.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\WEBConfig.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\AjNetSdkDll.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80JPN.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsoBE71.tmp\InstallOptions.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120rus.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927261.0\vcomp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\7z.exe
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120kor.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ESP.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHT.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\PlayDiag.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\MP4V3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\AjRtspClientLib.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI2354.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcm80.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\dhplay.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsoBE71.tmp\LangDLL.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120jpn.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\AjPlayer.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcp80.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\vcomp120.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\play.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120enu.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\WinRender.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Evaded block: after key decision (3 identical rows)
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\SrTasks.exe TID: 1276 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 identical rows)
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A7F195 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00A7F236h
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A7F195 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00A7F22Fh
Note on the two GetLocalTime rows: the compared operand [ebp+08h] is the first stack argument of function 11_2_00A7F195, not a field of the SYSTEMTIME buffer that GetLocalTime fills, so this pattern by itself does not demonstrate a date-gated branch; inspect the function body before treating it as a time-based trigger.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | File Volume queried: C:\Program Files (x86) FullSizeInformation (2 identical rows)
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation (18 identical rows)
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File Volume queried: C:\Windows FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Code function: 0_2_00405B6C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Code function: 0_2_0040652D DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe | Code function: 4_2_01002A96 FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A68BE8 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A866A3 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A85710 _memset,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 12_2_6F8AA685 _memset,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe | Code function: 4_2_010052D4 lstrcpyA,lstrcpyA,GetSystemInfo,lstrcpyA,CreateDirectoryA,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL
Source: dhplay.dll.0.dr | Binary or memory string: bottombottomlefttoptopleftcenterleftunspecifiedbt2020cbt2020ncycgcofccgbrbt2020-20bt2020-10iec61966-2-1bt1361eiec61966-2-4log316log100linearbt2020filmsmpte240msmpte170mbt470bgbt470mbt709reservedpctvbayer_grbg16bebayer_grbg16lebayer_gbrg16bebayer_gbrg16lebayer_rggb16bebayer_rggb16lebayer_bggr16bebayer_bggr16lebayer_grbg8bayer_gbrg8bayer_rggb8bayer_bggr8yuvj411pgbrap16legbrap16begbrapgbrp14legbrp14begbrp12legbrp12beyuv444p14leyuv444p14beyuv444p12leyuv444p12beyuv422p14leyuv422p14beyuv422p12leyuv422p12beyuv420p14leyuv420p14beyuv420p12leyuv420p12beyuva422pyuva444pbgr00bgrrgb00rgbbgra64lebgra64bergba64lergba64beya16leya16bevdayvyu422nv20benv20lenv16xyz12bexyz12levdpauyuva444p16leyuva444p16beyuva422p16leyuva422p16beyuva420p16leyuva420p16beyuva444p10leyuva444p10beyuva422p10leyuva422p10beyuva420p10leyuva420p10beyuva444p9leyuva444p9beyuva422p9leyuva422p9beyuva420p9leyuva420p9begbrp16legbrp16begbrp10legbrp10begbrp9legbrp9begbrpvda_vldyuv422p9leyuv422p9beyuv444p10leyuv444p10beyuv444p9leyuv444p9beyuv422p10leyuv422p10beyuv420p10leyuv420p10beyuv420p9leyuv420p9bebgr48lebgr48begray8aya8bgr444bebgr444lergb444bergb444ledxva2_vldvdpau_mpeg4yuv444p16beyuv444p16leyuv422p16beyuv422p16leyuv420p16beyuv420p16levaapi_vldvaapi_idctvaapi_mocobgr555lebgr555bebgr565lebgr565bergb555lergb555bergb565lergb565bergb48lergb48bevdpau_vc1vdpau_wmv3vdpau_mpeg2vdpau_mpeg1vdpau_h264yuvj440py16ley16beabgrrgbargb4_bytebgr4_bytexvmcidctxvmcmcpal8monobmonowgray8,y8gray
Source: SrTasks.exe, 00000013.00000003.2312940027.000002414544E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: SrTasks.exe, 00000013.00000003.2307151382.0000024145463000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b
Source: SrTasks.exe, 00000013.00000003.2307151382.0000024145463000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:\
Source: dhplay.dll.0.dr | Binary or memory string: xvmcidct
Source: SrTasks.exe, 00000013.00000003.2312940027.000002414544E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:88
Source: SrTasks.exe, 00000013.00000002.2315131839.0000024145463000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:!!
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1819295504.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bottombottomlefttoptopleftcenterleftunspecifiedbt2020cbt2020ncycgcofccgbrbt2020-20bt2020-10iec61966-2-1bt1361eiec61966-2-4log316log100linearbt2020filmsmpte240msmpte170mbt470bgbt470mbt709reservedpctvbayer_grbg16bebayer_grbg16lebayer_gbrg16bebayer_gbrg16lebayer_rggb16bebayer_rggb16lebayer_bggr16bebayer_bggr16lebayer_grbg8bayer_gbrg8bayer_rggb8bayer_bggr8yuvj411pgbrap16legbrap16begbrapgbrp14legbrp14begbrp12legbrp12beyuv444p14leyuv444p14beyuv444p12leyuv444p12beyuv422p14leyuv422p14beyuv422p12leyuv422p12beyuv420p14leyuv420p14beyuv420p12leyuv420p12beyuva422pyuva444pbgr00bgrrgb00rgbbgra64lebgra64bergba64lergba64beya16leya16bevdayvyu422nv20benv20lenv16xyz12bexyz12levdpauyuva444p16leyuva444p16beyuva422p16leyuva422p16beyuva420p16leyuva420p16beyuva444p10leyuva444p10beyuva422p10leyuva422p10beyuva420p10leyuva420p10beyuva444p9leyuva444p9beyuva422p9leyuva422p9beyuva420p9leyuva420p9begbrp16legbrp16begbrp10legbrp10begbrp9legbrp9begbrpvda_vldyuv422p9leyuv422p9beyuv444p10leyuv444p10beyuv444p9leyuv444p9beyuv422p10leyuv422p10beyuv420p10leyuv420p10beyuv420p9leyuv420p9bebgr48lebgr48begray8aya8bgr444bebgr444lergb444bergb444ledxva2_vldvdpau_mpeg4yuv444p16beyuv444p16leyuv422p16beyuv422p16leyuv420p16beyuv420p16levaapi_vldvaapi_idctvaapi_mocobgr555lebgr555bebgr565lebgr565bergb555lergb555bergb565lergb565bergb48lergb48bevdpau_vc1vdpau_wmv3vdpau_mpeg2vdpau_mpeg1vdpau_h264yuvj440py16ley16beabgrrgbargb4_bytebgr4_bytexvmcidctxvmcmcpal8monobmonowgray8,y8gray`it
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.00000000027C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: yuv420pyuyv422rgb24bgr24yuv422pyuv444pyuv410pyuv411pgraygray8,y8monowmonobpal8yuvj420pyuvj422pyuvj444pxvmcmcxvmcidctuyvy422uyyvyy411bgr8bgr4bgr4_bytergb8rgb4rgb4_bytenv12nv21argbabgrgray16bey16begray16ley16leyuv440pyuvj440pyuva420pvdpau_h264vdpau_mpeg1vdpau_mpeg2vdpau_wmv3vdpau_vc1rgb48bergb48lergb565bergb565lergb555bergb555lebgr565bebgr565lebgr555bebgr555levaapi_mocovaapi_idctvaapi_vldyuv420p16leyuv420p16beyuv422p16leyuv422p16beyuv444p16leyuv444p16bevdpau_mpeg4dxva2_vldrgb444lergb444bebgr444lebgr444beya8gray8abgr48bebgr48leyuv420p9beyuv420p9leyuv420p10beyuv420p10leyuv422p10beyuv422p10leyuv444p9beyuv444p9leyuv444p10beyuv444p10leyuv422p9beyuv422p9levda_vldgbrpgbrp9begbrp9legbrp10begbrp10legbrp16begbrp16leyuva422pyuva444pyuva420p9beyuva420p9leyuva422p9beyuva422p9leyuva444p9beyuva444p9leyuva420p10beyuva420p10leyuva422p10beyuva422p10leyuva444p10beyuva444p10leyuva420p16beyuva420p16leyuva422p16beyuva422p16leyuva444p16beyuva444p16levdpauxyz12lexyz12benv16nv20lenv20bergba64bergba64lebgra64bebgra64leyvyu422vdaya16beya16legbrapgbrap16begbrap16leqsvmmald3d11va_vld0rgbrgb00bgrbgr0yuv420p12beyuv420p12leyuv420p14beyuv420p14leyuv422p12beyuv422p12leyuv422p14beyuv422p14leyuv444p12beyuv444p12leyuv444p14beyuv444p14legbrp12begbrp12legbrp14begbrp14leyuvj411pbayer_bggr8bayer_rggb8bayer_gbrg8bayer_grbg8bayer_bggr16lebayer_bggr16bebayer_rggb16lebayer_rggb16bebayer_gbrg16lebayer_gbrg16bebayer_grbg16lebayer_grbg16beyuv440p10leyuv440p10beyuv440p12leyuv440p12beayuv64leayuv64bevideotoolbox_vldp010lep010be
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.00000000027C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Screen Codec / VMware Video
Note on the strings above: SrTasks.exe (the Windows System Protection background task host) is started from the graph's Start node independently of the sample, and the SCSI#CdRom&Ven_NECVMWar device path in its memory is the analysis VM's own CD-ROM volume identifier, not a value the sample looked up. The long runs of pixel-format names (yuv420p, xvmcidct, vdpau_h264, ...) are libavutil AVPixelFormat names carried by the bundled FFmpeg-based player library (dhplay.dll), and "VMware Screen Codec / VMware Video" is FFmpeg's description string for its VMNC decoder; these come from decoder tables, not from hypervisor-fingerprinting code in the sample.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | API call chain: ExitProcess graph end node (2 identical rows)
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A7A0AC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Code function: 0_2_00405B93 GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A8233B GetProcessHeap,RtlAllocateHeap
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe | Code function: 4_2_010064DE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A7A0AC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A78A42 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A77EAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 12_2_6F8AC9C1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 12_2_6F8AB88C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /F /IM IPCTools.exe /T
Note on the taskkill row: IPCTools.exe is the program this installer drops under C:\Program Files (x86)\IPCTools (see the dropped-file list); /F /T force-terminates any running instance together with its child processes before the files are overwritten.
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A82B14 _memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe | Code function: 4_2_01001760 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1837159501.00000000027C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndIDS_DEV_HEARTBEAT_TIP%04d-%02d:%02d %02d:%02d:%02d%d-%d-%d %d:%d:%dERR_DEV_NOT_LOGINERR_DEV_NOT_CONNECTEDERR_IS_STARTAUDIO_ERRORIP_NET_DVR_StartVoiceComERR_NOT_FIND_DEVICEIP_NET_DVR_StartTalkERR_OPEN_AUDIOCAPTURE_FAILEncodeTypeSampleRateAudioplayer.html?noneplaybackli_idOnChangeStoreDevice%s;expires=Sun,22-Feb-2099 00:00:00 GMT?:\OnChangeAbilityInfoHiddenAdvPtzActionctrl_versionscfLoginl1tyl1tmOnPresetListChange#Call_PresetListChkBoxDel_PresetListChkBoxERR_AUDIO_PARAM_ERRORERR_NOT_STARTTALK_MODE_ERRORIP_NET_DVR_AddTalkhttp://%s/http://%s:%d//:HTTP:http:login.html?idChangeStream%d:%d-%d:%dselectedIndexevaltry{document.getElementById('cfgli_id').style.display='none';}catch(eevv){}scfRealEventnStreamTypePlayRealVideo&t=%dselectedIndexidChangeStreamm_pBrowserApp->ExecWB return code=0x%x===>>[%s:%d] scale=%d<<===CPlayerDlg::SetZoomValue<xml><cmd>setpreset</cmd><preset>%s</preset><flag>1</flag></xml><xml>
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Queries volume information: C:\ VolumeInformation (2 identical rows)
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation (3 identical rows)
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\logo.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A535A5 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,CreateNamedPipeW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe | Code function: 4_2_0100646B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A59A5A GetUserNameW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Code function: 11_2_00A87D79 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Code function: 0_2_0040609E GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (2 identical rows)
MITRE ATT&CK matrix. Techniques matched by this analysis carry their signature count in parentheses; the remaining entries are the unmatched cells of the matrix, listed per tactic in the order the matrix shows them.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation (11); Native API (4); Command and Scripting Interpreter (2); Service Execution (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading (1); Windows Service (21); Registry Run Keys / Startup Folder (11); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (21); Process Injection (3); Registry Run Keys / Startup Folder (11); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1); DLL Side-Loading (1); File Deletion (1); Masquerading (22); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (3); Rundll32 (1)
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (12); Peripheral Device Discovery (11); Account Discovery (1); File and Directory Discovery (4); System Information Discovery (18); Security Software Discovery (131); Virtualization/Sandbox Evasion (1); Process Discovery (2); System Owner/User Discovery (1); Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Input Capture (1); Clipboard Data (2); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (2); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph ID: 1467853 | Sample: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | Startdate: 04/07/2024 | Architecture: WINDOWS | Score: 32

Signatures attached to the Start node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file

Process tree reconstructed from the graph's "started" and "dropped" edges (node ids as in the graph; the numbers after a process are the graph's counters of created registry values and created files, reproduced as exported):

Start (node 2)
  SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe (node 8, counters: 95)
    dropped: C:\Users\user\...\vcredist_x86_vs2005_en.exe, PE32
    dropped: C:\Program Files (x86)\IPCTools\...\play.dll, PE32
    dropped: C:\Program Files (x86)\...\msvcr100.dll, PE32
    dropped: 18 other files (7 malicious)
    vcredist_x86_vs2013_en.exe (node 17, counters: 36 18)
      dropped: C:\ProgramData\...\vcredist_x86.exe, PE32
      vcredist_x86_vs2013_en.exe (node 28)
        dropped: C:\Users\user\AppData\...\vcredist_x86.exe, PE32
        dropped: C:\Users\user\AppData\Local\...\wixstdba.dll, PE32
    taskkill.exe (node 20, counters: 1)
      conhost.exe (node 31)
        conhost.exe (node 35)
    vcredist_x86_vs2005_en.exe (node 22, counters: 1 4)
      msiexec.exe (node 33, counters: 5)
  msiexec.exe (node 11, counters: 423 135)
    dropped: C:\Windows\WinSxS\InstallTemp\...\vcomp.dll, PE32
    dropped: C:\Windows\WinSxS\...\mfc80KOR.dll, PE32
    dropped: C:\Windows\WinSxS\...\mfc80JPN.dll, PE32
    dropped: 29 other files (none is malicious)
    msiexec.exe (node 24)
  SrTasks.exe (node 13)
    conhost.exe (node 26)
  rundll32.exe (node 15)
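The behavior graph is exported by the sandbox page as a flat edge list ("8 name 2->8 started", "39 path, PE32 8->39 dropped") rather than as a tree, and the first things an analyst wants from it are the process ancestry of a given node and which processes actually wrote files. The script below is an added example and is not part of the Joe Sandbox report or of the tool's API: it parses an excerpt of that edge list copied from this page (embedded as GRAPH_TEXT), rebuilds the tree, and answers both questions. The regular expressions, the assumption that node 2 is the Start node, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt of this report's behavior-graph text. Each line is
# "<node id> <image or file description> [counters...] <parent>-><node> started|dropped".
# Node 2 is the graph's Start node (assumption taken from the graph header).
GRAPH_TEXT = r"""
8 SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe 95 2->8 started
11 msiexec.exe 423 135 2->11 started
13 SrTasks.exe 2->13 started
15 rundll32.exe 2->15 started
39 C:\Users\user\...\vcredist_x86_vs2005_en.exe, PE32 8->39 dropped
41 C:\Program Files (x86)\IPCTools\...\play.dll, PE32 8->41 dropped
43 C:\Program Files (x86)\...\msvcr100.dll, PE32 8->43 dropped
51 18 other files (7 malicious) 8->51 dropped
17 vcredist_x86_vs2013_en.exe 36 18 8->17 started
20 taskkill.exe 1 8->20 started
22 vcredist_x86_vs2005_en.exe 1 4 8->22 started
45 C:\Windows\WinSxS\InstallTemp\...\vcomp.dll, PE32 11->45 dropped
53 29 other files (none is malicious) 11->53 dropped
24 msiexec.exe 11->24 started
26 conhost.exe 13->26 started
37 C:\ProgramData\...\vcredist_x86.exe, PE32 17->37 dropped
28 vcredist_x86_vs2013_en.exe 17->28 started
31 conhost.exe 20->31 started
33 msiexec.exe 5 22->33 started
55 C:\Users\user\AppData\...\vcredist_x86.exe, PE32 28->55 dropped
57 C:\Users\user\AppData\Local\...\wixstdba.dll, PE32 28->57 dropped
35 conhost.exe 31->35 started
"""

START_NODE = 2
# A process line: id, image name (no spaces), optional numeric counters, then the edge.
START_RE = re.compile(r"^(\d+)\s+(\S+)(?:\s+\d+)*\s+(\d+)->(\d+)\s+started$")
# A dropped-file line: id, free-text description (may contain spaces), then the edge.
DROP_RE = re.compile(r"^(\d+)\s+(.+?)\s+(\d+)->(\d+)\s+dropped$")


def parse_graph(text):
    """Return (procs, children, drops): node id -> image name, parent id -> child
    process ids in graph order, parent id -> dropped-file descriptions."""
    procs, children, drops = {}, defaultdict(list), defaultdict(list)
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = START_RE.match(line)
        if m:
            node, name, parent, child = int(m[1]), m[2], int(m[3]), int(m[4])
            if node != child:  # the leading id and the edge target must agree
                raise ValueError(f"node id {node} does not match edge target {child}: {line}")
            procs[node] = name
            children[parent].append(node)
            continue
        m = DROP_RE.match(line)
        if m:
            drops[int(m[3])].append(m[2])
    return procs, dict(children), dict(drops)


def ancestry(procs, children, node):
    """Image names from the first process under Start down to `node`."""
    parents = {c: p for p, kids in children.items() for c in kids}
    chain = []
    while node in procs:
        chain.append(procs[node])
        node = parents.get(node, START_NODE)
    return chain[::-1]


def render_tree(procs, children, drops, node=START_NODE, depth=0):
    """Indented process tree with each process's dropped files beneath it."""
    lines = []
    for child in children.get(node, []):
        lines.append("  " * depth + f"{procs[child]} (node {child})")
        for desc in drops.get(child, []):
            lines.append("  " * (depth + 1) + "dropped: " + desc)
        lines.extend(render_tree(procs, children, drops, child, depth + 1))
    return lines


def droppers(procs, drops):
    """Image name -> number of dropped-file entries, summed over all nodes with that name."""
    counts = defaultdict(int)
    for node, descs in drops.items():
        counts[procs[node]] += len(descs)
    return dict(counts)


if __name__ == "__main__":
    procs, children, drops = parse_graph(GRAPH_TEXT)
    print("\n".join(render_tree(procs, children, drops)))
    print("ancestry of node 35:", " > ".join(ancestry(procs, children, 35)))
    print("files dropped per image:", droppers(procs, drops))
```

Running the script prints the tree and shows, for instance, that both conhost.exe instances under node 20 descend from the sample through taskkill.exe, and that only three of the images in the graph (the sample, msiexec.exe node 11 and the two vcredist_x86_vs2013_en.exe nodes) write files at all.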

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | 47% | ReversingLabs | Win32.Adware.RedCap |
SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | 100% | Avira | TR/Redcap.mmhzp |
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\7z.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\7z.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\AjNetSdkDll.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\AjPlayer.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\AjRtspClientLib.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\HWDec.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\IPCTools.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\MP4V3.dll | 2% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\PlayDiag.dll | 38% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\RemoteConfig.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\RenderEngine.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\WEBConfig.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\WinRender.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\dhplay.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\msvcp100.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\msvcr100.dll | 3% | ReversingLabs | |
C:\Program Files (x86)\IPCTools\IPCTools\play.dll | 0% | ReversingLabs | |
C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsoBE71.tmp\InstallOptions.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsoBE71.tmp\LangDLL.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe | 0% | ReversingLabs | |
C:\Windows\Installer\MSI2354.tmp | 0% | ReversingLabs | |
C:\Windows\SysWOW64\mfc120chs.dll | 0% | ReversingLabs | |
C:\Windows\SysWOW64\mfc120cht.dll | 0% | ReversingLabs | |
C:\Windows\SysWOW64\mfc120deu.dll | 0% | ReversingLabs | |
C:\Windows\SysWOW64\mfc120enu.dll | 0% | ReversingLabs | |
C:\Windows\SysWOW64\mfc120esn.dll | 0% | ReversingLabs | |
C:\Windows\SysWOW64\mfc120fra.dll | 0% | ReversingLabs | |
C:\Windows\SysWOW64\mfc120ita.dll | 0% | ReversingLabs | |
C:\Windows\SysWOW64\mfc120jpn.dll | 0% | ReversingLabs | |
C:\Windows\SysWOW64\mfc120kor.dll | 0% | ReversingLabs | |
C:\Windows\SysWOW64\mfc120rus.dll | 0% | ReversingLabs | |
C:\Windows\SysWOW64\vcamp120.dll | 0% | ReversingLabs | |
C:\Windows\SysWOW64\vcomp120.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162926823.0\ATL80.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcm80.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcp80.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcr80.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80u.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80u.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHS.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHT.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80DEU.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ENU.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ESP.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80FRA.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ITA.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80JPN.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80KOR.dll | 0% | ReversingLabs | |
C:\Windows\WinSxS\InstallTemp\20240704162927261.0\vcomp.dll | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.symauth.com/rpa00 | 0% | URL Reputation | safe |
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
http://www.symauth.com/cps0( | 0% | URL Reputation | safe |
http://10.6.5.2/svnpl/CODEC/PC/Audio_Codec/Audio_Mpeg2l2_Dec/Trunk | 0% | Avira URL Cloud | safe |
http://lame.sf.net1.0LAME3.99rLAME3.99r53.99.5 | 0% | Avira URL Cloud | safe |
http://10.6.5.2/svnpl/CODEC/PC/ADPCM/Trunk | 0% | Avira URL Cloud | safe |
http://10.6.5.2/svnpl/CODEC/PC/DEC_H26L/Trunk/H26L_Decoder_PC | 0% | Avira URL Cloud | safe |
http://%s/http://%s:%d//:HTTP:http:login.html?idChangeStream%d:%d-%d:%dselectedIndexevaltry | 0% | Avira URL Cloud | safe |
http://wixtoolset.org/schemas/thmutil/2010 | 0% | Avira URL Cloud | safe |
http://lame.sf.net | 0% | Avira URL Cloud | safe |
http://www.audiocoding.com/) | 0% | Avira URL Cloud | safe |
http://www.icamra.com/ | 0% | Avira URL Cloud | safe |
http://10.6.5.2/svnpl/CODEC/PC/Audio_Codec/Audio_Mpeg2l2_Dec/Trunkmalloc | 0% | Avira URL Cloud | safe |
http://10.6.5.2/svnpl/CODEC/PC/DEC_H26L/Trunk/H26L_Decoder_PCInput | 0% | Avira URL Cloud | safe |
http://www.microsoft. | 0% | Avira URL Cloud | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://10.6.5.2/svnpl/CODEC/PC/ADPCM/Trunk | dhplay.dll.0.dr | false | Avira URL Cloud: safe | unknown
http://10.6.5.2/svnpl/CODEC/PC/Audio_Codec/Audio_Mpeg2l2_Dec/Trunk | SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, dhplay.dll.0.dr | false | Avira URL Cloud: safe | unknown
http://lame.sf.net | SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1792969669.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, IPCTools.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://www.icamra.com/ | SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000002.2924137747.00000000006F3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1668617871.00000000027D8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://10.6.5.2/svnpl/CODEC/PC/Audio_Codec/Audio_Mpeg2l2_Dec/Trunkmalloc | SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, dhplay.dll.0.dr | false | Avira URL Cloud: safe | unknown
http://wixtoolset.org/schemas/thmutil/2010 | vcredist_x86_vs2013_en.exe, 0000000C.00000002.2922751862.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000003.1994068009.000000000065D000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000002.2925469599.00000000029D0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://%s/http://%s:%d//:HTTP:http:login.html?idChangeStream%d:%d-%d:%dselectedIndexevaltry | SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1837159501.00000000027C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://10.6.5.2/svnpl/CODEC/PC/DEC_H26L/Trunk/H26L_Decoder_PC | SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1819295504.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, dhplay.dll.0.dr | false | Avira URL Cloud: safe | unknown
http://www.symauth.com/rpa00 | SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.audiocoding.com/) | dhplay.dll.0.dr | false | Avira URL Cloud: safe | unknown
http://lame.sf.net1.0LAME3.99rLAME3.99r53.99.5 | SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1792969669.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, IPCTools.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://www.microsoft. | vcredist_x86_vs2013_en.exe, 0000000B.00000002.2923502909.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe | false | URL Reputation: safe | unknown
http://10.6.5.2/svnpl/CODEC/PC/DEC_H26L/Trunk/H26L_Decoder_PCInput | SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1819295504.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, dhplay.dll.0.dr | false | Avira URL Cloud: safe | unknown
http://www.symauth.com/cps0( | SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1467853
Start date and time:2024-07-04 22:28:08 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 8m 5s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes:22
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Detection:SUS
Classification:sus32.evad.winEXE@19/183@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 182
  • Number of non-executed functions: 235
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, VSSVC.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • VT rate limit hit for: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Time | Type | Description
16:29:52 | API Interceptor | 30x Sleep call for process: SrTasks.exe modified
No context
No context
No context
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll | zero.sfx.exe | | malicious | Unknown | |
C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll | zero.sfx.exe | | malicious | Hidden Macro 4.0, Masscan | |
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):75555
      Entropy (8bit):5.588081104201739
      Encrypted:false
      SSDEEP:768:QAm2Cr7m60AQfAF++AjCjR5QmozU+nj2EXSqYRzh/ieCuLwA:Lmf7mBAgJ+AjCjR5Qmo32ECh5
      MD5:2F74F833D46DAAD5966EF7F5E500DC8C
      SHA1:53CDAD9E4EDF7196DF24F5642A57729FAC4CBEC0
      SHA-256:FB1C7A056767118DC02915600533DE971E3E198C971D2BC2A6F1FF8BD536F698
      SHA-512:5BD6DFA0380F8623EC36E46353D7F7BC0428E35D3A8F335F400F28BF6BE8E9B3672EABDF79576FA59B6B489DD8668D579F00449A28FF861DF2AC64B815603E3D
      Malicious:false
      Reputation:low
      Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}).Microsoft Visual C++ 2005 Redistributable..vcredist.msi.@.....@I....@.....@........&.{31076048-5B7B-4476-ABF0-15989228CB90}.....@.....@.....@.....@.......@.....@.....@.......@....).Microsoft Visual C++ 2005 Redistributable......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{A49F249F-0C91-497F-86DF-B2585E8E76B7}&.{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}.@......&.{EC50BE77-3064-11D5-A54A-0090278A1BB8}&.{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}.@......&.{946F6004-4E08-BCAB-E01F-C8B3B9A1E18E}&.{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}.@......&.{97F81AF1-0E47-DC99-A01F-C8B3B9A1E18E}&.{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}.@......&.{435421DE-102C-D1CB-C01F-C8B3B9A1E18E}&.{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}.@......&.{435421DE-102C-D1CB-B01F-C8B3B9A1E18E}&.{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}.@......&.
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):14057
      Entropy (8bit):5.489917813518996
      Encrypted:false
      SSDEEP:192:pdEDaVRVKBWYkGMFEpbpeRdkRI6AkIVikRI6AkyVBDEHot42npNaeX:pzHQHNJ
      MD5:C028FF6761223AA0CAAD1DF42C1E46D4
      SHA1:301D7815E22393CBA6ED33C703195396AFC63E66
      SHA-256:B9FAD99A24A05F910A76568A5FBA540B019813E4E94207AB14F67FF8A7D20801
      SHA-512:D97002DC25ACD0CE23B7EEF700F8F8BCF0254E1A74B040E0BBF04672CFA88AC6CC2310EB3814960CFF1A02B90A4467BD3E0D9E1395C307940DBA76396E2F5527
      Malicious:false
      Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}:.Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005..vc_runtimeMinimum_x86.msi.@.....@.R...@.....@........&.{E9934153-EAB1-4DA6-AA72-86C8BB1EDF2C}.....@.....@.....@.....@.......@.....@.....@.......@....:.Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{FE80AAC7-9373-345B-8C89-01D4359338F8}&.{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}.@......&.{0835C947-D6D2-4E52-AF14-0231D04E88EA}&.{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}.@......&.{74260D9F-D644-423B-B2D4-0291EA4BA8BE}&.{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}.@......&.{63B83B20-1AB9-4F49-B0B2-4489724CA96C}&.{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}.@......&.{E08DC543-ADA7-466B-B629-CE908DD9BDE3}&.{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}.@......&.{1A7754D3-744B-439A-B284-BD7A1C24FCFA}&.{
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):20505
      Entropy (8bit):5.350668619476107
      Encrypted:false
      SSDEEP:384:pz4VaeqQi1qb3k/CogAAl4f92jY0E1iKCy/v7NfkFTrqfkFTReEfvc:pt2jY0E1iKCk5d
      MD5:9F7B3993E4214C9ABD1E457C4EFFE9E0
      SHA1:5FFD522406566E85C82F756BDDA5706F1E9541E2
      SHA-256:69927B1B06662CDAE0ACF0450C1DDE85F5BD3FC8D750DAF0CB03CDE3ED0C4EB8
      SHA-512:593065FEDE0AFCADC1CE4184F85A2059745C35BCCBA8A75D3AFCE46B1913AA8F30BD6163E71C33C7742806B316754D653FF712BE5502E7A15B6AD07D67EA1C8B
      Malicious:false
      Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}=.Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005..vc_runtimeAdditional_x86.msi.@.....@.R...@.....@........&.{5703FD24-BF2D-4D14-AB2F-E415A0361E63}.....@.....@.....@.....@.......@.....@.....@.......@....=.Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{1D481A21-C43F-38B9-B0D1-E090FD2D2643}&.{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}.@......&.{7EA36934-F736-408F-BD04-A2A710E04773}&.{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}.@......&.{B5B46CD9-9426-401F-9C3B-646807EFE00B}&.{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}.@......&.{D4263C2B-DA4A-4000-A8E0-4BE8E46A9A3C}&.{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}.@......&.{271E5C92-3536-4282-9ABF-449A91B8C2D7}&.{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}.@......&.{8E4244B1-6F8F-4EA0-AC6A-346DE7C
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):641536
      Entropy (8bit):6.504376756975137
      Encrypted:false
      SSDEEP:12288:oSzVBMKcyU7EgA7cgys3UEv1ychglgDApuMaP8888888K:NBMKcyUEgEcqv1/1
      MD5:FF2511D54E4D2886C91B86CBD8F963FE
      SHA1:C7B1581DFEBEB65F01C09F61612F8AC3EAC9E525
      SHA-256:2C641445E916A49481ACBCF4DD6B9C1B2B0BD8B49CF9849A525E295D045559B5
      SHA-512:5D70C00C8DF26CB96EDF4667B4839D65F7195BD0BEF68ECBED911CA17B71CB528C59EC624D6D588FE16F78FD90D8F43B874354CBE4E64D1CF6CBB21CD864C3C9
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Joe Sandbox View:
      • Filename: zero.sfx.exe, Detection: malicious, Browse
      • Filename: zero.sfx.exe, Detection: malicious, Browse
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>...z...z...z....N.~....L.y...z......]Kl.b....Io.{...]Kk.{...]K|....]K......]Km.{...]Ki.{...Richz...................PE..L......M...........!.....J..........!\.......`.......................................4...............................W.......M..(............................p..xf..P...................................@...................dK.......................text....H.......J.................. ..`.data...|J...`...&...N..............@....rsrc................t..............@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):941568
      Entropy (8bit):6.487811366250389
      Encrypted:false
      SSDEEP:24576:YBB6ZgFrIvD3zx0j2ZirQbEl5fnRrn7D8a7Eng:/gd0zG6ZifXRrn7oaQn
      MD5:AECEF77725F3EE0B84B6B8046EFE5AC0
      SHA1:EE72EBED1D5DB6B4B15CC5D31676AA5F17C8F5F8
      SHA-256:0548B55F7E6A4BB4C46D18D07C94EAA8675E88AE51458524AB1B3DF1711245DE
      SHA-512:13F912BB91886A89882F8802DFFA3C7B302707D112BBE5C8DE1FCE8D615AB1433B6EC1AF07B15133FBD099E67CCC2194A7A82200DB877CC34CF12D4A711939DE
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$r.A`.i.`.i.`.i...b.c.i...g.i.i...c.d.i...m.b.i...6.a.i.`.h...i...4.g.i.V5b...i..e..A.i..e..b.i...o.a.i..3m.a.i.Rich`.i.........................PE..L.....M...........!.........(......................................................................................P.......t...d........{...................`..@v......................................................L............................text.............................. ..`.rdata..Bi.......j..................@..@.data...P........\..................@....sxdata..............V..............@....rsrc....{.......|...X..............@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):168448
      Entropy (8bit):6.272895011985698
      Encrypted:false
      SSDEEP:3072:g20Ig0skKCnPiF2YuVvF193D17UCT1WxXG4JZHyL9AktY7+JJcfw:bA0sfCy2Ddp7h1KXJZHMtY7Og
      MD5:A1EFCEDC97C76B356F7FFA7CF909D733
      SHA1:8FBE4A34D3AFEBB12314207DF657993350ED2778
      SHA-256:34054651DA2B197A040B1906B3C28D52F136C62676F1BF0B967C1FAB7B2156CA
      SHA-512:CA5C5614EF246C7B9A901D2F03D6CA4EE31E54A7FBFED226F35C1DE62337D7F4755E9E8DEFC958D373D4C51D7C0541833A87892ADDDDE41C0B66BF0AD4EA7FF8
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................................!.....T.......Rich............PE..L...I..M........../.................&.............@..........................................................................i..x....... ............................................................................................................text............................... ..`.rdata..ld.......f..................@..@.data....G.......&...h..............@....rsrc... ...........................@..@................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):997376
      Entropy (8bit):6.789321281205287
      Encrypted:false
      SSDEEP:24576:rA4fdsOqHzc5Ka7uFEaSXzBkVIWBBygB52jZAwM+fcIwU:E4fT0LikVBgjZAQfcIwU
      MD5:E038F147718CEE1A5B138318C3F5CD2F
      SHA1:86CC269219BA4E8F469486FA0D6B52CE0DD88E43
      SHA-256:AF6BA9E8BCF890B22E8A0F45ED75D91D9E172B43AA982BC0720999612169C20A
      SHA-512:9B3D9642F03E2EC8A92EAEC476CEA5ABE9EB32049E546A9313C7CA31FD278EBE4F0402F9DF01BCEEC580D326027177EBE5F04E00E795066F931E7C5B9A84BA72
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......e:O.![!.![!.![!..x<. [!..x8.#[!...L.,[!.(#.. [!.(#..([!.(#..:[!.![ .1Y!....%[!.,....[!.,....[!.,....[!.g...n[!......[!..... [!.,... [!..... [!.Rich![!.........PE..L....w.f...........!.................<....................................................@..............................'..d............J...................@..\.......8............................)..@............................................text............................... ..`.rdata..............................@..@.data...............................@....rsrc....J.......L...f..............@..@.reloc..\....@......................@..B........................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):2887680
      Entropy (8bit):6.723865933377022
      Encrypted:false
      SSDEEP:49152:nfwugFTS8tR+uBV3eHQl4blmw/ldpgEH8jREJpHnTRKpGiTsVZc/:nfwugFTS8LTBBeHq4ow/ldpr8REJpHnP
      MD5:8D205BE03CF4333D6F8B62C298A9EB20
      SHA1:2D9E6000663C08F7DF0E24F12511157D6DDEF35C
      SHA-256:F5A975915C2C89B9C5C004B541532E9EA5785A53328C2804BB6E0A414911E896
      SHA-512:2C85F4031604E4FB99B9484A162799E578E201908F1C2C44015B66F358A074C4C8E7B658D680ED7EB35E11E49847A6006B0405EFFFC4220B62D4AA4B357B5D07
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.........".j.L.j.L.j.L.M.!.H.L.4..k.L..k..m.L.g.....L.g...U.L.g...e.L.4..`.L.4..h.L.4..H.L.M.7.h.L.,...U.L.c...o.L.j.M.^.L..U..c.L..U..k.L.g...k.L.j...k.L..U..k.L.Richj.L.................PE..L...o.Ef.........."!.....>..................P................................-...........@.........................0.(.......(......P*.X'....................+......\..8............................&.@............P...............................text....=.......>.................. ..`.rdata.......P.......B..............@..@.data...8....P(......8(.............@....rsrc...X'...P*..(....(.............@..@.reloc........+.......*.............@..B................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):338944
      Entropy (8bit):6.578422681091982
      Encrypted:false
      SSDEEP:6144:a3w2fPsl9tJv/b1ncj8+qL5PeCtESsEllz988Ule+vy+9bJ/IE79Ry1mN63F51YS:0w2fPsl9tVb1ncj8+qL5PeCtESsEllzP
      MD5:59D4CE9524C523753579EB5F12317E19
      SHA1:661B8D382B5FA8329BDAA3FE089CB74F67F619CA
      SHA-256:D804AA84860E94556DBAB73946FEE790210B65FCF8CF556C6D2FA005FAD18671
      SHA-512:B3FADEE6D27E2D9CD9F06FC25CB3E16D3F5200E0C2370D833ADE3679FF66D1B1B00B8B387DD7EEA4D1C592A0C1E88C93EDC3FCCA87DFBF78F248FD0608EF69C4
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........F...F...F...F...0...O.k.C.....?.E...K.'.Y...K......K...z....(..2....($.G...K.#.G....(&.G...RichF...........PE..L....7.d...........!.................K....................................................@.....................................<....@.......................P..h;......8...........................hE..@............................................text............................... ..`.rdata..t...........................@..@.data...........n..................@....rsrc........@......................@..@.reloc..h;...P...<..................@..B........................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:MPEG ADTS, layer III, v2, 32 kbps, 16 kHz, Monaural
      Category:dropped
      Size (bytes):11072
      Entropy (8bit):7.705184213743367
      Encrypted:false
      SSDEEP:192:h9QxEl9exDMYUV1DeOmK7n+3BvsuvAORovtrl:0GlmQYsDeSS3BvZIORoFrl
      MD5:C8A47C63748CA85ED91AC9BD8097D6CE
      SHA1:E16442D8E73D2271E3BF46C36C7154A48826D424
      SHA-256:59C438497EB24650064E2444F17C48626C277D3FE0908B0C27186E0183148A69
      SHA-512:A0E7DBB5EC4092B0A38A60CEAEF90894FF2F0163674612E547E033EBE7059A698B80C3387D2C422123946353FFA5C171C661CCAFE1355A9DEC24C4003936CFDB
      Malicious:false
      Preview:..H...Au..I....u..2>'./'N'S..5!..(...N...S.......6!.~..L.."H`@9R..9H'....b.,.P....aj...J.Y%B.*U......T..#....f............H.:V.(@..."..C......H.......H@........ Y.{..R.}E;......0.I"......J..!.Xt.....wB.G.^..z8H,%!..&B..L.rJ7.......!`D....k.)..J.XMt./..!i.Sp.;.9....D2.%.q.J\T..8+r..H.""..(..P..G.yql...6....9;...).....1.....:...4...!.BN........NL0....@........^.w...B.\.....t....d..0.].$...............o..A?....L.../Z..H..!.....h.kS)..\8..b..L.O2&...9...%.4a....q+....p<.b..-..,8.SE34.)M..M.B7.....H.0.......zi.j<.)nh.!......&.SS......5....I...X..9.`...h...H.."r....X.d.7............e{.O.Z..J......~H&&;...`..vO$....1.:.:...2...OACB.P44...zXgD..5.W.(...A`T.PhL...AU.....oN*...._....dm.(...H.. R>....{.."{%.i_.1.w$X......J..4..7J{...<..o.,...[..u.(R8.K.KI.S......|.;..:.#.R.v..4Y.h..d. D.;......T..Y#S1cD.i.<.....d*......<....H...R6...... .T..D....1a.....m....<.p ..n0..V..P.i.GV.LZ'.W..n/..x4..[C.F&."E.zW.'.4...q....p.4h/[......q.^.P..J..U..8A...h...
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
      Category:dropped
      Size (bytes):22
      Entropy (8bit):4.186704345910023
      Encrypted:false
      SSDEEP:3:QDu3HfdyJUv56n:QkHfd5cn
      MD5:B3776A3319A7600E5C1922D074E89F9A
      SHA1:779076C9201B3264BAA1D48AEBB9BD1BD1711D38
      SHA-256:F71A937C6691A601F3A72B211681FF1A434A18E8297F12193A04000E814C1C8A
      SHA-512:7952B2194E2F4CA151D41A8E341B18FF64DC51EF56721D21ED578AFA23596D30E463E3B30C92E25304FB4B7FA1B1D3FA4E1F6567232F490622F8B0F9888652CB
      Malicious:false
      Preview:..f..b:S.W,...=\._.y._
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:MPEG ADTS, layer III, v2, 32 kbps, 16 kHz, Monaural
      Category:dropped
      Size (bytes):39008
      Entropy (8bit):7.5059393762660545
      Encrypted:false
      SSDEEP:768:v7v0nt6XJyJCYKZxudmd6yiFB8nNyu7eRxkA5RJnU:vb0noZ9WdGfiH8nNS4AzJnU
      MD5:BE2E2CB895C0E64F0C4636768268324D
      SHA1:40F8A5742155CA6C180FEDC5E373FB9A6BDEBAA9
      SHA-256:83EE091896FAFCFD61750606632F4ABE515487A6A8A69003395DE9BCCFBF1CBC
      SHA-512:1AD3FF3554260EF727506A4A8C09435A47C50ED6B2597F42825AA24C928919585B48C9AC0EA0BDB40670F08F896C0CC8EAB538D9EFD500CDA7989BA2171E1121
      Malicious:false
      Preview:..H.....H.@....Jc...d......L.H..fx..$..x....../...a Hp..'~.&..P.4....((...R..."........i_......av..nX7y..W..4No.,..AB..(.A.~@..'......M5!...p...H.4.......$@k.... ..x....7.......... b..p......r.P.b..9'........E......d..J.y|.9.......X..5K...B..7....}...l....$..u. N...#.Q.M..@.@*...H.3'........#A. ...h\+...r|O.e.J]u.J&.....D....w.N..S#....... t.p..2.S]5.........t.Y..%.2*EK...(.o.....( .?L.n.2.,....$..!.,..'.ud..H*L.G...H.. ."......H7.'u.m..p.&K%.. ....O.N..Eds..O........$.Vq.....u.n.s.hd..........{<.8.k.;.{......_w"HLD.9....*...,..4.........k.`.....H.."j.......h.I"ZD....Z."H.Y....T.2.F.l.......1(..-.?g|.(.........?1KZ5j\.I.X.z)M^..%..~z....r..W].,.o..~....!;.....M.uP.I.M;y`.E....%..H.. .6...V.........3+i...(1d.....$i.D...L.zM... .c..hhF.Y...k.Y2.:"..!.I...U..6.. ...G.(~..f..c.<~....{...q..D...HJo......zX#...Ba.p..!Q...H.....X`........y..d..$p(.9....8-e...V...W..m....G..2.$.(......4.N^gfk.2..L.......V..h..*..:..<.y2.Z%A...sC...%.M....jE......
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
      Category:dropped
      Size (bytes):14
      Entropy (8bit):3.6644977792004623
      Encrypted:false
      SSDEEP:3:QhyjuLg0:QhyqLg0
      MD5:82EE82636272EFDFEE8B87C31CD380D8
      SHA1:47FE434B60E60C4814DA86FFDC3466120D382E54
      SHA-256:A3724504B737DE8C63ECFE4DCB2111A21DC691DC5CAA3150EA7857F9F964A365
      SHA-512:0F73F6317E18098B96A0BA44D82CBA5256FF8ECA5469F82AEFBD0953089AD41CDBBE77B1004E2D7A52617D0B089F54E21400783E9D9E9D998DEBE347F05112A6
      Malicious:false
      Preview:...W>W.R{|.c..
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:MPEG ADTS, layer III, v2, 32 kbps, 16 kHz, Monaural
      Category:dropped
      Size (bytes):10208
      Entropy (8bit):7.670255496203589
      Encrypted:false
      SSDEEP:192:YourSX37+lOBO5JjYc0GIF/SzDXyBRpFV3wMKgGVfglPu4RosMsM:YZ+n7+DJU/t9EsDFdw1gGVy7M
      MD5:6AC79B24B05C0B3086D11774A5408C85
      SHA1:CAF10CCEE41CF239A597B1EA2124ABACD32F9BA7
      SHA-256:47D02DF2D7E06B3E4491F8245F231B1BC1601D11229502043247FDAC233A9AEF
      SHA-512:EFB56CD58891D3AF30E9AA46B4818BABBD8A189A28A0B4078C6C7950CD8D6956C6434119E531BAA5E78055B8E69D9ED214465F4A0CC986F986A13658C0197E23
      Malicious:false
      Preview:..H....)..0..(..<..<S....1a..Q.:%...L.).:XFIr....pAE. ...!...........Y.......Q.zRN.J.........FT2tt.#"I.vv..+....*..H`...G.g..R..Z".+.A.\s..H...9...b..N.U..+.....2.!./....:........E.....m.[..9...:.. .`"R1.......B..:.Ue..N...>0aJ.......!.~..H..a..i..I.....Ny.I.!.BB+.#.b.pYT....H.*%."...L."..@...;.6P..BF.3.k..X..7Z.O..p....7.!....t.....6]......>C]=......=..w..w....&.A.7.K.....Q............?i...kb.'e...F.q....w...H..".2p......'+...e..0*.~1z.. ..g..eu..Lf....>bYQ.3.H..C... hbn~./.W...._..!W.....E.P.y:.|o..Y_.g\.:..w.....HaW.%....z&...w.AsK(..@..H..!.>........p...Mj1....nU%3}Z.yc5.`.8}R...Z1.s...;....Z.4..._,ll..I.b....H.3HC.."-........o....c.9.3.....Ec.a...+. . ...7.3G`.../.....H.. .B......@NW.P:J2lS.M.^......#...o......mF.._Ch^?..*....EZ..$.X.m4I.)H.@.0...B..PMW......[^(.6C]...9.;;b...B.g..H..K)oK...a.. .........H.. RR........;.I|...$.P....;..o...m.,..+!.>.3.l..^-....*.WF*1....8B...d.v."...Y..$..f..:.,&..I.5R..VX.}.....B...........00.
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
      Category:dropped
      Size (bytes):20
      Entropy (8bit):4.1219280948873624
      Encrypted:false
      SSDEEP:3:QUneZrOq:QUneZrOq
      MD5:1BDDE3496335ACA98828CBF0408C74FB
      SHA1:80C3C702A881499DE6DFF641CF5AA65CEE39D82A
      SHA-256:FBA59239D8BDD443CB28DF5E06C99296BB07B8B3E8B3D2024F1C11E6B4A62D5B
      SHA-512:E11E76AFD52B176A0C2FC8013527D6447AFC01C462AD238E3CCE0AC7C012EF41E1325E3B24BDC22A0DE6434056180F5879E1CC9F0D0F266D9935DDFD04E8668A
      Malicious:false
      Preview:..qSi.:S.W,....R`..
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:MPEG ADTS, layer III, v2, 32 kbps, 16 kHz, Monaural
      Category:dropped
      Size (bytes):8624
      Entropy (8bit):7.036474879624713
      Encrypted:false
      SSDEEP:96:18QWTH6+zFxz6UAO0CHSgim6vtQ3Zxh3nADPtgE4WNdE4dzSJ5WU00Vs+:uz6UAjm6vtMxhwg7WNdEsSJ5xVD
      MD5:3F9F58E7EB813DEEDD7AF6F5BFD50015
      SHA1:D7FDAB90E381F2AAB66E59569951A34E43669FEB
      SHA-256:FA613E7295357D53ABDBBA1F83D593D4D45EE9C2FFC7260B6D409AE35D8EA7E8
      SHA-512:716ECB2364DAA76AFB2BFACBECE1BAC161B80D1E4835D0154943157B5D4525D130AA8E82BBAACEE804ED84FE53AE7234A40CE7156818E19407DDE0FDDEDBA13B
      Malicious:false
      Preview:..H.....H.@...b.d=8..^...-.|.........$.xx~.w.\.(...~.)..)8....+.}.sp.A`*......?.y..'...x7.@..!..l......3778hN...6 r............q... 3...........H.4........).....$.c..(......@..D.n.@..h...O... ..;........"....D...|h......R.f.xW...... P.._..v=...f...........Nt.?.33334............H.3(..l..`.L..g..v.M...n..o.....+.....|.%..qq..Q...f.q...q...]qM.:... &..fj.+...(..-R.......,:Oi..8..._`Y....).q...I.....~.J.TEy&..mlWV_...H.. ..............O..'9......_.....o........U}....Y:..].u{..''-.M9.rb.[.....e&a.F...m.,aeP.#..0W..K.+...@.b...xV".......:z..L...X.`pVq....]..H.. S...H....is...Y,t)..(.S...~....?-.:K.7W.Z..Lw.._.......;...X. .k.T..Z..6.X.....Jq......p+v!9#.nF.....A`..6C...'*.o_i[R..K.k.o..<.)..H.. BV.........v)... ..E..p.@&V.I.(f. /..YI..R.........F!..2.....L...v...RL...mC.+$.....W=.1...>.4c..W.E...c.ve..9R....#...Z....d6.O.o.d..H.."Jv...........BE9....w..n.1~.....U....F1..x.K...|B...3f..w.;.%....C.,j....z..!.XC..K;..eC.<H.3.._x..?....q.4.......W..U....
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
      Category:dropped
      Size (bytes):20
      Entropy (8bit):4.1219280948873624
      Encrypted:false
      SSDEEP:3:Qh/kci:QlVi
      MD5:B991010A26782209A35293C7667AECE9
      SHA1:BF5704E42E207C1DFC23DA599A166DFA1B335C8A
      SHA-256:B6A26D6E4D7F534D236A55A5F390A8D2FB35D9C3D7998D02B5BBF499C1FFD54C
      SHA-512:FAE5B2B9BB9409D9C03572A9C537BAACFBED006FE88640FE7674823EF694C98AE424F1FD6463AEA6A3601D716E5F2C4230FBF1CDEDA8AA5C48156607F710FB1D
      Malicious:false
      Preview:...y.N...W,..ybkeQ.Q
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:MPEG ADTS, layer III, v2, 32 kbps, 16 kHz, Monaural
      Category:dropped
      Size (bytes):8768
      Entropy (8bit):7.206924164190771
      Encrypted:false
      SSDEEP:192:TZwzxklm4H3h5fG/jeUCu7P+c7QmHaGw:Nwul75fs5Cu7WczHa
      MD5:111A681594D4053CD6AE8B7568F219F9
      SHA1:D1EE1B1BD523D782EE3E212B2D4B2B5C966B2055
      SHA-256:62E63996FA8618133649FF8081CCFDDC811F2062E6E82539C68E5EE2F9EDCAF9
      SHA-512:AA1163935567B0FF69FA8C20DE1A07C2F1729874CAD8AE17518424855EC00EA4E20B94683DBE587615BCDCF40B74923437C089E8C288E984A884ACC101743543
      Malicious:false
      Preview:..H.....H.@.....c.F...?.prN.hL\.?..=Y.6ei.AF.H`...o.z..88...G...a.3s3....9B...D.M...v.@..........Ai....o!.........L...L..(p.p.n.(+.a..........H.4.......l.^.....h.H.H.b.dO..x!.......\8. EI.|..2......5?..y. ...2a.....&.R nE.0\....h....s...2,0...P..4&.:<...2 .f<_L|..............H.2("..........|.a..T.b.b|k.......R.drE"pg.....*.*".....5.ZF.F..>.0*.rA.[S..3.RSg..)..# ..'...W..ZL|.I..W.z.vn..>.O4..M\..0...k;.2:..-..`..H..![....h.j...VF...Hs.44.I....-O[.Q..,..C&...6cA.>p.}.T&.1.."..a..d..C.@H......H]..v...ji..$....K.^...4Y..u.J.K.b...S@.Z..@.....0-@L.....H.. b....`.....32....ffg.?333.i..zwz....~................yq.L.....$#.{.B..\6,.Y.LLLbi....NV.t...b.#.Wi..t..9%J..>.#..%......i<..@...4.Q8...H.. ............:5....j..4...O........%.k...a..)s...5...yy-...F..I`...D.*)D..|z*D.....wq.....W...T..2..0FR.m....<Pw....^7.W...A..C.....H..!"....]y..w..g.z....>...s...di....]..e......x.........+....WO.....6v....f.o[S......x.......Y. .*."J..yd..|=w.......K
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
      Category:dropped
      Size (bytes):16
      Entropy (8bit):4.0
      Encrypted:false
      SSDEEP:3:QXYmN:QXYc
      MD5:4045E016B336E7A2BB0E04D62F95E614
      SHA1:7E54FED0CA9623042E3BF3C9EE9B1CA8A4E57A4B
      SHA-256:40D17B4CD703AD897BD3076F7BCE57ABDE7F92930694959FEB1F5C7E96D7F2B3
      SHA-512:621E4955CDF6CEE9DE1E3BE10D435B1CAD4156E8471160A5AECDBAEFBF696F9F56E49CE8A1704F5FEED1B24D8208ED8F70F7C43BB62BB27A1AE5205DC42B1FA2
      Malicious:false
      Preview:...`}Y,."k.IQ4N
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:MPEG ADTS, layer III, v2, 32 kbps, 16 kHz, Monaural
      Category:dropped
      Size (bytes):10496
      Entropy (8bit):7.27294581496909
      Encrypted:false
      SSDEEP:192:T9s9YQKuBV4vWXcQKgD11uUrVxLM53tsxMqoRurB8EVRCu:T9s9YavFXcQdDPDOvp0rB8oRL
      MD5:A9A1A59A8DF22D08C6117E0DA3802212
      SHA1:44E4BAE1903924875FF577BF6D5866DAF0FDF351
      SHA-256:235E821747026BFFA99BFA1DB98C1B7515AA3D495C25783E6E73729F5B750267
      SHA-512:63D7848D1C4CF033B38141ED41ECB8DB40162F96CA7644ECDBAF0D8CAB78890A10E7B40FA3FEAA2BF26E7364A91323119C8D35245478117F3597FE2165FABD85
      Malicious:false
      Preview:..H.....H.........O'~%8W..-..9../7..E.............@....y....f..w>X&9....nK.n@0#. z{.D.<y..#.3H ?6..x.O....Y{*.!......<..zf.8bm|.c".......<..H..CE.(.G..%r..Rp,..1.`..$.b`....C.w.H.Yl,.MZq...{.f.....d.D........L.../..Ep@..Ela.E.7&`.....p.=0{)I..w..?.m...L....r"PM.A....D..b.I....H.-....JL...).2..59.....C.9_..#r....-..n..o.(.. .`.Eo.@.......>.D...@..+ .*.r3B.:D.U....n .U.g.h..#.F.O..u..C1^....*qU..@....".....H.q3t...ZH...bH.k..k.5..t.FW...+....E{.e.........)M...b.W.ElY...M...K$.[^m+,.1\..Mk^.X.i |gH".gm.!..IB...../...h..>.n....$...jA...`.~..R..H.&&..t......q.> 4Aa....<...........~.......1..q....A....L.c.C.....r..5!.@.*&N....@..(8.......J.........Y>:.....pd..C....;.".....%....T.....H.. ..._.P...F.8.Q......%r...E1....g.@$.....w8x%.b..!..Xi..f".COeK...8...E.].......@..K.-....fW...g=3....X.5Z.1.w...9z.......%.."..f.:..H.. 3..V....C0lz.j...[....y...S$a.".|..y.....Y,}.R.....o.....Hxp......;..q#....2U.=.X{Q.....K+...*...........MmH..D..A..ey...P...
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
      Category:dropped
      Size (bytes):20
      Entropy (8bit):4.021928094887362
      Encrypted:false
      SSDEEP:3:Q7lSu8CX:QHH
      MD5:27AD09BCBDD7E5FAA6A5C3CF57BC79CC
      SHA1:A27A16BD776900F8AEECE0834D7D84D309969286
      SHA-256:DA3A32AB99B1F0193F3553B70C3D2E459A49C2894D620E5BCF07611E1EA7EAD3
      SHA-512:A82B0904E646FCE0F8FA21650C5554D3AC45C44488437C55E76A18400CD30E19FEF695C191716D857D2B862154512551276F218DB16972933E3A6698F0B1E507
      Malicious:false
      Preview:....YqSi.,....R.e,r
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:MPEG ADTS, layer III, v2, 32 kbps, 16 kHz, Monaural
      Category:dropped
      Size (bytes):10784
      Entropy (8bit):7.297911350906392
      Encrypted:false
      SSDEEP:192:xSXpbGyOliSPtP1pAW/3b/dVP8Y19/uSn46R2GbJAj0F:UXplORPH/3b//g2rjAe
      MD5:B88F207E3CC72B76C2A848BA56085158
      SHA1:8174C4D3FCEF0900F01C60BE11E3CC865980CE5A
      SHA-256:0F3571736A21DCFD5DCF191EC46C5963DB9745F5F50DCFF9810A3C958B7DF857
      SHA-512:14530B4FD00AB8C0E6E0C7689E6A69EED67B466FAFCF5545AC2DC3E18A314EA59468D0D66DFFCB0876E1035FF6C943C5A1D54DB1AED75353AC315B38AA3DF0D9
      Malicious:false
      Preview:..H.....H.... h.._\. ...+...8.N..=.M.?../....'byGwx..p.Ws...-.}7DW:...n..D...O...T.....N...t's..O...A...A....!a..RG...E ....rr.x......;{..;...H..#Y..0F.r..6@A......2.v,R.Ht..<=..B.,Z..gXDo....'*EPP...L.J:.....o........(.#bQ9..(.,8.HEqI..,..+|...I.MN..j('.A.......,.nf.t.0..r.....H.2...IOH...J..@R....0m..>.%Z..b.v.6.HN '1..al<.. fjB"..*.7.V2XF...*..$.,..T....]i.M\.. .+`..9.z1.,.....0.......S...|H.......n_.(....9\...H.S/..0..x.5.......(...y....2g.R.:..x..........L@.w.......Wc.:....K.5...4j........o;.5...!K..cW..)..j>5.l..........3.?.~........?|2_&..H.."*...X.....2W..t5.l...w..L....MC...8.{..i,=.K?..P...z...8.<.....;.&;.3.{.'..4...of."M+...b...x>..?hag.........~..p.h...TU....r.e..KP..H.. {N...M....d.<.W.|...*g.Q.aw.@...B:lP(d. .........gM..d"&.....M.#.mQ.p......gv...,.6..-=2Z..e'.q....2#.w.?w.............m....}.rjH..+..g..H.. ...V..//e.?...g...<..{...Y..v.@.).s.U.-_..j<.._..m.D.1Q...V..trX fh....A"xCcVr.>.;...u#o..lZ.......".c0.t....3b.....yU.[}Q.f.
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
      Category:dropped
      Size (bytes):20
      Entropy (8bit):4.221928094887362
      Encrypted:false
      SSDEEP:3:Qa2aXkEN0n:Q9CkEmn
      MD5:D1F430A3936A1EE9137527271ABE85D7
      SHA1:201F7D9C1095AACEE3E70609E83B3901D73857E8
      SHA-256:3C51B5C9FA4E7128D909A5AB891CBFB0B859641E0CF62DE8F69D1AE58CFA34E2
      SHA-512:8521DED5C9FBF14DD70AAFDE7093F98190514463218B986009DC414AD5C739FD12EEC5734658E8848E10B531B665E667BEC28FC7E13564C0EE61A84AF634B739
      Malicious:false
      Preview:..4l.mqSi.,..l.a.[hQ
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:MPEG ADTS, layer III, v2, 32 kbps, 22.05 kHz, Monaural
      Category:dropped
      Size (bytes):19749
      Entropy (8bit):7.86055109279703
      Encrypted:false
      SSDEEP:384:aDDeghywSJcX+OyXD+BkipQwWGFK3YivYpY7mKqRKdNadkrdTSIucvZLi/:uyqtSJa+bTd+QfGQojS7xhrdRlvZLi/
      MD5:2D86C27F9C9E492F6B05191F485AA990
      SHA1:CDC6664F3C2DE2E30E97B5A94FE36D836C0B7CD7
      SHA-256:54678ADD1F10AB9DC12294CBE9185E1CA87841F676E0F379BF4B29172D22F76D
      SHA-512:D41CAE006FEFD85D49A1F25827EB09266F730D7A6893C488327CA9D6C26246BD64A4E6F5D9B371B676290FFC9EAB2D53FC59BDE3BB757F3B7741B60775B9B300
      Malicious:false
      Preview:..@.....H........L./.i?...i.m?...)..9...........3;;;.8....?..SF..i.G....\p...h.l.S...v....?W..y..B...B.[.R%X..D........ ..F.z.C.........I.=|.p0.;Y...E..d..Ln..C.O..G.-1.[......~..ha.\.#..S.P...G.~.z..@.}.c"..G..(.@p+.Fc..]J.a8;.L.14Hq............Xq.Y47.....x.A3<..d.....j.'.?......a......Q.........B..%zZ._.y"....../2.......n..M.U.$H... ...^...B..@.....H.%...CR...(.W~.I.Qt..Rt.Z..LH.|\...-...C...@.T.........w......?" w9...V("...Z.P[..&...M..@...]M...d.(b.i...l...-...F@....l.3.gr7....x ........B.D.:..n6..o.......2.Pn.A`............_S......"."?1:F|D...?....j..(I..wg.(p*.u.~u|6..W..n....P.:=...;..@.'..^.N3...w.TI. d...g..O...`(..Y...k..Z1..G..udR...C+/2..K.T2..c.>..Aa.....;.RT..A....f8.>o.f....B......>.....:...r..]6....@.>.......5.n.5H.:...._9..}K.c.V..s..3\.?g..E..C.p....E?.A..@].i.......fm.t..@..."..62E&.....y-:..!..6A.&.P..!8E....<..i.......~.1..U!N.....9....Nw......*..Z..u'.t.z.......>.....B......2....M..iM..sU..h...:....J3................q..
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
      Category:dropped
      Size (bytes):12
      Entropy (8bit):3.418295834054489
      Encrypted:false
      SSDEEP:3:QDuYK:Qu
      MD5:57050A87F0A428EFC034A021D58BB879
      SHA1:C592A0F23CE15CF3D414B731645834F3F9A0E52E
      SHA-256:85BC1886A3AF0AA320054C9DBDBD19BEE1AAE445870B385A0BA6925374D2A533
      SHA-512:A31B8066299FBB13DC400C9B8976FB61D1A94DACA46F897E7879666B4CB3E5C983A03F4356B5A0BAC46C0526F3FD3891EE8BFCD064BBF193DBD8268BB6425DEC
      Malicious:false
      Preview:..f..b.0.1.
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:Audio file with ID3 version 2.4.0, contains: MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
      Category:dropped
      Size (bytes):32225
      Entropy (8bit):7.866308737026772
      Encrypted:false
      SSDEEP:768:h5wI0/KeT2Lpgz3Q2v3eQ4y842BsLLsWg4sh1G8NvmDehmw7Wj:hG7T2LCjQs3e28cfsQshF9hmwqj
      MD5:E3D9F99263D76CD9C9404D1200C8DEB6
      SHA1:C6B279836D6F9232DA304AC80540933360E397FC
      SHA-256:53A26FE95658253F8BAB3BA86B89F1C72EB5E39FB7C9BB939A1D9DEB673610F9
      SHA-512:560AD1C6B8A3DEBE82CDE7C7DE7D186C82F48FF6F10F257B7FB1971D0EF59B82A72BA78A2FEFD617E2C693526CF9E3B08AA818E081863F8D6F9EB0F5F4A85A18
      Malicious:false
      Preview:ID3......"TSSE.......Lavf58.3.100...............................................Info.......L..}............!$$'+..1588;?BEEILOOSVYY]`ccgjmmqtww{~.......................................................Lavc58.9.............$........}.......................................................................................................................................................................................................................................d..sBH.....2....".......`...`.........}e..[A.!7p..&.A....B..'D0.....lAG..v.N1...5..b..78_....wB../.S.4......^Q.......`@....... .;....../....v.....@......p?..:....X....;O........5......(......fjv...j.4..6...F%....c.|..{....Vdo+..S...1.........+{g.>...=U?........H.D.}j..'.]$.|.....j...n..yC..k.CYj.}...at.......4..(b,$..MT.....BD.....&./...j;..Z.......eT....7e.H.D.r..._;*..A....w..[Ms...-..O;.k..\.....d$..)..A..J.x..#.K|..!.i...`.....3..?v.T.....Y...6f[Z.'3.M..I....6cQfX...,.S.'...H....|...B.N.I<..........0z+...{
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
      Category:dropped
      Size (bytes):48
      Entropy (8bit):2.9255548868930705
      Encrypted:false
      SSDEEP:3:QhHalRrAMWlAca+pEGln:QRaoXlAca+qGln
      MD5:DD2E031C56592C8C597574638EE5D118
      SHA1:15292271F814015D56A2D865B064345E6095D8BB
      SHA-256:4CA2D5625193E37FCC29D55DCDFC9349BC143C2FBC98B3153265BFD5CEB979D3
      SHA-512:9D587B0B4A9E7EF2F06713150731DF3513D75CFBBFD9BF26BD2E98368405991DE91191ED76D449855F6FE36CC996057796E720DE5D7AF90B70E3B9713C596ADD
      Malicious:false
      Preview:..D.a.n.g.e.r.,.p.l.e.a.s.e. .k.e.e.p. .a.w.a.y.
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:MPEG ADTS, layer III, v2, 32 kbps, 16 kHz, Monaural
      Category:dropped
      Size (bytes):13520
      Entropy (8bit):7.7446446500087
      Encrypted:false
      SSDEEP:192:l1bM38UFGJKNC3fll0G6GKFSZWoMV72nD5sZB7HVsFaOWm1hmxxKkeq99wu1Mcba:sTcJIGKxKuB7HVALfhq99d7
      MD5:CF6586F8B0D86674153A8CA106B8A969
      SHA1:8F47C01356D73DC658EB22C7C17BE8EDDA521714
      SHA-256:6F6A124458D412F00FE9A59AF0FC24D314DF5983008812D7E32610E5FD5310F9
      SHA-512:DC532D434B6A2253E214F553003B39902E246E8E329E5DF3F3E6A21AEE8AC8CBF9A94E25262421BF180D0EE953929A532687A5CF4885529140CBAD8A22400E0A
      Malicious:false
      Preview:..H.....H.@.........d..d..3...Q..9.I:......j5.x.6^'..h..............m.x..}L.@Ob.....67....91..P~.`...&n%...H...o.4_...jgB...LZ....4N.1...u3X....H.4l........6p.-.l..2&.o.2...5.4[.U....&.b...p\..8>.D\5.......kr.`,..f..:......B .48... 8.?......>.G@..<..Q......x6&...C....CSW.d!....0o....H.4*rf._.x...&..*.....J7.3.fi.Rh.a.|f%.Q..E.u....7.....4.g..M}Z.y.......n.V./y.......{I|c.....].Z.T(\4J..D..EFcMI=.F..H.*n..%..m..c..Ig..H.. j....0......U....!.W.Tm........k.}.......Ac.ff&.t.11.F.+........E.........`n+.../.C.Q..)........Cj..V...C.E.........\.....,.X...H......D.%...D..(g...$...@.e2Yi......Ek..A 6#..R2.+..B24.J.WF....S2....d..i......".'1 x8.@..L.Xh8..Z.^...,6\4...^....rN...k7..h..qr...H......~y...}6..d.R|........`...,.d.R......Rb..g.!(IN...d..?.....!..|.....Z..#...B..b...[w....5I......PLi{;.HWe.-....7?.q...;d)q=..>.u...H..!Z..v... ..$._.OW.c..`.9..!]R.U....w{/.....)H...f...f...E.c...G.jT.tR..GGI......Q.V4..U/..,.k..hX.N.......M.....A....RO..%6..
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
      Category:dropped
      Size (bytes):102
      Entropy (8bit):3.0277151370299955
      Encrypted:false
      SSDEEP:3:Qy8RlMlklr5FfWMNbDpuriAElrLAMWlAca+pEGln:Qy2MlkprezihuXlAca+qGln
      MD5:7EBFD3D340A9AB2D2333F6AC34FCCCD9
      SHA1:843D3DD06325D685374545860E6927280EAAB616
      SHA-256:3C90E14AB08E1EA60EE2C21B5B47A5B8E7A7395E1E5B20F87E12F90CABCC3715
      SHA-512:9F4C0437F7B39C4D9AB603340FE1FBA7245C020F57CD204BE4A95169C0ECB9C951702C588E640EB81EEDF379168B176BD3072CB01B453DAF3046D1090C5C6B6E
      Malicious:false
      Preview:..W.a.r.n.i.n.g.,. .t.h.i.s. .i.s. .r.e.s.t.r.i.c.t.e.d. .a.r.e.a.,. .p.l.e.a.s.e. .k.e.e.p. .a.w.a.y.
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:MPEG ADTS, layer III, v2, 32 kbps, 22.05 kHz, Monaural
      Category:dropped
      Size (bytes):19749
      Entropy (8bit):7.86055109279703
      Encrypted:false
      SSDEEP:384:aDDeghywSJcX+OyXD+BkipQwWGFK3YivYpY7mKqRKdNadkrdTSIucvZLi/:uyqtSJa+bTd+QfGQojS7xhrdRlvZLi/
      MD5:2D86C27F9C9E492F6B05191F485AA990
      SHA1:CDC6664F3C2DE2E30E97B5A94FE36D836C0B7CD7
      SHA-256:54678ADD1F10AB9DC12294CBE9185E1CA87841F676E0F379BF4B29172D22F76D
      SHA-512:D41CAE006FEFD85D49A1F25827EB09266F730D7A6893C488327CA9D6C26246BD64A4E6F5D9B371B676290FFC9EAB2D53FC59BDE3BB757F3B7741B60775B9B300
      Malicious:false
      Preview:..@.....H........L./.i?...i.m?...)..9...........3;;;.8....?..SF..i.G....\p...h.l.S...v....?W..y..B...B.[.R%X..D........ ..F.z.C.........I.=|.p0.;Y...E..d..Ln..C.O..G.-1.[......~..ha.\.#..S.P...G.~.z..@.}.c"..G..(.@p+.Fc..]J.a8;.L.14Hq............Xq.Y47.....x.A3<..d.....j.'.?......a......Q.........B..%zZ._.y"....../2.......n..M.U.$H... ...^...B..@.....H.%...CR...(.W~.I.Qt..Rt.Z..LH.|\...-...C...@.T.........w......?" w9...V("...Z.P[..&...M..@...]M...d.(b.i...l...-...F@....l.3.gr7....x ........B.D.:..n6..o.......2.Pn.A`............_S......"."?1:F|D...?....j..(I..wg.(p*.u.~u|6..W..n....P.:=...;..@.'..^.N3...w.TI. d...g..O...`(..Y...k..Z1..G..udR...C+/2..K.T2..c.>..Aa.....;.RT..A....f8.>o.f....B......>.....:...r..]6....@.>.......5.n.5H.:...._9..}K.c.V..s..3\.?g..E..C.p....E?.A..@].i.......fm.t..@..."..62E&.....y-:..!..6A.&.P..!8E....<..i.......~.1..U!N.....9....Nw......*..Z..u'.t.z.......>.....B......2....M..iM..sU..h...:....J3................q..
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
      Category:dropped
      Size (bytes):36
      Entropy (8bit):2.8854317846806663
      Encrypted:false
      SSDEEP:3:QxaAlKT4PNMn:QYAQu6n
      MD5:12605715C798EB6E039C0F03BE909FDD
      SHA1:0D70E403B39D7081795F7E8F35C9719AD8C761BD
      SHA-256:5C5A4D8A112310BC9333B9D097CE548BE0098F8425269D4BF7689018406A25AD
      SHA-512:4ADA6102930E43144106DCDE6E9369FD4EF877C4FC9EBB57637E021CC9DBCEF983D53C3A53EB96B62277BDE05BF551363FE652B9467C8BC1F4F96E4ED06B2569
      Malicious:false
      Preview:..T.o.n.e. .P.o.l.i.c.e. .S.i.r.e.n.
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):429056
      Entropy (8bit):6.54307792434627
      Encrypted:false
      SSDEEP:12288:Hs4UtDyF9yLQ3PnnQunIHHJ4/YYlNc30WF506NG/1ZtIRJ:bF9yLePnnQunIHHC/Y0M0WkMG/3tIR
      MD5:D4B164C9F9DEC0DA7B8D206FE761B088
      SHA1:5735658F72F1E5AB5DF21ACE44EE0DFB58A97635
      SHA-256:DD04222375D2E9918F3C888CCBA77B01A7A4CEA015E092E687895127813832D3
      SHA-512:1DD6772EC8B464C71660A5927397FA25699577F3A504956A31A0DE1DD0340B00646A2A9104AF94BA496F0664F08CA5DC8B04CE6857DB5211F518EC68993ECEFF
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z...z...z......z.....Qz......z..D....z..I...z..I...z..I...z.......z...z..xz..a...z..a....z..a.>..z...zV..z..a...z..Rich.z..................PE..L....2.d...........!................rv....................................................@.............................x...H........p..X........................L..P...p...................(...........@............................................text............................... ..`.rdata...$.......&..................@..@.data...._.......T..................@....tls.........`.......2..............@....rsrc...X....p.......4..............@..@.reloc...L.......N...>..............@..B........................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):1761792
      Entropy (8bit):5.673289332942684
      Encrypted:false
      SSDEEP:49152:3k2lJt9gUpzc8OoqodZvSR3Kb47uYVbOyZ5kPNeAwzt:3jJt9gUp48FqodZvSR3Kb4ffGY
      MD5:2A4FA593E4F520D86D5DD5FDE91F462F
      SHA1:68511917A3E8B0A73100B7E72E2520BAAE93F003
      SHA-256:F56305BDA8C7CCDE7F882571461279069BD2F8AF4C6F3209AE8643C10B7C55AF
      SHA-512:B829B078425933988734E7785965EA8A045B255DB7C0071B4095309C85C373844C0B8C9DD89E24B779EA723FC6C03F0BE71748F9D345372571068458D1462C1E
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.....................................;c................,.......-.............].......................-.........M....._.......-.......................[.............Rich............PE..L...q.Lf..........".......................... ....@.......................................@..........................M..G....N....... ...............................1..8...........................`;..@............ ...............................text............................... ..`.rdata...a... ...b..................@..@.data...@............h..............@....rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):4022272
      Entropy (8bit):6.423209775248513
      Encrypted:false
      SSDEEP:98304:sPnubiTDnSLNEe4qHBkFrIuw3WZldVTFMW+lxkPDD/6zqqpVw:SnuOTDnSLNEe4qHBk7w3WZldVTF0lxeI
      MD5:75DA6BD929667CA613360A28A88DF970
      SHA1:30A14716B0A14690D74B8A66A6B0665547E4E24C
      SHA-256:C31A1C24D8ACCA9CCC4B6CE1D775E32110CA04FEC5F3196F50E9F3E60ED4FCC5
      SHA-512:F0E6C7D77C5184E5F61FD6D9D57EF29FF8CC4412BA361973F9EEA32C324020D4D10CF564F7D97BF065EE879A016951EC3CD65AEE2EF4FCB0AA4C31369146B5DB
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 2%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......QFg..'...'...'......'...u.U'...u..'...'...&...u.('..._...'...'..k'......'......'...u..'......'..Rich.'..........................PE..L...,`_]...........!....../..f......#.,......./..............................@H...........@.........................`.7.......7.d....@G......................PG.....@./.8...........................X.7.@............./..............................text...c........................... ..`.text.und........................... ..`.rdata...4..../..6..../.............@..@.data....9....7.......7.............@....eh_framt.... C......j8.............@..@.drectve.....0G......t<.............@....rsrc........@G......x<.............@..@.reloc.......PG......z<.............@..B........................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):282112
      Entropy (8bit):6.606599088475292
      Encrypted:false
      SSDEEP:6144:z+vCk7KtScomaW3xQCoBuY8NAw9SvGk1QTS59uVaTuzg9fDdObE0nbrgcgab:z+6kWtScom13uIYqSxmS59aUdOrb9X
      MD5:500EE6497925B687BBC9C950299757F9
      SHA1:82C53B6009E8B97C14F4E55D66D3ABF79872EA78
      SHA-256:E7358914402337812103489C29936119C44C041E5E8CF9A03E2F20B6460045F0
      SHA-512:997A5D88C679698ED73F6F9673F472B5A380159BDD19F9A802C6C24CAB25B074FB04E4E6A7EB52503EE7CBC4A90D84E15B4583478B9D188121F81B62F0DE0959
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 38%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A|.a//.a//.a//..,..a//..*..a//..+..a//.....a//.a./.a//..,..a//..*..a//..+..a//?.&..a//?./..a//?../.a//?.-..a//Rich.a//........................PE..L...B2.d...........!.....&...2.......e.......@............................................@.........................p...D.......(....`.......................p.../..P...p...................(...........@............@...............................text....$.......&.................. ..`.rdata.......@.......*..............@..@.data....+... ......................@....tls.........P......................@....rsrc........`......................@..@.reloc.../...p...0..................@..B................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):1849344
      Entropy (8bit):6.606736091496822
      Encrypted:false
      SSDEEP:49152:EBDop5MnUyMnauNBlMTVPXHLc7pD0ty7bB+bNOL9Ma:2op5MnUyOautMTVPXrLy7bB+bNOJ
      MD5:DF8E8A1912FF771080713F499D9EAF5A
      SHA1:5B9D2B9C8F220507BE964946DFACBB9F6577A3BB
      SHA-256:81A41D14CFA72D51A4AE3FC9D8001AFA06920042191141C8F14EF732DC8B26BC
      SHA-512:79E9E3E6D37B5928AC0FE329AE7F0DE9E36FBE0C094F134A102264F59C70F382327296936D7CCCC2FA96E21FC157F3DEF8CA16FDD253B8533C49B24DEE05482D
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......0.*.t.D.t.D.t.D.S}?.v.D.}...u.D.}...x.D.y..5.D.y.._.D.y..D.2..K.D.}...U.D.t.E.z.D.Q..|.D.Q..u.D.y..u.D.t...u.D.Q..u.D.Richt.D.........................PE..L...a.Lf...........!.................f....................................................@.........................p...........T.......hB..........................`...8...............................@............................................text............................... ..`.rdata..............................@..@.data............`..................@....rsrc...hB.......D...$..............@..@.reloc...............h..............@..B........................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):1607680
      Entropy (8bit):6.895422760439287
      Encrypted:false
      SSDEEP:24576:GutrZbCAa45tL0xoUottQDlJCrP98f8UJYRjtnP6JyEunZyY8gu:ub45tLkotODXnMRjtQO0Y8gu
      MD5:8B88E99971B7E3DC7CE1342355FA636A
      SHA1:BAC684DC4E8C1AC01DE6AFFE1794CD1E0F8EC3A8
      SHA-256:D480DAC312BE03815DB58D1E572C86321378753DA63B1701E2A2159B7311889D
      SHA-512:D1BF7452F994F3FF1F655C1046738B7CC6B9E958F6E3CBF5F1B11808963B6F94E069DC0A4F7AD8FCD16E4DD15653BA3C741329B04DABFA5992923B2B4B133DA6
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......Lub.............*t../...*t.....*t....../.a.i...........u.............*t..............t..|...t..+...t......u..&...u......u..............u......Rich............................PE..L....2.d...........!.........&...............0............................................@..........................................`.......................p.......>..p....................>......p>..@............0..$............................text............................... ..`.rdata.......0......."..............@..@.data...X+... ...l..................@....tls.........P.......~..............@....rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):4698112
      Entropy (8bit):6.761353055932578
      Encrypted:false
      SSDEEP:49152:hIEEKMsP4/+zYr8lel38i87fMFbRCy2TSFogGN8aqFOGH8Tuc1nFSnzdxb0nlvmz:HQ/+y8lG38iKfMFVC/hMOGH2nFSnzL
      MD5:50CB71E2691788626EE622FC9CEA00EF
      SHA1:7AA4C2C5EA725F4FF500911A5709B2765D70D783
      SHA-256:C02688420083567368DC66F538F545A4F761DADBF1368F5194B6F196135F5F71
      SHA-512:1BF55E42E9F7742B0AB5EFE8FFD7EA5426B84E68E9C04731CC270C51C6F830044DDD6137757D3917B1B282E71AB0AF1791C1606FC6C38F3B70B3ABBB60119255
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|o.|o.|o..c|.|o.#..|o....|o.L_r.|o.Us0.|o.....|o.....|o.l_v.|o.Us2.|o.|n.9~o.....}o....~o....|o....|o....|o.Rich.|o.........PE..L...*.<f...........!......$...#...............$..............................@H.....................................0m/.....(A/.......3.h4...................PE..I....................................................$......@/.@....................text...2.$.......$................. ..`.rdata.......$.......$.............@..@.data........./......./.............@....rsrc...h4....3..@....2.............@..@.reloc.......PE.......D.............@..B................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):652288
      Entropy (8bit):6.675017911129511
      Encrypted:false
      SSDEEP:12288:hh7wac9ZqNZpV1CrOP3+4Mjc8SjSQVDK6/BYsl5Sdc3BRRMPSD9V:hOXYNN1CrOPO4gcljSQw6/esl823O6h
      MD5:E6B9D382AABF804621FE3EF5FC006552
      SHA1:223D1D8DAABBF1345C50DE67B2E006B70D763BF6
      SHA-256:4A2078E2BB4E629F371807AF0EAEE4746AB75DDEFA6019AA90EBEF40FF225D57
      SHA-512:ADE989595F569BF69977C2371DBD2100F278A479FA4735FCD67597E9FB28D544674CD4F94A99B104218F9DD82C70B7A2F9023ADE2E70B7A0B3830F1BEA21B4C1
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i-...C...C...C.......C.P.....C..Z....C..Z...C..Z....C.......C...B.a.C.{.....C.{.....C.{.....C..Z....C.......C.{.....C.Rich..C.........PE..L....p.^...........!.........h.......E.......................................`............@..........................M.......N...................................g......8...............................@............................................text............................... ..`.rdata..............................@..@.data...,x...`...4...R..............@....rsrc...............................@..@.reloc...g.......h..................@..B................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:7-zip archive data, version 0.4
      Category:dropped
      Size (bytes):93658
      Entropy (8bit):7.998020064767417
      Encrypted:true
      SSDEEP:1536:/LbslYNxnAHVXPdy2mZ/btihQo1r9/j7xV9qKAGO/CnR8xmcNMNSbIUOjWHG0be:/fuYjUly2mZZGQo5HCRYcNUw4kGF
      MD5:B55CBEED5A42606580C13778DDAA6579
      SHA1:CC6F2F5BE730CE5B1A098072C8A6595FD8D85ECA
      SHA-256:F6B9D3ACA16F6F3018E803ED1022F4DBB706FB64FFD9887EA0701E2E6D91557B
      SHA-512:E4A261BC054E8652184618329FFC934962FAD5BFACBDF775413A47F17A7C3FEFE14E91DDBA87EFD93DED5C9838CB70A7DD336EBB1A8C66DC7B936D4EF881C1D9
      Malicious:false
      Preview:7z..'......0m..............e.....>o.....54L..i...P_.e.. ..>..c....5..-..|..b.{'.Z7....q..c..9..j...w.|7.......Pk...#Dl~.#.G3.?...#..>...o..E.{s.X|..(x).*.~....<|....6.!../....i..."..*#..L%#.^.]..N.o..}W@.P.......Ra.S.=`..pj.3...........5....WNk.V.Y.....a..C}....t...!...8..tR....4....b+.....`.J..A.v....3..y8D...Z... ..;&...U....Xn.....c.t.j..NQ........O@.[....k. ...5.%1z ..RR.V8..z.....iU...=..V.P....7F........ 72=D...D.`.9..fd.........;...w?.&..~.gp..*.q..)h.4...4...L....Q..wd....KdM. .6..q".F..O.....?.`....6A....D..'X.S..G.1Pwe._F...>.w!j.)....3..l.S#.&...=..#>..5iKx.C..e/..:.`B}..&...HDC'..c\E...._R.yVf.f.....G,G.~.=x.Kv5..`b..0...........)'PM......$B..r......0..}.)x...r..f............)....V,1....R%.+V.e..mX.....V7xsmS......9......g..a.....*.(.....K.m..{`.n.D6..=.:.A......a\LF..I........D.1R)W....'....=.R.].0.MhG......G.y.9\!@...'UP...|..dB.,..oMq.=..oJ. JS....EQ1.LXv......D....in"'R[.:.....T..9d..<...../..`.uE.s....C{..d.|..v{x
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):6004736
      Entropy (8bit):6.813436132678682
      Encrypted:false
      SSDEEP:98304:FuNQZW04l2tRSlzhAmfeHpIzfgEiLCAmKgC3mM3mh4S5bp+wFKAMgrTHr0:IaZ94KRM7AmKgC3mM3mh0+tLr0
      MD5:1CC3857A965CDCB74F10B51A1F17FE9B
      SHA1:50BC6556772FC5F08A4E36358F67202785FD4A4F
      SHA-256:53194E5AB036A19691297B9D70F31AE72B60B79E9EFD6AF28F5ADD4D650B5CAC
      SHA-512:D6397E6F2642F77E545D9CEF1341BBF479EDA2908FED95666D24FF6D1B28980BAEC6F8AA1377B9A7D478924607622069A440B75A2C4B0F29C1A78617F75A912D
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........xo..<..<..<..<<..<..&<..<Hmh<..<.ok<...<..K<..<..<!..<.od<..<..<...<..<..<.o{<...<7..<..<.4.<r..<.ox<8..<.ol<..<.oj<..<.on<..<Rich..<................PE..L...p9.^...........!......D...........;.......E...............................b.......[.............................0.S.E'...S......._......................._.Lo....E...............................................E..............................text...6.D.......D................. ..`.rodata.......D.. ....D............. ..`.rdata..u.....E.......E.............@..@.data....`....S.......S.............@....rodata......`_......pX.............@..@.ctors.......p_.......X.............@..@.dtors........_.......X.............@..@.rsrc........._.......X.............@..@.reloc........_.......X.............@..B................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:HTML document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):2786
      Entropy (8bit):4.782072099380971
      Encrypted:false
      SSDEEP:48:kn0XgZ3+gAm5DU3e343g65Xm3++531L3CRJYYhx3+3qHbUT3MR3NrOP3X3hg3F3k:kn0XgZ3+gAm5DUOIQmXm/5lLKJYIxua4
      MD5:9A3CFC226E3F465EA7FCFB16AAEA8260
      SHA1:6D9B8B5B67BE2FBD6BEB3943656689AD653FC554
      SHA-256:E4763E8E5F2B9C96EB0DACAE119AE76C9950A79F1332C10D0E9378AE807F9867
      SHA-512:B69CCDDB43D52CE52456CD8CB496B350C4B90EF45AF00900A3C5B49D4E54F3F4941FCD6B0A36681FCB04206DCB0BCBE26DB92DCFDC95B13DC7B3885AC5A58C0C
      Malicious:false
      Preview:<root>...<LAYOUT_BUTTONS_ON_TOP.........display="0" />...<IDC_BTN_BROWSER_DEFAULTCFG.......display="0" />...<IDC_EDIT_FILE_DEFAULTCFG........display="0" />...<IDC_BTN_CLEAR_ALL_CUST.........display="0" />...<IDC_BTN_UPLOAD_CFG...........display="1" />...<IDC_EDIT_FILE_CFG...........display="1" />...<IDC_BTN_BROWSER_CFG..........display="1" />...<IDC_BTN_UPGRADE............display="1" />...<IDC_EDIT_FILE.............display="1" />...<IDC_BTN_BROWSER............display="1" />...<IDC_BTN_UPGRADE_DIR..........display="1" />...<IDC_EDIT_FILE_DIR...........display="1" />...<IDC_BTN_BROWSER2............display="1" />...<ID_BATCH_DEFAULT..... .......display="1" />...<ID_BATCH_REBOOT_DEV.... ......display="1" />...<ID_BATCH_IP...... ........display="1" />...<ID_LOGIN_SETTING...... ......display="0" />...<ID_EXPORT_EXCEL...... ......display="1" />...<IDC_EDIT_DEFAULT_USER...... ...display="1" />...<ID_BATCH_SET_VIDEO .... ......display="1" />...<ID_BATCH_MAINTANCE .... ......display="1" />...<ID
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:data
      Category:dropped
      Size (bytes):1874
      Entropy (8bit):1.861331023908923
      Encrypted:false
      SSDEEP:6:4Za/J8JUhqGOdgRXHWWr5LnagYHakiAvj0v6kPBMMZ40g+n:OxdyJdaL0v6gOMHg+
      MD5:9BF134FF5A4D96E0DA4194AED73AAC62
      SHA1:80639ABBF42A7AB43D93918BB0534CD83AD444FB
      SHA-256:6D5B1B8F055569E9BA720D49537FEB66AF4F11F53E8C4E47FEF2BB1EE7F16251
      SHA-512:878A86BEC0DA1871701A5746FF94795A72365496B8CCADB8A54A0FAEA4843F09BEF65DED6CF382143D240EF0E01CF5EF4EA697EAB1178A4CB041A7A2EE7AE681
      Malicious:false
      Preview:ANJOY888>.2R...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................>...O..T....................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:MS Windows icon resource - 7 icons, -128x-128, 32 bits/pixel, 96x96, 32 bits/pixel
      Category:dropped
      Size (bytes):140206
      Entropy (8bit):2.603562687267414
      Encrypted:false
      SSDEEP:384:F25WjHTSgWdhSQJP6KqaUeEtUBmDfaNdB:FtYhlyBcBuCnB
      MD5:904F8A39002F926B47523227C80BD075
      SHA1:933CB63AB94E4386BCE80E08BF49868BCFD24A05
      SHA-256:A94C98AFE0A8978EAC3622C6D73226E88ACF87CBEF86075E061D8333878339D7
      SHA-512:606406D4154E71C6805386CF550FBEE6D013A9A4330626767696E5A0E8A61C04CFBCF13D32B7F712220F937A20504A228331ECF72E314744FCDA8E08DA2C450D
      Malicious:false
      Preview:............ .(...v...``.... .........@@.... .(B..F...00.... ..%..n... .... ............... ............... .h...F...(............. ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 text
      Category:dropped
      Size (bytes):1150
      Entropy (8bit):5.872460508968239
      Encrypted:false
      SSDEEP:24:2dkJc4eNU2UHjbvoPUxBKpJpBP9QuxtfpEiq/EDHH7qITgng9b:ckeNa/oPiKnPJppEiq2MC
      MD5:520093783CFF5CCAED47C53826D0C684
      SHA1:56C69BF9BFBECE4FC5B5BCFACA02488209178BF9
      SHA-256:02CFE373DD2272E16FE7972B58C0073AEF13359D61C0E6CFEA1A977EBCD68C72
      SHA-512:5115EFB0CA7884C598F25D260DB22493F5493638B42AF7E8801607C3F159AB3C13A0575821A5D716D5413A21906E969428FD251AB09914BF17739A60F3150100
      Malicious:false
      Preview:<?xml version="1.0" encoding="utf-8"?>.<Lang>..<Resources lan="zh-cn" name='....' filename="language_zh-cn.xml" TITLE="........." />..<Resources lan="zh-tw" name='....' filename="language_zh-tw.xml" TITLE="........." />..<Resources lan="en-us" name='English' filename="language_en-us.xml" TITLE="IPC Configuration Tools " />..<Resources lan="ko-ko" name='Korean' filename="language_ko-ko.xml" TITLE=".... ... .. .." />..<Resources lan="pl-pl" name='Polski' filename="language_pl-pl.xml" TITLE="Narz.dzie do Wyszukiwania / Konfiguracji / Aktualizacji" />..<Resources lan="Russian" name='Russian' filename="language_russian.xml" TITLE="..... .......... / ............ IP / .......... .........." />..<Resources lan="Mongolian" name='Mongolian' filename="language_mongolian.xml" TITLE="......... .... / IP ........ / ........ ........" />..<Res
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (315)
      Category:dropped
      Size (bytes):125307
      Entropy (8bit):5.375124697117199
      Encrypted:false
      SSDEEP:1536:08cyfJIwWEvFvSYUGXRNDALMsA82ksYIZClW8+N96rX:08cyGwWENvSYUGXS3CClr7
      MD5:9FEB84D9FDC5E034E2AC60887BC33801
      SHA1:73EBA9373452A751608609B8DC6A6D973BBD02DA
      SHA-256:5590C77FE5D56A929EC294334A8860CA4578F07D925DFC4ECB5546166C5E7FB3
      SHA-512:36D32CEB0C3D3F078AAA5CEA6D79D112514179EAF366519BB506F4BBB87908F711FDE4251FEE56C41A5AB4D44BA8FC91CE50E54138FEB5FB2BEA217971CDC594
      Malicious:false
      Preview:<?xml version="1.0" encoding="utf-8"?>.<Lang>..<Resources lan="en-us" name="English">...<IDS_FOCUS_MODE>Focus mode</IDS_FOCUS_MODE>...<IDS_LENS_clarity>Lens focus clarity</IDS_LENS_clarity>...<IDS_FOCUS_START>Start focus</IDS_FOCUS_START>...<IDS_FOCUS_EXIT>Stop focus</IDS_FOCUS_EXIT>...<IDS_FOCUS_BASE_LOAD>Load Base</IDS_FOCUS_BASE_LOAD>...<IDS_FOCUS_BASE_SET>Set as base</IDS_FOCUS_BASE_SET>...<IDS_FOCUS_BASE_SAVE>Save Base</IDS_FOCUS_BASE_SAVE>...<IDS_FOCUS_BASE_SAVETO>Save Base As</IDS_FOCUS_BASE_SAVETO>...<IDS_FOCUS_SET_ALL>Overall Settings</IDS_FOCUS_SET_ALL>...<IDS_FOCUS_VALUE>Focus value</IDS_FOCUS_VALUE>...<IDS_FOCUS_MATCH>Match</IDS_FOCUS_MATCH>...<IDS_FOCUS_BASE_VALUE>Baseline value</IDS_FOCUS_BASE_VALUE>...<IDS_FOCUS_CUR_VALUE>Current value</IDS_FOCUS_CUR_VALUE>...<IDS_AUTO_REFRESH>Auto refresh</IDS_AUTO_REFRESH>...<ID_EXPORT_RECORD>Export record</ID_EXPORT_RECORD>...<SUCCEED_EXPORTRECORD_REQ>Requested to export video successfully, please wait</SUCCEED_EXPORTRECORD_REQ>...<ID
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text
      Category:dropped
      Size (bytes):133104
      Entropy (8bit):5.791289578281458
      Encrypted:false
      SSDEEP:1536:oeSG770kSF4ksxDTukBh7XKNLMQ6Acf9v0yhPAteE1Q:oUSF4rDTuGhf9c0PAtFe
      MD5:83342666CA249D2A2B64B68BB405BC4A
      SHA1:D221F3C5E23B8FE02B05A7CF00EA2F816CFED7AC
      SHA-256:19139CDF0208D8B0E64FD699811B75DCE6314FE52D393411FE43D3010C0D4143
      SHA-512:51F9E347A69B4A06917D05F63A4B01FE1C72AF359CED2DBCF8ED24FD8B60485D5600000DC151736510F54AEC3C22611C98EA3E6C60607EC8E6F0718439B401B8
      Malicious:false
      Preview:.<?xml version="1.0" encoding="utf-8"?>.<Lang>..<Resources lan="ko-ko" name='Korean'>...<IDS_FOCUS_MODE>.. ..</IDS_FOCUS_MODE>...<IDS_LENS_clarity>.. .. ...</IDS_LENS_clarity>...<IDS_FOCUS_START>.. ...</IDS_FOCUS_START>...<IDS_FOCUS_EXIT>.. ..</IDS_FOCUS_EXIT>...<IDS_FOCUS_BASE_LOAD>... ..</IDS_FOCUS_BASE_LOAD>...<IDS_FOCUS_BASE_SET>.... ..</IDS_FOCUS_BASE_SET>...<IDS_FOCUS_BASE_SAVE>... ..</IDS_FOCUS_BASE_SAVE>...<IDS_FOCUS_BASE_SAVETO>.... .. .... ..</IDS_FOCUS_BASE_SAVETO>...<IDS_FOCUS_SET_ALL>.. ..</IDS_FOCUS_SET_ALL>...<IDS_FOCUS_VALUE>.. .</IDS_FOCUS_VALUE>...<IDS_FOCUS_MATCH>..</IDS_FOCUS_MATCH>...<IDS_FOCUS_BASE_VALUE>...</IDS_FOCUS_BASE_VALUE>...<IDS_FOCUS_CUR_VALUE>.. ..</IDS_FOCUS_CUR_VALUE>...<IDS_AUTO_REFRESH>.. ....</IDS_AUTO_REFRESH>...<ID_EXPORT_RECORD>.. ....</ID_EXPORT_RECORD>...<SUCCEED_EXPORTRECORD_REQ>... .
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (351), with CRLF line terminators
      Category:dropped
      Size (bytes):169136
      Entropy (8bit):5.430573224180316
      Encrypted:false
      SSDEEP:3072:qFcb+Uc+8yKm8n8OFmSIXv45r5GAud8zi/Y9TXy0nxDgX53bleRT3FHQOEHCS71D:UUc+8yK9jIXv4B5GAud8zi/ETXy0nxDA
      MD5:ED207B809AAA56C33CAA3FA3E2EB406C
      SHA1:7ACD5FE3AB82118DBE0088199FA6BA0E19FBE098
      SHA-256:1D5677B586260764D3ED385E08CE7A5DAD6BB13AD429D2E506E699C89C3B2D45
      SHA-512:D174F153BD31955319CCD95886AA095F7DCF2CFA16CD22BC54D58605A1408FE2A8EA80D11232544FB057A9BA03737395C982F6BC664AA56D61142A3A09FAAE64
      Malicious:false
      Preview:<?xml version="1.0" encoding="utf-8"?>..<Lang>.. <Resources lan="Mongolian" name='Mongolian'>....<IDS_FOCUS_MODE>........ .....</IDS_FOCUS_MODE>....<IDS_LENS_clarity>....... ....... ... ......</IDS_LENS_clarity>....<IDS_FOCUS_START>....... ...........</IDS_FOCUS_START>....<IDS_FOCUS_EXIT>.......... .....</IDS_FOCUS_EXIT>....<IDS_FOCUS_BASE_LOAD>........ .....</IDS_FOCUS_BASE_LOAD>....<IDS_FOCUS_BASE_SET>...... ...... ..........</IDS_FOCUS_BASE_SET>....<IDS_FOCUS_BASE_SAVE>...... ........... ........</IDS_FOCUS_BASE_SAVE>....<IDS_FOCUS_BASE_SAVETO>...... .... ........</IDS_FOCUS_BASE_SAVETO>....<IDS_FOCUS_SET_ALL>.... ........</IDS_FOCUS_SET_ALL>....<IDS_FOCUS_VALUE>........ ....</IDS_FOCUS_VALUE>....<IDS_FOCUS_MATCH>.......</IDS_FOCUS_MATCH>....<IDS_FOCUS_BASE_VALUE>..... ....</IDS_FOCUS_BASE_VALUE>..
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (319)
      Category:dropped
      Size (bytes):132886
      Entropy (8bit):5.575071326531201
      Encrypted:false
      SSDEEP:1536:d7Tk8EkwOKk9sxzsmumkDNmsLPytsPI8S5Cj9ZCy2h7a9yQ2:dVwODS/jCj9ygl2
      MD5:6BB4B21E4757826CB82F90FA1181A945
      SHA1:6626B9EF3C6876B6C3E7B1FCBDD2C353A9D54BE5
      SHA-256:33CF3B88A276C8F8A251926AB81CA7DBF76B7A286145587E68F26CCECA6EA323
      SHA-512:381EBEBD9FD562CEB80BBE960B98ECFB6DD967A8807BD5FBAB3EAE591E2FDF3DE310E57D2C684093F7C202C905C5CBE4DEE4836639D67C6ABB4BE2995C8F6091
      Malicious:false
      Preview:<?xml version="1.0" encoding="utf-8"?>.<Lang>..<Resources lan="pl-pl" name='Polski'>...<IDS_FOCUS_MODE>Tryb ostro.ci</IDS_FOCUS_MODE>...<IDS_LENS_clarity>Przejrzysto.. ostro.ci obiektywu</IDS_LENS_clarity>...<IDS_FOCUS_START>Aktywuj fokus</IDS_FOCUS_START>...<IDS_FOCUS_EXIT>Wyjd. z fokusu</IDS_FOCUS_EXIT>...<IDS_FOCUS_BASE_LOAD>Wczytaj baz.</IDS_FOCUS_BASE_LOAD>...<IDS_FOCUS_BASE_SET>Ustaw jako baz.</IDS_FOCUS_BASE_SET>...<IDS_FOCUS_BASE_SAVE>Zapisz lini. bazow.</IDS_FOCUS_BASE_SAVE>...<IDS_FOCUS_BASE_SAVETO>Zapisz baz. jako</IDS_FOCUS_BASE_SAVETO>...<IDS_FOCUS_SET_ALL>Ustawienia og.lne</IDS_FOCUS_SET_ALL>...<IDS_FOCUS_VALUE>Warto.. fokusu</IDS_FOCUS_VALUE>...<IDS_FOCUS_MATCH>Dopasuj</IDS_FOCUS_MATCH>...<IDS_FOCUS_BASE_VALUE>Warto.. bazowa</IDS_FOCUS_BASE_VALUE>...<IDS_FOCUS_CUR_VALUE>Aktualna warto..</IDS_FOCUS_CUR_VALUE>...<IDS_AUTO_REFRESH>Automatyczne od.wie.anie</IDS_AUTO_REFRESH>.....<ID_EXPORT_RECORD>Eksportuj nagranie</ID_EXPORT_RECORD>...<SUCCEED_EXPORTRECOR
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 text
      Category:dropped
      Size (bytes):133544
      Entropy (8bit):5.465840818221915
      Encrypted:false
      SSDEEP:1536:kCUcduLwoupNTPyL+FEDNJ+zv1TpjWqaPldsSbQRspUDEJ/ZXqISOyQI40xzXiW0:kCUcML8pZPyL+FEDj+zNF4lhUoyi
      MD5:962EE861516C3269FF007D6202895B8A
      SHA1:6118EE9383689A093E74BDA3D000BDA8EA4A468E
      SHA-256:51BABDA039FD8E4F436497AC1384EDEA46FFAF6BAECF62EC9E0D216F0CF2C7BE
      SHA-512:BEBEB0B7FEACAF4E86C2915DB8EAF43E1A4DB1277E5696C595D0718CE1A100478FBBF9019846AF0B90B62FEF3F6FB4EB8AE543C9A8F0F22FC181C6AAAF927C7E
      Malicious:false
      Preview:<?xml version="1.0" encoding="utf-8"?>...<Lang>....<Resources lan="pt-br" name="Portuguese">...<IDS_FOCUS_MODE>Modo de foco</IDS_FOCUS_MODE>...<IDS_LENS_clarity>Nitidez do foco da lente</IDS_LENS_clarity>...<IDS_FOCUS_START>Ativar foco</IDS_FOCUS_START>...<IDS_FOCUS_EXIT>Sair do foco</IDS_FOCUS_EXIT>...<IDS_FOCUS_BASE_LOAD>Base de carga</IDS_FOCUS_BASE_LOAD>...<IDS_FOCUS_BASE_SET>Definir como base</IDS_FOCUS_BASE_SET>...<IDS_FOCUS_BASE_SAVE>Salvar linha de base</IDS_FOCUS_BASE_SAVE>...<IDS_FOCUS_BASE_SAVETO>Salvar base como</IDS_FOCUS_BASE_SAVETO>...<IDS_FOCUS_SET_ALL>Configura..es gerais</IDS_FOCUS_SET_ALL>...<IDS_FOCUS_VALUE>Valor de foco</IDS_FOCUS_VALUE>...<IDS_FOCUS_MATCH>Correspond.ncia</IDS_FOCUS_MATCH>...<IDS_FOCUS_BASE_VALUE>Valor da linha de base</IDS_FOCUS_BASE_VALUE>...<IDS_FOCUS_CUR_VALUE>Valor atual</IDS_FOCUS_CUR_VALUE>...<IDS_AUTO_REFRESH>Atualiza..o autom.tica</IDS_AUTO_REFRESH>......<ID_EXPORT_RECORD>Exportar grava..o</ID_EXPORT_RECORD>...<SUCCEED_EXPORTRECORD
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (362), with CRLF line terminators
      Category:dropped
      Size (bytes):171769
      Entropy (8bit):5.337966151082069
      Encrypted:false
      SSDEEP:3072:VcyfZ2vUs323EVa31uPaYwyt4g6o1Ofy1epUzAIbQfzzVuTg9KdN+qOWGH2q90+b:1f8ss32Pxbyh1epUzQfz3IdN+Qy90+GG
      MD5:3F42344681D7911C8FBA7BE87EF4E865
      SHA1:C2F94E57106903AA2CEC98C3F5A9911190683BC3
      SHA-256:FB73A9F7B29033AF7A8C535C25F488C643AF0132256FC082D4B8A4EC1E0F4C39
      SHA-512:7BC038D724E5AA1D092CD52AB978FD93833BA2B25E96C95341FF2EFAD03FA3B144592CA102AA61011BFFCE087190CB8615300C314C908EC1C21681C192F16F51
      Malicious:false
      Preview:<?xml version="1.0" encoding="utf-8"?>..<Lang>.. <Resources lan="Russian" name='Russian'>....<IDS_FOCUS_MODE>..... ...........</IDS_FOCUS_MODE>....<IDS_LENS_clarity>........ ........... .........</IDS_LENS_clarity>....<IDS_FOCUS_START>............ .....</IDS_FOCUS_START>....<IDS_FOCUS_EXIT>..... .. ......</IDS_FOCUS_EXIT>....<IDS_FOCUS_BASE_LOAD>.... ........</IDS_FOCUS_BASE_LOAD>....<IDS_FOCUS_BASE_SET>.......... ... .......</IDS_FOCUS_BASE_SET>....<IDS_FOCUS_BASE_SAVE>......... ....... ....</IDS_FOCUS_BASE_SAVE>....<IDS_FOCUS_BASE_SAVETO>......... .... ...</IDS_FOCUS_BASE_SAVETO>....<IDS_FOCUS_SET_ALL>..... .........</IDS_FOCUS_SET_ALL>....<IDS_FOCUS_VALUE>........ ......</IDS_FOCUS_VALUE>....<IDS_FOCUS_MATCH>............</IDS_FOCUS_MATCH>....<IDS_FOCUS_BASE_VALUE>....... ........</IDS_FOC
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 text
      Category:dropped
      Size (bytes):123601
      Entropy (8bit):5.772182077230396
      Encrypted:false
      SSDEEP:1536:OsYtF0otiDFHh27oEX8TYm8Kl0cRL+xMuCcicDEdTKeCm7fTvEf+abR:TYt5iZHdYRCu2CR2a
      MD5:9E9798B6A03736D9BE8906E1D908E975
      SHA1:E220D3A582F7C965716C2FB56D304851241DC077
      SHA-256:CC25504DB32C599E84DD06AB7BE31ACCC8B31658FE0339BFB28EFE82C60F881B
      SHA-512:4AAFAF5804D6478C8A181AE27310E97F715155C6BBA3D17FE28F43C7A8D91FE8F1E19CE757EAC0130E3FBD21DF8CDD79C602DF0635380E2CACF56A3F8AD83D24
      Malicious:false
      Preview:<?xml version="1.0" encoding="utf-8"?>.<Lang>. <Resources lan="zh-cn" name='....'>. <IDS_FOCUS_MODE>....</IDS_FOCUS_MODE>. <IDS_LENS_clarity>.......</IDS_LENS_clarity>. <IDS_FOCUS_START>....</IDS_FOCUS_START>. <IDS_FOCUS_EXIT>....</IDS_FOCUS_EXIT>. <IDS_FOCUS_BASE_LOAD>....</IDS_FOCUS_BASE_LOAD>. <IDS_FOCUS_BASE_SET>....</IDS_FOCUS_BASE_SET>. <IDS_FOCUS_BASE_SAVE>....</IDS_FOCUS_BASE_SAVE>. <IDS_FOCUS_BASE_SAVETO>....</IDS_FOCUS_BASE_SAVETO>. <IDS_FOCUS_SET_ALL>....</IDS_FOCUS_SET_ALL>. <IDS_FOCUS_VALUE>...</IDS_FOCUS_VALUE>. <IDS_FOCUS_MATCH>...</IDS_FOCUS_MATCH>. <IDS_FOCUS_BASE_VALUE>...</IDS_FOCUS_BASE_VALUE>. <IDS_FOCUS_CUR_VALUE>...</IDS_FOCUS_CUR_VALUE>. <IDS_AUTO_REFRESH>....</IDS_AUTO_REFRESH> .. <ID_EXPORT_RECORD>....</ID_EXPORT_RECORD>. <SUCCEED_EXPORTRECORD_REQ>............</SU
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 text
      Category:dropped
      Size (bytes):118743
      Entropy (8bit):5.819089000304476
      Encrypted:false
      SSDEEP:1536:2StP7DAJGrsX8pjRQqtWydyjVWd3NIvXoNTgC:2SVDAJ07dE4P
      MD5:B24557A5CD8FC7A23B54E3078B353FFA
      SHA1:CB5D8FB9EC75075A7300C1701DBA0EBE6A375EAB
      SHA-256:93C5F98DB82C2B82754BFB52344FD21FC8470835BA872B91FE4175EF4AD7F8A7
      SHA-512:21EB7DA7BE5F6986B87E6C5AFC4E80604BE5DBD8C2AC0D0A52BACC2D376300E569C7E54BD9C6FCC42898161837480BD5D8160E11CD7AEA57DDFB7B80F5AB03B5
      Malicious:false
      Preview:<?xml version="1.0" encoding="utf-8"?>.<Lang>..<Resources lan="zh-tw" name='....'>...<IDS_FOCUS_MODE>....</IDS_FOCUS_MODE>...<IDS_LENS_clarity>.......</IDS_LENS_clarity>...<IDS_FOCUS_START>....</IDS_FOCUS_START>...<IDS_FOCUS_EXIT>....</IDS_FOCUS_EXIT>...<IDS_FOCUS_BASE_LOAD>....</IDS_FOCUS_BASE_LOAD>...<IDS_FOCUS_BASE_SET>....</IDS_FOCUS_BASE_SET>...<IDS_FOCUS_BASE_SAVE>....</IDS_FOCUS_BASE_SAVE>...<IDS_FOCUS_BASE_SAVETO>....</IDS_FOCUS_BASE_SAVETO>...<IDS_FOCUS_SET_ALL>....</IDS_FOCUS_SET_ALL>...<IDS_FOCUS_VALUE>...</IDS_FOCUS_VALUE>...<IDS_FOCUS_MATCH>...</IDS_FOCUS_MATCH>...<IDS_FOCUS_BASE_VALUE>...</IDS_FOCUS_BASE_VALUE>...<IDS_FOCUS_CUR_VALUE>...</IDS_FOCUS_CUR_VALUE>...<IDS_AUTO_REFRESH>....</IDS_AUTO_REFRESH>.....<ID_EXPORT_RECORD>....</ID_EXPORT_RECORD>...<SUCCEED_EXPORTRECORD_REQ>............</SUCCEED_EXPORTRECORD_REQ>...<ID_LANG
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):428432
      Entropy (8bit):6.629710809585113
      Encrypted:false
      SSDEEP:12288:wNb8zxr1aWPaHX7dGP57rhUgiW6QR7t5qv3Ooc8UHkC2ej:wNb8Fpa6aHX7dGP5Kv3Ooc8UHkC2e
      MD5:5007A10C787CEFC9C7D60F0D5F179ECB
      SHA1:E7E282BF06DD1711BC1C22BBF2D825C1ED381526
      SHA-256:71AF6AFEEAEB425D6C0CF43E15498F2A4BDEAA8FDC7C54E6273D19F3C574C95A
      SHA-512:60DF78108ECC944FDDDC8FD795C4C173429B7B16AF155E78933AE882125F382D16D37B4F82ED22E63E0690415B4CD668934B0133027195E9E8F67C3C78B34B01
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e..d...d...d.......d.......d...d..Cd..K*...d.......d.......d.......d.......d.......d.......d.......d..Rich.d..........................PE..L...A._M.........."!.................<.............x................................@.....@.................................<...<.... ...............V...3...0..D;..p................................/..@...............p............................text...u........................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):781200
      Entropy (8bit):6.916114265083694
      Encrypted:false
      SSDEEP:12288:iMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0e:NmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV
      MD5:C3FEAA2C62E083D971C63F80ECBFCD30
      SHA1:17C773FF8926FB87EFD2495CAF34726FA8905106
      SHA-256:67CA909275187E77D7946F172E8E7563A55D13D9BA57710A844D392C4F850C80
      SHA-512:9546EDA54E579688145906F0CEB394BFEE9825AF0DE65F47F90F2989318B706A19813FB4C29F1B594B4CC6C9C9BA79F10E548A5736C400B417C2627151A25961
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 3%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L..."._M.........."!.........................0.....x................................=.....@..........................H......d...(........................3......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):11509760
      Entropy (8bit):6.396531576859113
      Encrypted:false
      SSDEEP:196608:MIyKEVRlLcXsPWoPWoMh5R5fJ9FvTODVGrJC9JGR5cQ5Fk3b2+l1xAUGJ0urwZ:8KEVRkR5fJ9FvTODVGrJC9JGR5cQizlD
      MD5:59444887F840BC04CA3605892F801B91
      SHA1:59931900CB662AF8428384F4DA45F66F85F3501D
      SHA-256:0A1137012C942B0C89056E2EB78A51EE114DD7D4D59B291071CB74B2F6235B78
      SHA-512:A47C1505559EB199139D252ABD45BAE3DF2A71CEC58057EFFD49914345CFD82E9ED46A67DA278CCC06A4B3E7A9ADAAB4310744EC477A35C885AE4AE77AB8A9ED
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........................BK......I.............n..............O........W.....N.j.....N.....I.......I......=.......I..d....I......I......I.....Rich...........PE..L....5.d...........!.....0r..`=......\b......@r.....................................`b..............................p...xM....................................Q...Er..............................................@r..............................text....#r......0r................. ..`.rdata....1..@r...1..@r.............@..@.data....Q...P...@...P..............@....rodata.`........ ..................@..@.rsrc..............................@..@.reloc.............................@..B........................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:XML 1.0 document, ASCII text, with no line terminators
      Category:dropped
      Size (bytes):81
      Entropy (8bit):4.861153243491817
      Encrypted:false
      SSDEEP:3:vFWWMNHU8LdgCBrChyEsUKJgAZLKm:TMVBdhzMSgAZum
      MD5:ED489D83E9F9E4D93F40B74959F5AD62
      SHA1:F6F62EB84F483941C90F20F248251BAB09DCC852
      SHA-256:5F97D6D95BCD2B5EA8108DB48F22AA5A0A3E3D15AE2DD471134DFC503CD38B4C
      SHA-512:062728D825481EEE72F9DB73163BC9F79BCD5C472CD0209F470AB2861A0EFB558C306D303A9443698754581D3DDB1EF07F5303A14F6B1691F8A2E8D2E50E3480
      Malicious:false
      Preview:<?xml version="1.0" encoding="utf-8"?><root>.<Registry name="IPCTools" /></root>'
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:MPEG ADTS, layer III, v2, 32 kbps, 16 kHz, Monaural
      Category:dropped
      Size (bytes):5904
      Entropy (8bit):7.8465560366371845
      Encrypted:false
      SSDEEP:96:igjkwLxv+uq/uWLB9uaZ0AQdfDNta2p0Zu1rYZmy4/uIGqcSac4UAbIBud/VQeNq:13LxvB+tuaqAQdraYYQQJQFvuJVQew
      MD5:DB54484D592AC77F52E1A738A86B6873
      SHA1:848DAA0104BEF95166D436BE787737802E57FD87
      SHA-256:8DA7387C132F3220BA6E6437DCB23537AE5017E6E82B76A3CD42B025EA7807C9
      SHA-512:106E2157B2F4599B5D2229668D48014DB003E6719C8F22C51D74E9A71C9B4496E46B842D000B250DAE7CA780EFF91B5DE6A20BBD8351C584B195D167D342E526
      Malicious:false
      Preview:..H....%T.I....4K..k!4`pN(](.....^j.M..g...73r.jZ...?..v...8..../..FDd.....Dh..1.y..YX..pL"..I.@.f.>.?.....&.5&.A...}.......l..B.....J....X....H...x...Ox.....=9.\.A.......D............3...@C..w)X>Q........... ....o..8.....>... ..#...L4.q8C`,...t...!.q.&..j.;..e.....D..O..6D~>..H.5*.*z_....d...Po.J..6...EM....>5.d\....7UKgK..t......2)..........l..U ..k..)..z$..S..&.4|....oN......@..uPZL.)g.R@.._..[..9..j9..Q.p<%.V.`..H.. .Jx..x..2..R~.J.>.K.k[....7.."....1U*.;.R.......Bnh..}O..y..y..i...5./}.{..n.3.......o[.k.x..........\.......>....uR"S...I$....].@.|..H.. *V..x..TJ.P.B..f..q .. .m.....]...z..W;.....8Gj].(........6{.......s..........^.?_.L....5.....&?......C...Y......%.LU`....TJb....H.. 2....X..(.Z...a.`X.....bV..'..:D.....H....w.I.f^<.{JDfG.o..q.....!..7.6.K.*...u.:.qK....h.l......*[.g...@....6...F....q.....%.1r..!..H..!"f........ .;&RW.Z2[..?^....~..q.....s(.}..x.l...,.O...m.\7f.A.......q.....}.*..*.....?.u&."K...+.rI+..;...2........[P.1..x...
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:MPEG ADTS, layer III, v2, 32 kbps, 16 kHz, Monaural
      Category:dropped
      Size (bytes):3744
      Entropy (8bit):7.814653107820923
      Encrypted:false
      SSDEEP:96:1enE25lvulCN7TxWRkiH9KBphZP6NVoKyfS:1MucNPlmQBphZqVojfS
      MD5:0910F82446D1F2FAE715550956B26015
      SHA1:4DD6D408271F4F260008509348C40B23C1F90EF6
      SHA-256:2129E2C64EE8694C87B00DD92ACF19BB31B91BF21F132E314E7D1DE09D1C9B28
      SHA-512:A19DC0A69C4D13816A722E1969FFD60188F6CFE5E3B4B7028A3CF27A704BB56901C5F43A91CCF0559DB426BFD7D11A5D513F540915DF4BBE99F5EA76E5C3C2EA
      Malicious:false
      Preview:..H.....H.@.........P..w$..`... ...y. d....A-..XU.4.......=....w...\.4.1.J......%.........t.<.o/..._?.......<<.../........"..d8#...C...`0.4.~...H....A..h.e.r.i..@.\.w...#..f:...p..'...+..R.3..\)&.}......Q....Z..^.....q.Q.x.8L.q...[.6....6E.#J............$d....0i..5O..s.....t....?....H.4s._.x....U...+.Ds;$..X...Y....%...g..-............5..c.?.....b...Y .%.......J5.X.)"!|}..^b..Ke...7>.jr.v.^...#."... ]:_%...Bp...#.%1..H.E*.r.'...A..@G.."......".4O........P..* \<.6~..*..].Z.....7.z..mNj..[.my.fI&?p........Q./..R.kb...........p....TD..4....+.d.py..N..d...H..#R..^~....SPh..Rl*....>.h.B......L....+....B%..r.....4Z.%.7...W......)....U..x.M!Hu..&...7...'...=l.zC....I..b.2QZUg*X..%......F7.L..H.. ......H..@.F........dE7..I]..j..P..g...gW9..W.....@93..;.b.........!&Nh.z.3..x.6VG..y........../X.~q ....9...b...J.5.............I..H.. ...6.D.,e-L./.4...h..!.J.!3.X...l5..4B.M".....R..Q...s...]P.>...G...A...o.F!......NuYUYtc.p|....~..$.}x~.).S....+\B.E..t.z.m...
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue May 21 13:02:24 2024, mtime=Thu Jul 4 19:29:18 2024, atime=Tue May 21 13:02:24 2024, length=1761792, window=hide
      Category:dropped
      Size (bytes):2139
      Entropy (8bit):3.420498046772725
      Encrypted:false
      SSDEEP:24:8OKEhdOEbvL8iOb1AEaEMXd8DODOD1gd8DODzd8DODuq/cNcf/r8DODuq5UUfJZA:8O9hdOqDHEKdagdpdP/pPy5yF
      MD5:CAB84785ED63B3D0392EECC5194201DF
      SHA1:B1AB66BB075A2BE49633AB8917EC15244BD664AD
      SHA-256:B79FB75ACBE04EB77D53B0EF4BB323066D9588BDBEFDE7055F822BECD73584F1
      SHA-512:7CF2E71C08B575F9ADD33F30109BA46C4BF69B81387FE8AA3AAB201C9C413B59C8043F968DB746CBDE3679FC0807E185D99BB97E805E627D1D25A1C7A9EE4E7C
      Malicious:false
      Preview:L..................F.@.. .....Z......b..P.....Z..................................P.O. .:i.....+00.../C:\.....................1......X....PROGRA~2.........O.I.X......................V.....i...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....Z.1......X....IPCTools..B.......X...X............................i...I.P.C.T.o.o.l.s.....Z.1......X....IPCTools..B.......X...X.............................fq.I.P.C.T.o.o.l.s.....f.2......XLp .IPCTools.exe..J......XLp.X................................I.P.C.T.o.o.l.s...e.x.e.......d...............-.......c...........n........C:\Program Files (x86)\IPCTools\IPCTools\IPCTools.exe..G.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.P.C.T.o.o.l.s.\.I.P.C.T.o.o.l.s.\.I.P.C.T.o.o.l.s...e.x.e.(.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.P.C.T.o.o.l.s.\.I.P.C.T.o.o.l.s.7.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.P.C.T.o.o.l.s.\.I.P.C.T.o.o.l.s.\.i.p.c._.s.e.a.r.c.h...i.c.o....
      Process:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      File Type:data
      Category:dropped
      Size (bytes):720
      Entropy (8bit):2.532456551537105
      Encrypted:false
      SSDEEP:12:GZK34pgMClGttDq+xUFZMAKRJ+ftun2QKRKQ1o1spzAw:cKUgMClc2ZMAKRk9G1WE
      MD5:6AE0D26FC8D24AFFABBF25635766B9A3
      SHA1:E70550CDA5FA47F907FC3BFB8BA0E8023F3E3385
      SHA-256:64A19548DA496A3ECACF2A538FEA0062804136DD92D772AE41B9778B3D71E0DD
      SHA-512:E00D90C91D4989ABFCFF235B6A88523748417EB29CED9DF7FE1D145F3435678BE1F812BEE74CB327AC5078AA2742C8A4C07F60E9B96214ABC30B5641C065C515
      Malicious:false
      Preview:A.......................................................................................................................................................................................................................W.i.x.B.u.n.d.l.e.F.o.r.c.e.d.R.e.s.t.a.r.t.P.a.c.k.a.g.e.................W.i.x.B.u.n.d.l.e.L.a.s.t.U.s.e.d.S.o.u.r.c.e.............................W.i.x.B.u.n.d.l.e.N.a.m.e.....<...M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.3. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.8.6.). .-. .1.2...0...3.0.5.0.1.........W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.....<...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.v.c.r.e.d.i.s.t._.x.8.6._.v.s.2.0.1.3._.e.n...e.x.e.....................
      Process:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):461368
      Entropy (8bit):6.931191292112627
      Encrypted:false
      SSDEEP:12288:iymOcB+pwPprnVmLmDsC+FU+ZOSzDBtzY7UWfR2:iLOsDFncLmKDZOSz1FO5
      MD5:2335AB0C0E19C0EF416D07DF66FEE649
      SHA1:1E8794AFF453F7647A6C149F3D38F7A3FF4CCD1B
      SHA-256:F0E46C0F9B2991FA6D187C6B2BED28139C67804CC58CC45C77F06A6F217CB21A
      SHA-512:518580D7A0D8F9610C8EC0204AE879A91A24325FB5E45348E6F0769AA25A69525992BC0F722DF113993AA29A1A917DE8FBECFB39D547D6F25354C3488BF06A62
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.V...8...8...8.......8.....n.8......8......8...9.I.8.....l.8.......8.......8.......8.Rich..8.................PE..L....._S.....................,.......~............@..........................0............@.................................t!..,........7...............>......$2......................... ...........@............................................text...t........................... ..`.rdata..............................@..@.data... 0...@.......,..............@....wixburn8............<..............@..@.tls.................>..............@....rsrc....7.......8...@..............@..@.reloc...B.......D...x..............@..B........................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue May 21 13:02:24 2024, mtime=Thu Jul 4 19:29:10 2024, atime=Tue May 21 13:02:24 2024, length=1761792, window=hide
      Category:dropped
      Size (bytes):2115
      Entropy (8bit):3.420490875846676
      Encrypted:false
      SSDEEP:24:8ow/KEhdOEbvL8iOb1AEaEMWCd8DODOD1gd8DODzd8DODuq/cNcf/r8DODuq5UUE:8oW9hdOqDHE2dagdpdP/pPy5yF
      MD5:38992B8C001FB3F5EDF51E02A451CD02
      SHA1:707901590861F94F716F2ECD90DD2E1B53193D52
      SHA-256:BD22AAC6E6EA124859ADB8837411E47E32B508D75274BBF85937CAFBEE6F3DF6
      SHA-512:BD06873ABF0A363E819782E8D5319E2BC4DC70A6C74FFBC7DE9B006C7F8C01E92DF820072F700AB8C5372CFC15D703231AE783ED8359E2E86F326C1162110A47
      Malicious:false
      Preview:L..................F.@.. .....Z.....n..P.....Z..................................P.O. .:i.....+00.../C:\.....................1......X....PROGRA~2.........O.I.X......................V.....i...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....Z.1......X....IPCTools..B.......X...X............................i...I.P.C.T.o.o.l.s.....Z.1......X....IPCTools..B.......X...X.............................fq.I.P.C.T.o.o.l.s.....f.2......XLp .IPCTools.exe..J......XLp.X................................I.P.C.T.o.o.l.s...e.x.e.......d...............-.......c...........n........C:\Program Files (x86)\IPCTools\IPCTools\IPCTools.exe..;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.P.C.T.o.o.l.s.\.I.P.C.T.o.o.l.s.\.I.P.C.T.o.o.l.s...e.x.e.(.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.P.C.T.o.o.l.s.\.I.P.C.T.o.o.l.s.7.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.P.C.T.o.o.l.s.\.I.P.C.T.o.o.l.s.\.i.p.c._.s.e.a.r.c.h...i.c.o.........%ProgramFiles%\IPCT
      Process:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe
      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 253512 bytes, 1 file, at 0x2c +A "FL_msdia71_dll_2_____X86.3643236F_FC70_11D3_A536_0090278A1BB8", ID 4303, number 1, 20 datablocks, 0x1503 compression
      Category:dropped
      Size (bytes):253512
      Entropy (8bit):7.9985246310787526
      Encrypted:true
      SSDEEP:6144:jdHDtJKx9Q5+LMfpMjU3B0QPdCtngtpoEvdpYKJFj9gGmO:xti+YLYpM45PUtgvTvdfDj9YO
      MD5:CC064D4B81619991DE8131A86AD77681
      SHA1:88D80D86CC20C27D7D2A872AF719300BD2BB73F9
      SHA-256:913EE5A1CAE3E5A1872B3A5EFAAA00C58E4BEB692492B138F76967DA671B0477
      SHA-512:5AFF0EB26CFC187BF58721B2B6D73357D9F1E66D1AC5340AD9DDC08B40AD0EDA27A144CB3B650604637A7476C282DED83ED890DE98A73CCAF0CC021DA3A9EB25
      Malicious:false
      Preview:MSCF....H.......,...................z..................>{. .FL_msdia71_dll_2_____X86.3643236F_FC70_11D3_A536_0090278A1BB8.nGh..#..[.... .....P.. 1.@...N..3#.../...0I..:~.%..Jl.|.3......l.}.37._.l...o...3.E3.xw.............M....M9........9.n.V....y|.]...N..,{./Yh.;\...Jr..[.%U....M..1.H...0M%)H............".(..*.........2......Q..`.F......................WJ.....^....*.._..R.v.....V....Z:+.k.sk..:#..j._....SZ.s[<3E.BE.93%...k...._.....Nv]w...,....4.m..J...g'.r.U.8.K{M.RZ...?../....AT.+..Jg.KRC...F..%j...R>H=.5$.!._H..#.%...J...w....7.-..O.{..S.G..w,;.....R@#...g.<vo.{...f.'...\....3..9#.N.6..*!;.YI......u...n.K...8.2...TW.e..Mi.H....j'g.......3...O....Wq..gx.Cx..C....AJ.x.......L...........K.....+.n...7...vdQ..%p7a ..69P...../..2D...0(0....^.....-.re8aH..F.j...H. ......:.v...A5..-&6..V.pP..S....Xo.......g..P........._O.C.G..*...(.._.p.C^....T..6H.5.D.o]....[.%.P..&...akX..%;......I..El5.+J...$..B*..D...FZq(#..n.,..#...$.I..m...lL..#e*...P....V..7..........Q..
      Process:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe
      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, MSI Installer, Create Time/Date: Mon Jun 21 09:00:00 1999, Number of Pages: 200, Code page: 1252, Title: Installation Database, Subject: Microsoft Visual C++ 2005 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: Microsoft Visual C++ 2005 Redistributable RTL x86 enu; Copyright (C) Microsoft Corporation, All rights reserved., Template: Intel;0, Revision Number: {31076048-5B7B-4476-ABF0-15989228CB90}, Name of Creating Application: Visual Studio Setup Build Engine (BuildMod.DLL), Security: 2, Last Saved Time/Date: Fri May 13 19:14:52 2011, Number of Words: 2
      Category:dropped
      Size (bytes):2770944
      Entropy (8bit):7.898356017242934
      Encrypted:false
      SSDEEP:49152:BxtG+uBvEH/sbE3EyyBU5czkhwZawV4mC5kRuhg6MmqmPAhe75LzNyS:TuVOTWBdzkkawxSh4iAhm51yS
      MD5:B20BBEB818222B657DF49A9CFE4FED79
      SHA1:3F6508E880B86502773A3275BC9527F046D45502
      SHA-256:91BDD063F6C53126737791C9ECCF0B2F4CF44927831527245BC89A0BE06C0CB4
      SHA-512:F534BC7BF1597E728940E6C3B77F864ADFAA413BB1E080458326B692B0F96BDDF4FBD294EEED36D7764A3578E6C8E919488BBF63B8FE2D4355AB3EFD685424A4
      Malicious:false
      Preview:......................>...................+...............8...................y...z...........................c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...&...'...(...)...*...+...,...-...}...~...................................................................................................................................................................................................................................................................................R................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-.......6...0...1...2...3...4...5...X...7...?...e...:...;...<...=...>.../...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...S...`...T...U...V...W...Y...]...Z...[...\...^..._...a...f...i...b...c...d...g...$...h...j...l...n...k...m...o...p...r...q...t...s...u.......v.......w...x...........
      Process:C:\Windows\SysWOW64\msiexec.exe
      File Type:Unicode text, UTF-16, little-endian text, with very long lines (370), with CRLF line terminators
      Category:dropped
      Size (bytes):840
      Entropy (8bit):3.7191709103647743
      Encrypted:false
      SSDEEP:24:QkHk3YKouLGxWFjmYkWQUEHg0RKOdnTU/UNnH:h6PogGxZYYe0YYU/U9
      MD5:88770C7475F8F1BCE845CEF76F0FEF68
      SHA1:732742916FF1678C139BC95C49734747F58E0299
      SHA-256:7B3B01677956443C199C51B914312949D8855FEC0EB11AA3ABDF94A9D5835C7C
      SHA-512:A7F31FE3FC324350373538A4469906A6E3EBB74C6D6CC96DAF2EBEC5E338648A07AAE9C148AA74D6B2627C693CD498810EE63608A4EF9289FAEFAC311F6BDD1D
      Malicious:false
      Preview:..E.r.r.o.r. .1.9.3.5...A.n. .e.r.r.o.r. .o.c.c.u.r.r.e.d. .d.u.r.i.n.g. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n. .o.f. .a.s.s.e.m.b.l.y. .'.M.i.c.r.o.s.o.f.t...V.C.8.0...A.T.L.,.t.y.p.e.=.".w.i.n.3.2.".,.v.e.r.s.i.o.n.=.".8...0...5.0.7.2.7...6.1.9.5.".,.p.u.b.l.i.c.K.e.y.T.o.k.e.n.=.".1.f.c.8.b.3.b.9.a.1.e.1.8.e.3.b.".,.p.r.o.c.e.s.s.o.r.A.r.c.h.i.t.e.c.t.u.r.e.=.".x.8.6.".'... .P.l.e.a.s.e. .r.e.f.e.r. .t.o. .H.e.l.p. .a.n.d. .S.u.p.p.o.r.t. .f.o.r. .m.o.r.e. .i.n.f.o.r.m.a.t.i.o.n... .H.R.E.S.U.L.T.:. .0.x.8.0.0.7.0.4.2.2... .a.s.s.e.m.b.l.y. .i.n.t.e.r.f.a.c.e.:. .I.A.s.s.e.m.b.l.y.C.a.c.h.e.I.t.e.m.,. .f.u.n.c.t.i.o.n.:. .C.o.m.m.i.t.,. .c.o.m.p.o.n.e.n.t.:. .{.9.7.F.8.1.A.F.1.-.0.E.4.7.-.D.C.9.9.-.A.0.1.F.-.C.8.B.3.B.9.A.1.E.1.8.E.}.....=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.4./.0.7./.2.0.2.4. . .1.6.:.2.9.:.2.9. .=.=.=.....
      Process:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      File Type:ASCII text, with very long lines (320), with CRLF line terminators
      Category:dropped
      Size (bytes):6776
      Entropy (8bit):5.5856681244936714
      Encrypted:false
      SSDEEP:192:AlCgUKQzLjIzRy/YxM02s6YyfGsAt9AtWeWTm:GzUKQzwzRcYxwYy0tytjX
      MD5:3FFD3DF72B93DE4C7580E92504F1E808
      SHA1:2174B6CA4C040DD1286ECECCBC848D5B9E5A29C2
      SHA-256:106C3BBF553F0584EE672D6D8446957DC2C4A5223ABEF18DD22D5E1F22D371FC
      SHA-512:111C702770EBC0E6E47AA9F994B1FD0E9101E6528627678D604812329CCDA6DE87AED547E356A6F583A71ECB8C2509E3AC48C0E51834CEBBAC553DD812EF6DC5
      Malicious:false
      Preview:[10FC:173C][2024-07-04T16:29:30]i001: Burn v3.7.2829.0, Windows v6.3 (Build 9600: Service Pack 0), path: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe, cmdline: '-burn.unelevated BurnPipe.{A826652D-AFD8-40B6-84B0-7105BE434658} {ED4ADFC9-BDFE-4680-B562-A7A4CCF98333} 6952'..[10FC:173C][2024-07-04T16:29:30]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20240704162930.log'..[10FC:173C][2024-07-04T16:29:30]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe'..[10FC:173C][2024-07-04T16:29:30]i000: Setting string variable 'WixBundleName' to value 'Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501'..[10FC:173C][2024-07-04T16:29:31]i100: Detect begin, 2 packages..[10FC:173C][2024-07-04T16:29:31]i101: Detected package: vcRuntimeMinimum_x86, state: Absent, cached: None..[10FC:173C][2024-07-04T16:29:31]i101: Detected package: vcRuntimeAdditi
      Process:C:\Windows\System32\msiexec.exe
      File Type:Unicode text, UTF-16, little-endian text, with very long lines (588), with CRLF line terminators
      Category:dropped
      Size (bytes):179470
      Entropy (8bit):3.793796214649756
      Encrypted:false
      SSDEEP:1536:clahnjJhzgWkFbQTdTI0fAvaYSW5xRucENfeKXOEAW2dqT9HQVHMKqLaD/7mjMjh:cS2j78pTTTTWuM01xFQAo
      MD5:82964F23CC59B031C3F125B2BEA5D6F8
      SHA1:A9C41DD788615E9AFD6EFAFB8D8206FDC8847FE7
      SHA-256:73A382045371A5A5D5F8FD149F26AE65EB2651707695F303073A0BC8A6367A27
      SHA-512:01D949CCD2536BFB26E220D989CC4F73E5ED00486C54F33D00BC7A6528821747080512A543F8123E2F6EAB679CC376C73FC6B588636117875A7D9B0268C5A8D3
      Malicious:false
      Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.4./.0.7./.2.0.2.4. . .1.6.:.2.9.:.5.3. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.v.c.r.e.d.i.s.t._.x.8.6._.v.s.2.0.1.3._.e.n...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.2.8.:.0.4.). .[.1.6.:.2.9.:.5.3.:.5.8.6.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.2.8.:.0.4.). .[.1.6.:.2.9.:.5.3.:.5.8.6.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.2.8.:.0.4.). .[.1.6.:.2.9.:.5.3.:.5.8.6.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.1.3.A.4.E.E.1.2.-.2.3.E.A.-.3.3.7.1.-.9.1.E.E.-.E.F.B.3.6.D.D.F.F.F.3.E.}.v.1.2...0...2.1.0.0.5.\.p.a.c.k.a.g.e.s.\.v.c.R.u.n.t.i.m.e.M.i.n.i.m.u.m._.x.8.6.\.v.c._.r.u.
      Process:C:\Windows\System32\msiexec.exe
      File Type:Unicode text, UTF-16, little-endian text, with very long lines (588), with CRLF line terminators
      Category:dropped
      Size (bytes):209824
      Entropy (8bit):3.814090349807529
      Encrypted:false
      SSDEEP:3072:7Pwjwu4444444444444IqDn0li8CCe648aOtFE:UjO
      MD5:CBC0F6594EDB94A25CDCD0CB9539D930
      SHA1:4CFEAC492E59968BA548B3BA163E5786AA911BE1
      SHA-256:49C2D421B9AF585AEF8506DC6F5D2E4FB574E5BDEAB05B962AE9B17D9679ABEF
      SHA-512:9F8FA6A9A246F0B1A4C1BB3EFB0E961A84D36BD96DF3B290D7D11EDFE9EE918F528E103F8314C32405332EF3D297F0C0C9813D55AF0622408E58195519125404
      Malicious:false
      Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.4./.0.7./.2.0.2.4. . .1.6.:.2.9.:.5.4. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.v.c.r.e.d.i.s.t._.x.8.6._.v.s.2.0.1.3._.e.n...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.2.8.:.9.8.). .[.1.6.:.2.9.:.5.4.:.8.8.3.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.2.8.:.9.8.). .[.1.6.:.2.9.:.5.4.:.8.8.3.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.2.8.:.9.8.). .[.1.6.:.2.9.:.5.4.:.8.8.3.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.F.8.C.F.E.B.2.2.-.A.2.E.7.-.3.9.7.1.-.9.E.D.A.-.4.B.1.1.E.D.E.F.C.1.8.5.}.v.1.2...0...2.1.0.0.5.\.p.a.c.k.a.g.e.s.\.v.c.R.u.n.t.i.m.e.A.d.d.i.t.i.o.n.a.l._.x.8.6.\.v.c.
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):15360
      Entropy (8bit):5.472540961454683
      Encrypted:false
      SSDEEP:192:VsIZHdT9uwYX94kYd2iCzHR+yK7imphLAykycpKPd5mj8ozxGUWumle:VsUHd9GN2d2iwl0impATIPdAj8Ov6
      MD5:6E663F1A0DE94BC05D64D020DA5D6F36
      SHA1:C5ABB0033776D6AB1F07E5B3568F7D64F90E5B04
      SHA-256:458B70E1745DC6E768D2338CCF3E6E86436488954CA3763472D8FFEC4E7177E4
      SHA-512:2A037C39F3A08D4A80494227990F36C4FEF2F73C4A6AD74DCC334317A1372234C25D08D8B80D79E126881A49FA4B3F2FFFE3604C959D9CECEB47ACC7192CC6A5
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Z.h...h...h......h...h...h.......h.......h.......h...:...h.......h..Rich.h..........................PE..L......J...........!.........^...............0......................................................................P>..p....7..................................X....................................................0..4............................text............................... ..`.rdata.......0....... ..............@..@.data....E...@.......0..............@....rsrc................4..............@..@.reloc..z............6..............@..B................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):5120
      Entropy (8bit):4.168993497753568
      Encrypted:false
      SSDEEP:48:aTT4WeApYxYlxamAWHN+EuWkGWBBWAGr9SdLB8maofYZVSA:bWGSxamjHNDuWRWBBWvm6V
      MD5:8E806EA2E205DC508A2FB5ADDA3419DB
      SHA1:21BEAB4E309B139FDCCA7DD708DF8DBBFD2DD5A3
      SHA-256:86A55734B8802051BBBD0E8C9C506D0CA985BC5C99113E99B309469046133937
      SHA-512:6B362BDADD6801CEB6106485015A4AE6D227DC04C1397A730AC8FD44B00649876EE7CBD0D7690B41DCAA8451C94E9F5838DAA9FBC21F7306740DE89667468CC1
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................J.............=......,......*....../....Rich...........................PE..L......J...........!........."......D........ ...............................p......................................."..I.... ..P....P..`....................`....................................................... ..\............................text...F........................... ..`.rdata....... ......................@..@.data...P....0......................@....rsrc...`....P......................@..@.reloc..^....`......................@..B........................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):1498
      Entropy (8bit):3.677645905162938
      Encrypted:false
      SSDEEP:24:Q+sxv5SADyqWCs7y6J9a49nspuR6nDLH17CxGsp0wC96jK6EDLH1KSjLPEUg/kvo:rsxwA+qQz9aX9/o/0lp/wSjLPEUg2OJr
      MD5:DB796B30585E95B2BEB87AB6753538EF
      SHA1:5D2C58C6AE9B608E11AE615A1EB3866343C28913
      SHA-256:70896D806F7DEB78E3E3FBC962653E747374B277B1C7EF80245C2056B64CE82E
      SHA-512:9A584C61B77409F0591FB81A778B75819B4685D87A94CC6C6BE4ABB95141824C1332769C0E63B31668E316C691488062A0440A61FD0A682E97E20B62CA442D9F
      Malicious:false
      Preview:..[.S.e.t.t.i.n.g.s.].....R.e.c.t.=.1.0.4.4.....N.u.m.F.i.e.l.d.s.=.3.....R.T.L.=.0.....N.e.x.t.B.u.t.t.o.n.T.e.x.t.=.....C.a.n.c.e.l.E.n.a.b.l.e.d.=.....S.t.a.t.e.=.0.....[.F.i.e.l.d. .1.].....T.y.p.e.=.b.i.t.m.a.p.....L.e.f.t.=.0.....R.i.g.h.t.=.1.0.9.....T.o.p.=.0.....B.o.t.t.o.m.=.1.9.3.....F.l.a.g.s.=.R.E.S.I.Z.E.T.O.F.I.T.....T.e.x.t.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.n.s.o.B.E.7.1...t.m.p.\.m.o.d.e.r.n.-.w.i.z.a.r.d...b.m.p.....H.W.N.D.=.6.6.6.5.4.....[.F.i.e.l.d. .2.].....T.y.p.e.=.l.a.b.e.l.....L.e.f.t.=.1.2.0.....R.i.g.h.t.=.3.1.5.....T.o.p.=.1.0.....T.e.x.t.=.W.e.l.c.o.m.e. .t.o. .t.h.e. .I.P.C.T.o.o.l.s. .V.5...8...4._.2.0.2.4.0.5.2.1. .S.e.t.u.p.....B.o.t.t.o.m.=.3.8.....H.W.N.D.=.6.6.6.5.6.....[.F.i.e.l.d. .3.].....T.y.p.e.=.l.a.b.e.l.....L.e.f.t.=.1.2.0.....R.i.g.h.t.=.3.1.5.....T.o.p.=.4.5.....B.o.t.t.o.m.=.1.8.5.....T.e.x.t.=.S.e.t.u.p. .w.i.l.l. .g.u.i.d.e. .y.o.u. .t.h.r.o.u.g.h. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n. .o.f. .I.P.C.T.o.o.
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
      Category:dropped
      Size (bytes):26494
      Entropy (8bit):1.9568109962493656
      Encrypted:false
      SSDEEP:24:Qwika6aSaaDaVYoG6abuJsnZs5GhI11BayNXPcDrSsUWcSphsWwlEWqCl6aHAX2x:Qoi47a5G8SddzKFIcsOz3Xz
      MD5:CBE40FD2B1EC96DAEDC65DA172D90022
      SHA1:366C216220AA4329DFF6C485FD0E9B0F4F0A7944
      SHA-256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
      SHA-512:62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
      Malicious:false
      Preview:BM~g......v...(.......:............g..................................................................................DDD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@..DDD....DDDDDD........................................DDDDDDDDDD....DDDDDDDDD........DD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDD@@@@DDDDDDDDDD@@@@@@D..DD....DDDDDDD......................................DDDDDDDDDD....DDDDDDDDDD......D..D@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@DDD..D.....DDDDDD......................................DDDDDDDDD.....DDDDDDDDD......DDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@@DDDD.......DDDDDD.....................................DDDDDDDDDD....DDDDDDDDDD.....DDDDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@DDDDDD.......DDDDDD....................................DDDDDDDDD....DDDDDDDDDD......DDDDDD..@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):2710520
      Entropy (8bit):7.993091498829919
      Encrypted:true
      SSDEEP:49152:OqGRIgg2SirwkF9xdtb43lyGKCafpKkiwnaDahmPzpY4FPyazw:OxxLFfY/KCCpKk9aWMzZyaM
      MD5:4F1611F2D0AE799507F60C10FF8654C5
      SHA1:56AE8221E8024C8DEED430E01A6160795C64CF53
      SHA-256:8648C5FC29C44B9112FE52F9A33F80E7FC42D10F3B5B42B2121542A13E44ADFD
      SHA-512:F9A9F31010BCD890C1755AC3DE2F6821A707AAEAE2644CF083124DBDFDEE86BD46206762E2487B942120970CA2CED2A87931B778E9FE4AE087D67B1865DD4B1A
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............C...C...Cu.C...C...C0..Cu.C...Cu.C...Cu.C...CRich...C................PE..L....{.A......................(.....\d.......................................p)......L*..................................................(..........8)..#..........0...................................................0............................text...,........................... ..`.data...............................@....rsrc.....(.......(.................@..@...A@......AM......AZ......Ad......An......Ay......A............ADVAPI32.dll.KERNEL32.dll.NTDLL.DLL.GDI32.dll.USER32.dll.COMCTL32.dll.VERSION.dll.......................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):6503984
      Entropy (8bit):7.986886773014506
      Encrypted:false
      SSDEEP:98304:hQEKzHx15bWUuBrNatjJh2eNUrzKRL/RaIswn7aBOC5qZxVqFb2iExMc7FvxwGvf:WRDnuBotjJh2emr8L/YIsG7MOgqHG64
      MD5:0FC525B6B7B96A87523DAA7A0013C69D
      SHA1:DF7F0A73BFA077E483E51BFB97F5E2ECEEDFB6A3
      SHA-256:A22895E55B26202EAE166838EDBE2EA6AAD00D7EA600C11F8A31EDE5CBCE2048
      SHA-512:729251371ED208898430040FE48CABD286A5671BD7F472A30E9021B68F73B2D49D85A0879920232426B139520F7E21321BA92646985216BF2F733C64E014A71D
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.V...8...8...8.......8.....n.8......8......8...9.I.8.....l.8.......8.......8.......8.Rich..8.................PE..L....._S.....................,.......~............@..........................0........c...@.................................t!..,........7..........x.b..>......$2......................... ...........@............................................text...t........................... ..`.rdata..............................@..@.data... 0...@.......,..............@....wixburn8............<..............@..@.tls.................>..............@....rsrc....7.......8...@..............@..@.reloc...B.......D...x..............@..B........................................................................................................................................................................................................................................
      Process:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (560), with CRLF line terminators
      Category:dropped
      Size (bytes):5968
      Entropy (8bit):3.74889207964087
      Encrypted:false
      SSDEEP:96:X0eVJbgV2V4hLveBFAn6ueLqsZ+0wPycjn6qLoe6c4qkV0wMLvycNL415rtna5rE:X001KsgBFEvFwxLodhkzLa0L4NEBLFLA
      MD5:4E9AD8FEE683402B9FB3381549B7F98B
      SHA1:343E5E117C821AEF323B7EAF8138B91DF6EA424E
      SHA-256:148F262B214F5E472BA32DB9824342BBDA91D6F4C751A2DA0BBC2B70E2794BD2
      SHA-512:A28DF0A08B2F2C377B465E840D7C249FE766B8EE744F70F09D65905D85995251F811CEB4DED42D447CD28DD021C0662F9E5F1AC03C57F7F1767E485648DB3C2B
      Malicious:false
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.U.x.B.l.o.c.k.e.r. .S.h.o.r.t.N.a.m.e.=.".M.i.n.i.m.u.m.O.S.L.e.v.e.l.". .T.y.p.e.=.".S.t.o.p.". .C.o.n.d.i.t.i.o.n.=.".N.O.T.(.(.V.e.r.s.i.o.n.N.T. .&.g.t.;. .v.6...1.). .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.6...1. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .1.).).". .D.i.s.p.l.a.y.T.e.x.t.=.".#.l.o.c...M.i.n.i.m.u.m.O.S.L.e.v.e.l.". ./.>..... . .<.W.i.x.B.a.l.C.o.n.d.i.t.i.o.n. .C.o.n.d.i.t.i.o.n.=.".V.e.r.s.i.o.n.N.T. .&.g.t.;.=. .v.6...0. .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.5...1. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .2.). .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.5...2. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .1.).". .M.e.s.s.a.g.e.=.".[.W.i.x.B.u.n.d.l.e.
      Process:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
      Category:dropped
      Size (bytes):6841
      Entropy (8bit):5.231818976502303
      Encrypted:false
      SSDEEP:192:qMIJdg+CSWA2NLtMqAEwRceNlC8xiYOlTGyDtsFSpM52:IIATECl1i95Zw2
      MD5:1E47EE7B71B22488068343DF4CE30534
      SHA1:DEAEE13F21AB70B57F44F0AA3128EC7AD9E3816A
      SHA-256:8518F0420972C1DBE8A323FFC6F57863AF0B80C6A3B27FD0C6FC9BDABB7E2D13
      SHA-512:C4C653BFD1FC493B0EFD8F9C75495287818179DC35969D1FB1927FAAC3FF9189FDE1131C5ABBCC3963F707412A7F8AD05A9E6855B7D47D6DF1F80D25D67BE9ED
      Malicious:false
      Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 6.2.9200}{\*\mmathPr\mnaryLim0\mdispDef1\mwrapIndent1440 }\viewkind4\uc1 ..\pard\nowidctlpar\sb120\sa120\b\f0\fs20 MICROSOFT SOFTWARE LICENSE TERMS\par....\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120 MICROSOFT VISUAL C++ REDISTRIBUTABLE FOR VISUAL STUDIO 2013 \par....\pard\nowidctlpar\sb120\sa120\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft\par....\pard\nowidctlpar\fi-360\li360\sb120\sa120\f1\'b7\tab\f0 updates,\par..\f1\'b7\tab\f0 supplements,\par..\f1\'b7\tab\f0 Internet-based services, and\par..\f1\'b7\tab\f0 support services\pa
      Process:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      File Type:PNG image data, 64 x 64, 8-bit colormap, non-interlaced
      Category:dropped
      Size (bytes):1861
      Entropy (8bit):6.868587546770907
      Encrypted:false
      SSDEEP:24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
      MD5:D6BD210F227442B3362493D046CEA233
      SHA1:FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
      SHA-256:335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
      SHA-512:464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
      Malicious:false
      Preview:.PNG........IHDR...@...@.............sRGB.........gAMA......a.....PLTE].q^.r_.r_.s`.s`.s`.ta.ta.ub.ub.vc.vd.vd.vd.we.we.xe.xg.yg yg zh zh"zi"{j#|i${j$|n*~n*.n,.o,.p..q0.r2.s3.t5.x;.x<.y>.z?.|B.~C.}E..F..F..H..I..J..L..O..P..W..Y..^..a..c..g..i..q..r..}.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S......pHYs..%...%....^.....tEXtSoftware.Paint.NET v3.5.100.r.....IDATXG..iW.@...EJ.$M...`AEpG..7TpWT@\.."....(..(.._;...di:9.c>q..g....T...._...-....F..+..w.
      Process:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):2952
      Entropy (8bit):5.052095286906672
      Encrypted:false
      SSDEEP:48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
      MD5:FBFCBC4DACC566A3C426F43CE10907B6
      SHA1:63C45F9A771161740E100FAF710F30EED017D723
      SHA-256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
      SHA-512:063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
      Malicious:false
      Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B
      Process:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):5881
      Entropy (8bit):5.175177119212422
      Encrypted:false
      SSDEEP:96:wHdQG+3VzHfz96zYFJKFBiUxn7s82rf3nswO:wHAz8
      MD5:0056F10A42638EA8B4BEFC614741DDD6
      SHA1:61D488CFBEA063E028A947CB1610EE372D873C9F
      SHA-256:6B1BA0DEA830E556A58C883290FAA5D49C064E546CBFCD0451596A10CC693F87
      SHA-512:5764EC92F65ACC4EBE4DE1E2B58B8817E81E0A6BC2F6E451317347E28D66E1E6A3773D7F18BE067BBB2CB52EF1FA267754AD2BF2529286CF53730A03409D398E
      Malicious:false
      Preview:<?xml version="1.0" encoding="utf-8"?>..<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Height="64" FontId="1" Visible="yes" DisablePrefix="yes">#(loc.Title)</Text>.... <Page Name="Help">.. <Text X="11" Y="80" Width="-11" Height="30" FontId="2" DisablePrefix="yes">#(loc.HelpHeader)</T
      Process:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):120320
      Entropy (8bit):6.262646414883502
      Encrypted:false
      SSDEEP:1536:hwWD51FEDj4FBanDsDS7uO+Y3HBfPGST4BetdSnIDnDWZykftV4bvPbkYI9:NGDjrL7f35FTvtdJOZptV4bbkYS
      MD5:A52E5220EFB60813B31A82D101A97DCB
      SHA1:56E16E4DF0944CB07E73A01301886644F062D79B
      SHA-256:E7C8E7EDD9112137895820E789BAAAECA41626B01FB99FEDE82968DDB66D02CF
      SHA-512:D6565BA18B5B9795D6BDE3EF94D8F7CD77BF8BB69BA3FE7ADEFB80FC7C5D888CDFDC79238D86A0839846AEA4A1E51FC0CAED3D62F7054885E8B15FAD9F6C654E
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................x=....x...... .....0.....n..x.....x8....x9....x>...Rich..........................PE..L......R...........!.....2..........1........P...............................0.......1....@.............................................l...........................0S..............................`...@............P...............................text...M0.......2.................. ..`.rdata..yd...P...f...6..............@..@.data..../..........................@....rsrc...l...........................@..@.reloc..B ......."..................@..B................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):461368
      Entropy (8bit):6.931191292112627
      Encrypted:false
      SSDEEP:12288:iymOcB+pwPprnVmLmDsC+FU+ZOSzDBtzY7UWfR2:iLOsDFncLmKDZOSz1FO5
      MD5:2335AB0C0E19C0EF416D07DF66FEE649
      SHA1:1E8794AFF453F7647A6C149F3D38F7A3FF4CCD1B
      SHA-256:F0E46C0F9B2991FA6D187C6B2BED28139C67804CC58CC45C77F06A6F217CB21A
      SHA-512:518580D7A0D8F9610C8EC0204AE879A91A24325FB5E45348E6F0769AA25A69525992BC0F722DF113993AA29A1A917DE8FBECFB39D547D6F25354C3488BF06A62
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.V...8...8...8.......8.....n.8......8......8...9.I.8.....l.8.......8.......8.......8.Rich..8.................PE..L....._S.....................,.......~............@..........................0............@.................................t!..,........7...............>......$2......................... ...........@............................................text...t........................... ..`.rdata..............................@..@.data... 0...@.......,..............@....wixburn8............<..............@..@.tls.................>..............@....rsrc....7.......8...@..............@..@.reloc...B.......D...x..............@..B........................................................................................................................................................................................................................................
      Process:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      File Type:Microsoft Cabinet archive data, many, 980926 bytes, 5 files, at 0x44 +A "F_CENTRAL_msvcp120_x86" +A "F_CENTRAL_msvcr120_x86", flags 0x4, number 1, extra bytes 20 in head, 66 datablocks, 0x1 compression
      Category:dropped
      Size (bytes):997054
      Entropy (8bit):7.998241664100315
      Encrypted:true
      SSDEEP:12288:obKhh4wRyjIryAelsIwEuomOyqKywY+BNnVgOUq6iqOnJB9I3PWbURdqWxb2tiS/:obKFRyjI4fLuvX96ixnLaf5rAi7zNUp
      MD5:12AD6C51AA6F9DA5CCB2E2B55ABF1910
      SHA1:F35A335989ABFAAA10B265A2BAE8809D7CA835AA
      SHA-256:32B7F3223DAB68F489286F2D4253B634EED0E67754176370291F7E13AE6008A2
      SHA-512:8EB51AB4A76C09FB70408BF36132C33DD247CDDD178D6B2CA15FC13E583C54C73B4DBF09BCED81B893EFFE757A05F9C0EDBF7A15F6351136D66583ABB78DD426
      Malicious:false
      Preview:MSCF............D................................?..............B.............EC.. .F_CENTRAL_msvcp120_x86...........EC.. .F_CENTRAL_msvcr120_x86.....@.....EC.. .F_CENTRAL_vcamp120_x86...........EC.. .F_CENTRAL_vccorlib120_x86...........EC.. .F_CENTRAL_vcomp120_x86.X..OD0..CK.Z{x.U.... ......Rh.@...`.@:.]..#.TwW....:.....a...?p.....q...VQpE............>pD.Yv..U.]..&......w..{.....0.c....9..2...<.........^...f..._P..r....%"..hT..*..E..U...R......|o.......j..)./T..F.T*G..V^#pE.`.5.......WU..X.`@.<-XO|.7...g\.XW5/Qv.]=.OF.c9...b....+q$.3).EZb.r.....=.1.h.j_.....6.prq.V.^...5.M..].....L.:...^....u.0.;.v..-..9...Km.........Ho#3.. .X.....{!Ud......nxb.-.]I..A;_.a.A..Xw92o....P..6`........7.....o.`........a.^P.....@.A.........A.!............}...g.......FP......4.0........A......Aq........!....j.-.......4..r.....;.+.....3...u{=....rf.hmb-.,...qZ.,.rfv..3.....x...}.lo.}...{dr...;}7....K.Wp...l~....L...<....^u..............D....|.<...kc..t...S}e.W.
      Process:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      File Type:Microsoft Cabinet archive data, 4916768 bytes, 14 files, at 0x44 +A "F_CENTRAL_mfc120_x86" +A "F_CENTRAL_mfc120chs_x86", flags 0x4, number 1, extra bytes 20 in head, 296 datablocks, 0x1 compression
      Category:dropped
      Size (bytes):4932896
      Entropy (8bit):7.998852405602732
      Encrypted:true
      SSDEEP:98304:CPDJ5hAeLcePRtKu3LJs4QGHYl3afvVoqjXxK47Idv6Y7Ffxa/2CNy3:gDJ5hAe4eacLJJQOy3Mv6qtey2mHNM
      MD5:CFCBFA2494A3E3AB9215AA6E5872ED14
      SHA1:0A4D5018ACE1D4336C0DF051CFCCB2F6268CB8A8
      SHA-256:215A9436ED61CAFAC64849DBF5C66FF3D3AA0EE5FF977684523DCE8E59E9CB59
      SHA-512:CE0A9EAF2B46D9339E6AD892EACE32F426900D2448D9373904DFA042E20B1B891F8C93E5B6B6CBBD00471E4A74619C54E541BE862F7CC8F82230437C31292E51
      Malicious:false
      Preview:MSCF.... .K.....D........................... .K..?..........l...(.....C.......EC.. .F_CENTRAL_mfc120_x86.......C...EC.. .F_CENTRAL_mfc120chs_x86.....@7D...EC.. .F_CENTRAL_mfc120cht_x86..$....D...EC.. .F_CENTRAL_mfc120deu_x86.......F...EC.. .F_CENTRAL_mfc120enu_x86.. ..8.G...EC.. .F_CENTRAL_mfc120esn_x86..$.../H...EC.. .F_CENTRAL_mfc120fra_x86......TI...EC.. .F_CENTRAL_mfc120ita_x86.....0qJ...EC.. .F_CENTRAL_mfc120jpn_x86......CK...EC.. .F_CENTRAL_mfc120kor_x86.......L...EC.. .F_CENTRAL_mfc120rus_x86...C.()M...EC.. .F_CENTRAL_mfc120u_x86..D........EC.. .F_CENTRAL_mfcm120_x86..D..hT....EC.. .F_CENTRAL_mfcm120u_x86.........CK.|.xTE.v.....H@v.!../.......U.:I.4.t.....EYd...d......DVE..EA.....\...T..=U..7M..3...M...[..rk;..V.$u.|V.1.....v&...o...`....5........l.]`q..;.#....\..fw....%.0.-,>=+..g..^.jSU..g.x...n.11....a......]..x..,!/<...`[.'.....t..{EY...F....3Ey...W.!8.[@..m[F.c)...scz.[w.5i\-......].+t!wF0....D....@U.d.s$Nt..J........,.%..l..g.[..%;-..X..Z...%..y.......5
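The per-file fields in the entries above (Size, Entropy (8bit) and the four hashes) are exactly what an analyst recomputes from a local copy of a dropped file to confirm that the vcredist bundle, the DLL, the CABs and the MSIs pulled out of the sandbox are the same bytes this report hashed. The following Python is an added example for that check, not Joe Sandbox's own code; the sample byte string, the entry text it renders and the Temp path inside that entry are constructed for the demonstration.

```python
"""Recompute the fields a Joe Sandbox dropped-file entry reports (size,
8-bit Shannon entropy, MD5/SHA1/SHA-256/SHA-512) and compare a local copy
of the file against the entry.  Added example, not Joe Sandbox code."""
import hashlib
import math
from collections import Counter


def entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte over the byte-value histogram,
    0.0 (one repeated value) to 8.0 (uniform); the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def describe(data: bytes) -> dict:
    """The recomputable fields of one entry, keyed as the report prints them."""
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": entropy_8bit(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def parse_entry(text: str) -> dict:
    """Parse the 'Key:Value' lines of one entry as laid out on this page.
    Only the first colon separates key from value, so 'Process:C:\\...' keeps
    its drive letter."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" in line:
            key, value = line.split(":", 1)
            entry[key.strip()] = value.strip()
    return entry


def verify(entry: dict, data: bytes) -> list:
    """Names of fields whose reported value disagrees with the local bytes;
    an empty list means the local copy is what the sandbox hashed."""
    actual = describe(data)
    mismatches = []
    if int(entry["Size (bytes)"]) != actual["Size (bytes)"]:
        mismatches.append("Size (bytes)")
    for h in ("MD5", "SHA1", "SHA-256", "SHA-512"):
        if entry.get(h, "").upper() != actual[h]:
            mismatches.append(h)
    # The report prints entropy as a float with many decimals; compare loosely.
    if abs(float(entry["Entropy (8bit)"]) - actual["Entropy (8bit)"]) > 1e-6:
        mismatches.append("Entropy (8bit)")
    return mismatches


# Constructed sample standing in for a dropped file: an "MZ" prefix followed
# by a deterministic, near-uniform byte sequence (every value appears 16 times).
SAMPLE = b"MZ" + bytes((i * 7919 + 13) % 256 for i in range(4096))


def report_entry_for(data: bytes, malicious: str = "false") -> str:
    """Render an entry in the same Key:Value layout the report uses.
    The Process path is a hypothetical placeholder."""
    f = describe(data)
    return "\n".join([
        "Process:C:\\Users\\user\\AppData\\Local\\Temp\\example.exe",
        "Category:dropped",
        f"Size (bytes):{f['Size (bytes)']}",
        f"Entropy (8bit):{f['Entropy (8bit)']!r}",
        f"MD5:{f['MD5']}",
        f"SHA1:{f['SHA1']}",
        f"SHA-256:{f['SHA-256']}",
        f"SHA-512:{f['SHA-512']}",
        f"Malicious:{malicious}",
    ])


def check_sample() -> tuple:
    """Verify the sample against its own entry (expect no mismatches), then
    against an entry computed from a file that differs in its last byte, which
    is what a swapped or truncated-and-padded drop looks like (expect every
    hash to mismatch while the size still agrees)."""
    genuine = parse_entry(report_entry_for(SAMPLE))
    swapped = parse_entry(report_entry_for(SAMPLE[:-1] + b"\x00"))
    return verify(genuine, SAMPLE), verify(swapped, SAMPLE)


if __name__ == "__main__":
    ok, bad = check_sample()
    print("genuine entry mismatches:", ok)
    print("swapped-file entry mismatches:", bad)
    print("entropy of the constructed sample: %.6f" % entropy_8bit(SAMPLE))
```

To use it on a real drop, read the file's bytes, paste the entry text from the report into parse_entry, and treat any non-empty list from verify as "this is not the file the sandbox analysed". The Encrypted field is deliberately not recomputed: it is a sandbox heuristic rather than a measurable property. In this report the two Cabinet archives at entropy 7.998 are flagged Encrypted:true while the 6.5 MB PE bundle at 7.987 is flagged false, and LZX-compressed CAB data is not encrypted at all, so read the flag as "high entropy", not as evidence of a cipher or a packer.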
      Process:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2013 x86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005., Template: Intel;1033, Revision Number: {5703FD24-BF2D-4D14-AB2F-E415A0361E63}, Create Time/Date: Sat Oct 5 11:36:30 2013, Last Saved Time/Date: Sat Oct 5 11:36:30 2013, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.1623.0), Security: 2
      Category:dropped
      Size (bytes):143360
      Entropy (8bit):5.789241614671289
      Encrypted:false
      SSDEEP:3072:KVwJyjFGJvLIcXcSqviQICInggZvkNmez8:ESIcXgvi3zu
      MD5:D0A78FCAC0B92A149FE51C76371C989A
      SHA1:EDC4CB1484DDC7A5633EFAD60EA0899445AC1CA0
      SHA-256:FF206329EF1E41C038A12CA1E10634C647A8F1022E2130B7C49D91DBD48FB79A
      SHA-512:AFC617447B63E515BF17870704DFED6586E0070BCAED8787CFC4F2D7F19290DC1DF12A2FF3F76E15B8A6188698A8B5DD7742B2226C2371F627C16BB766D8DD58
      Malicious:false
      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2013 x86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005., Template: Intel;1033, Revision Number: {E9934153-EAB1-4DA6-AA72-86C8BB1EDF2C}, Create Time/Date: Sat Oct 5 11:36:36 2013, Last Saved Time/Date: Sat Oct 5 11:36:36 2013, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.1623.0), Security: 2
      Category:dropped
      Size (bytes):143360
      Entropy (8bit):5.730016728994943
      Encrypted:false
      SSDEEP:3072:MVyJyjFGJvLIcXcSqviQICInggRKyNmNX8:ESIcXgvi36D
      MD5:E3E632C282F2B368BCA82AACB80ACEAF
      SHA1:04A046E2EBB681B53F46DB1EC1434FAEF8B17618
      SHA-256:1937F3FEA43918D3FB8B8BB74FD1210467F9186AD06729DE82F8F0448AE65509
      SHA-512:B9FC13D5BFAF1EA72BFF323302AA6C89AFE52C6AAD469B01D78B28422DC66CD6B7423D42200795905DE0B673466CF65800FBBBF0496D6CF2C4FC8E48E0412BF5
      Malicious:false
      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, MSI Installer, Create Time/Date: Mon Jun 21 09:00:00 1999, Number of Pages: 200, Code page: 1252, Title: Installation Database, Subject: Microsoft Visual C++ 2005 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: Microsoft Visual C++ 2005 Redistributable RTL x86 enu; Copyright (C) Microsoft Corporation, All rights reserved., Template: Intel;0, Revision Number: {31076048-5B7B-4476-ABF0-15989228CB90}, Name of Creating Application: Visual Studio Setup Build Engine (BuildMod.DLL), Security: 2, Last Saved Time/Date: Fri May 13 19:14:52 2011, Number of Words: 2
      Category:dropped
      Size (bytes):2770944
      Entropy (8bit):7.898356017242934
      Encrypted:false
      SSDEEP:49152:BxtG+uBvEH/sbE3EyyBU5czkhwZawV4mC5kRuhg6MmqmPAhe75LzNyS:TuVOTWBdzkkawxSh4iAhm51yS
      MD5:B20BBEB818222B657DF49A9CFE4FED79
      SHA1:3F6508E880B86502773A3275BC9527F046D45502
      SHA-256:91BDD063F6C53126737791C9ECCF0B2F4CF44927831527245BC89A0BE06C0CB4
      SHA-512:F534BC7BF1597E728940E6C3B77F864ADFAA413BB1E080458326B692B0F96BDDF4FBD294EEED36D7764A3578E6C8E919488BBF63B8FE2D4355AB3EFD685424A4
      Malicious:false
      Preview:......................>...................+...............8...................y...z...........................c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...&...'...(...)...*...+...,...-...}...~...................................................................................................................................................................................................................................................................................R................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-.......6...0...1...2...3...4...5...X...7...?...e...:...;...<...=...>.../...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...S...`...T...U...V...W...Y...]...Z...[...\...^..._...a...f...i...b...c...d...g...$...h...j...l...n...k...m...o...p...r...q...t...s...u.......v.......w...x...........
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, MSI Installer, Create Time/Date: Mon Jun 21 09:00:00 1999, Number of Pages: 200, Code page: 1252, Title: Installation Database, Subject: Microsoft Visual C++ 2005 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: Microsoft Visual C++ 2005 Redistributable RTL x86 enu; Copyright (C) Microsoft Corporation, All rights reserved., Template: Intel;0, Revision Number: {31076048-5B7B-4476-ABF0-15989228CB90}, Name of Creating Application: Visual Studio Setup Build Engine (BuildMod.DLL), Security: 2, Last Saved Time/Date: Fri May 13 19:14:52 2011, Number of Words: 2
      Category:dropped
      Size (bytes):2770944
      Entropy (8bit):7.898356017242934
      Encrypted:false
      SSDEEP:49152:BxtG+uBvEH/sbE3EyyBU5czkhwZawV4mC5kRuhg6MmqmPAhe75LzNyS:TuVOTWBdzkkawxSh4iAhm51yS
      MD5:B20BBEB818222B657DF49A9CFE4FED79
      SHA1:3F6508E880B86502773A3275BC9527F046D45502
      SHA-256:91BDD063F6C53126737791C9ECCF0B2F4CF44927831527245BC89A0BE06C0CB4
      SHA-512:F534BC7BF1597E728940E6C3B77F864ADFAA413BB1E080458326B692B0F96BDDF4FBD294EEED36D7764A3578E6C8E919488BBF63B8FE2D4355AB3EFD685424A4
      Malicious:false
      Preview:......................>...................+...............8...................y...z...........................c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...&...'...(...)...*...+...,...-...}...~...................................................................................................................................................................................................................................................................................R................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-.......6...0...1...2...3...4...5...X...7...?...e...:...;...<...=...>.../...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...S...`...T...U...V...W...Y...]...Z...[...\...^..._...a...f...i...b...c...d...g...$...h...j...l...n...k...m...o...p...r...q...t...s...u.......v.......w...x...........
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2013 x86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005., Template: Intel;1033, Revision Number: {E9934153-EAB1-4DA6-AA72-86C8BB1EDF2C}, Create Time/Date: Sat Oct 5 11:36:36 2013, Last Saved Time/Date: Sat Oct 5 11:36:36 2013, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.1623.0), Security: 2
      Category:dropped
      Size (bytes):143360
      Entropy (8bit):5.730016728994943
      Encrypted:false
      SSDEEP:3072:MVyJyjFGJvLIcXcSqviQICInggRKyNmNX8:ESIcXgvi36D
      MD5:E3E632C282F2B368BCA82AACB80ACEAF
      SHA1:04A046E2EBB681B53F46DB1EC1434FAEF8B17618
      SHA-256:1937F3FEA43918D3FB8B8BB74FD1210467F9186AD06729DE82F8F0448AE65509
      SHA-512:B9FC13D5BFAF1EA72BFF323302AA6C89AFE52C6AAD469B01D78B28422DC66CD6B7423D42200795905DE0B673466CF65800FBBBF0496D6CF2C4FC8E48E0412BF5
      Malicious:false
      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2013 x86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005., Template: Intel;1033, Revision Number: {E9934153-EAB1-4DA6-AA72-86C8BB1EDF2C}, Create Time/Date: Sat Oct 5 11:36:36 2013, Last Saved Time/Date: Sat Oct 5 11:36:36 2013, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.1623.0), Security: 2
      Category:dropped
      Size (bytes):143360
      Entropy (8bit):5.730016728994943
      Encrypted:false
      SSDEEP:3072:MVyJyjFGJvLIcXcSqviQICInggRKyNmNX8:ESIcXgvi36D
      MD5:E3E632C282F2B368BCA82AACB80ACEAF
      SHA1:04A046E2EBB681B53F46DB1EC1434FAEF8B17618
      SHA-256:1937F3FEA43918D3FB8B8BB74FD1210467F9186AD06729DE82F8F0448AE65509
      SHA-512:B9FC13D5BFAF1EA72BFF323302AA6C89AFE52C6AAD469B01D78B28422DC66CD6B7423D42200795905DE0B673466CF65800FBBBF0496D6CF2C4FC8E48E0412BF5
      Malicious:false
      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2013 x86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005., Template: Intel;1033, Revision Number: {5703FD24-BF2D-4D14-AB2F-E415A0361E63}, Create Time/Date: Sat Oct 5 11:36:30 2013, Last Saved Time/Date: Sat Oct 5 11:36:30 2013, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.1623.0), Security: 2
      Category:dropped
      Size (bytes):143360
      Entropy (8bit):5.789241614671289
      Encrypted:false
      SSDEEP:3072:KVwJyjFGJvLIcXcSqviQICInggZvkNmez8:ESIcXgvi3zu
      MD5:D0A78FCAC0B92A149FE51C76371C989A
      SHA1:EDC4CB1484DDC7A5633EFAD60EA0899445AC1CA0
      SHA-256:FF206329EF1E41C038A12CA1E10634C647A8F1022E2130B7C49D91DBD48FB79A
      SHA-512:AFC617447B63E515BF17870704DFED6586E0070BCAED8787CFC4F2D7F19290DC1DF12A2FF3F76E15B8A6188698A8B5DD7742B2226C2371F627C16BB766D8DD58
      Malicious:false
      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2013 x86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005., Template: Intel;1033, Revision Number: {5703FD24-BF2D-4D14-AB2F-E415A0361E63}, Create Time/Date: Sat Oct 5 11:36:30 2013, Last Saved Time/Date: Sat Oct 5 11:36:30 2013, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.1623.0), Security: 2
      Category:dropped
      Size (bytes):143360
      Entropy (8bit):5.789241614671289
      Encrypted:false
      SSDEEP:3072:KVwJyjFGJvLIcXcSqviQICInggZvkNmez8:ESIcXgvi3zu
      MD5:D0A78FCAC0B92A149FE51C76371C989A
      SHA1:EDC4CB1484DDC7A5633EFAD60EA0899445AC1CA0
      SHA-256:FF206329EF1E41C038A12CA1E10634C647A8F1022E2130B7C49D91DBD48FB79A
      SHA-512:AFC617447B63E515BF17870704DFED6586E0070BCAED8787CFC4F2D7F19290DC1DF12A2FF3F76E15B8A6188698A8B5DD7742B2226C2371F627C16BB766D8DD58
      Malicious:false
      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):28672
      Entropy (8bit):3.741623752383387
      Encrypted:false
      SSDEEP:192:XOdG/6G4nnykxsdYZ+mrv2ySzLUHypLGgjuXFw5acHKBNtHjhuHWrkA9uBP1WWzT:P6GuZBrvkzAHyxxHKBdaA2dWWzm0ZH
      MD5:85221B3BCBA8DBE4B4A46581AA49F760
      SHA1:746645C92594BFC739F77812D67CFD85F4B92474
      SHA-256:F6E34A4550E499346F5AB1D245508F16BF765FF24C4988984B89E049CA55737F
      SHA-512:060E35C4DE14A03A2CDA313F968E372291866CC4ACD59977D7A48AC3745494ABC54DF83FFF63CF30BE4E10FF69A3B3C8B6C38F43EBD2A8D23D6C86FBEE7BA87D
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........CnuS".&S".&S".&t.}&P".&S".&.".&t.{&X".&t.m&^".&t.z&R".&t.n&R".&t.x&R".&RichS".&........................PE..L...\..C...........!.....@... .......6.......P....@..........................p......I................................B.......=..x............................`......0...............................x...@............................................text....2.......@.................. ..`.data...h....P.......P..............@....reloc..<....`.......`..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):68727
      Entropy (8bit):5.553199815542959
      Encrypted:false
      SSDEEP:1536:udpFmB4NG/Pvea+EvA1KQTiUs+AjCjR5QioH2E4/hv:QmBt0y2E8v
      MD5:7AE7304D3CDC27017ACFFF4D7DCB12A5
      SHA1:099AEC56A82BF66FCEFAEBBEEA68835D2BB5495A
      SHA-256:3598C81FC7D367E3BE8B2222BFEF38B9ADF7AE770489DA8740F68E0EADDFC5CB
      SHA-512:E888D4CBC0DBD4E3AC4D764FB60A254D87D729C01FC9909878117F6D461F42E35A14D9FB5741F2322627336783925BDE48BCF0C673A5E9B191CD2993AD451A7E
      Malicious:false
      Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}).Microsoft Visual C++ 2005 Redistributable..vcredist.msi.@.....@I....@.....@........&.{31076048-5B7B-4476-ABF0-15989228CB90}.....@.....@.....@.....@.......@.....@.....@.......@....).Microsoft Visual C++ 2005 Redistributable......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{A49F249F-0C91-497F-86DF-B2585E8E76B7}?.02:\SOFTWARE\Microsoft\DevDiv\VC\Servicing\8.0\RED\1033\Install.@.......@.....@.....@......&.{EC50BE77-3064-11D5-A54A-0090278A1BB8}1.02:\SOFTWARE\Microsoft\DevDiv\VC\Servicing\8.0\SP.@.......@.....@.....@......&.{946F6004-4E08-BCAB-E01F-C8B3B9A1E18E}...@.......@.....@.....@......&.{97F81AF1-0E47-DC99-A01F-C8B3B9A1E18E}..>ATL80.dll\Microsoft.VC80.ATL,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):6063
      Entropy (8bit):5.747017818594749
      Encrypted:false
      SSDEEP:96:5dzNpwHNpvppKju867NY5J5J5J5J58Ub8hWkgWTS5Wxi8baNpbH8M8eeNpheW4Ae:5dDyf7nTWkgWTeWHu4eVg29WtziL
      MD5:7DFB64EA52B90BA3AA72544C645E1E70
      SHA1:F3687947D7493FD2A81D529D0206E9E50DB40942
      SHA-256:0A6B496C9B136097FB9716F51F4E2C6B13B20BC418B9AE44EE1EC11CBC117055
      SHA-512:95DF9B8632F86C3978351E94699603B3A17EACB15C0C152CF2DD6FC0D60515CB369228855ADAD6AF5D23D39CD6BB5FB12F00453C443429DE8B477EEB5BDF4DAA
      Malicious:false
      Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}:.Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005..vc_runtimeMinimum_x86.msi.@.....@.R...@.....@........&.{E9934153-EAB1-4DA6-AA72-86C8BB1EDF2C}.....@.....@.....@.....@.......@.....@.....@.......@....:.Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{FE80AAC7-9373-345B-8C89-01D4359338F8}@.02:\SOFTWARE\Microsoft\VisualStudio\12.0\VC\Runtimes\x86\Version.@.......@.....@.....@......&.{0835C947-D6D2-4E52-AF14-0231D04E88EA} .C:\Windows\SysWOW64\msvcr120.dll.@.......@.....@.....@......&.{74260D9F-D644-423B-B2D4-0291EA4BA8BE} .C:\Windows\SysWOW64\msvcp120.dll.@.......@.....@.....@......&.{63B83B20-1AB9-4F49-B0B2-4489724CA96C}#.C:\Windows\SysWOW64\vccorlib120.dll.@.......@.....@.....@......&.
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):10008
      Entropy (8bit):5.6917996606615855
      Encrypted:false
      SSDEEP:192:4zynAr7SfdqW5fhnzwliQ+JbTe+Ae+Ao+G5ase+Ft44aWRmB1:4zynAr7SfdqW5fhnzwsQeecCZbF6rWRs
      MD5:91F91B83E7350D90B0AAC6FE4FC0605B
      SHA1:2D7C79BE454989E8470D63A39766E3E51FE7D8B3
      SHA-256:D413917B711B7E6042D016BBDB0D53CA6322E77331C98F6034112E32D9209248
      SHA-512:B696D41A7C83ADCF61670BBC8F01EDE37D2CC0C003939ED6BB1D8ACC2497497DF631899F2741F2AD4080947E2450A2D657F395519BC6329274DB7311B77D82C2
      Malicious:false
      Preview:...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}=.Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005..vc_runtimeAdditional_x86.msi.@.....@.R...@.....@........&.{5703FD24-BF2D-4D14-AB2F-E415A0361E63}.....@.....@.....@.....@.......@.....@.....@.......@....=.Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{1D481A21-C43F-38B9-B0D1-E090FD2D2643}@.02:\SOFTWARE\Microsoft\VisualStudio\12.0\VC\Runtimes\x86\Version.@.......@.....@.....@......&.{7EA36934-F736-408F-BD04-A2A710E04773}..C:\Windows\SysWOW64\mfc120.dll.@.......@.....@.....@......&.{B5B46CD9-9426-401F-9C3B-646807EFE00B}..C:\Windows\SysWOW64\mfc120u.dll.@.......@.....@.....@......&.{D4263C2B-DA4A-4000-A8E0-4BE8E46A9A3C}..C:\Windows\SysWOW64\mfcm120.dll.@.......@.....@.....@......
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):20480
      Entropy (8bit):1.2073470970730036
      Encrypted:false
      SSDEEP:12:JSbX72FjAsXAlfLIlHuRpZhG7777777777777777777777777ZDHFSD58bAzsvnY:JBUIwEy58basUuO6cF
      MD5:CA5EE92C903F16BD220F010E94552532
      SHA1:AAE823F3D555353BA6D559407FBC8C6788BBF5BA
      SHA-256:CE0F7B82D0FB8CCD8B310B46E3052C7C38E32C13B03D30F720C534F057F6E910
      SHA-512:03ADBF663CF91C74596F45871A24EA3F313C4E692C243C9E3300D23F735A055D0F14A4CA1A25C2842EC2A1572062F8D43CA5F3F97EBA276DB02FF99E63FA5FCD
      Malicious:false
      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):20480
      Entropy (8bit):1.200875850275576
      Encrypted:false
      SSDEEP:12:JSbX72FjYXsXAlfLIlHuRpqBhG7777777777777777777777777ZDHFZyYpX9xA3:J+SUIwZuY987F
      MD5:1563DE437CCDC846B0774FFEFA4235C3
      SHA1:66E81603FBD90C4296B72DA6B2A9C2740E1DB8DA
      SHA-256:9B14354772C01EFB0828691B357374DAB49E39115E749A215C1D598CA6F3C51E
      SHA-512:F1E756CCAC8942A87D9203EF84042C322AEFDAB7109169E67F607078784392054E5077457E88E07082427AAAAA0FEAE09C7C4A1C40D994A6DE84FA1D7FBAF3F1
      Malicious:false
      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):20480
      Entropy (8bit):1.208602863734517
      Encrypted:false
      SSDEEP:12:JSbX72FjhsXAlfLIlHuRpWBhG7777777777777777777777777ZDHF4DTXJECNKn:JqUIwUiiEaKQcF
      MD5:CB68EFA839E6318D26CA5C3D865E40E3
      SHA1:C1EE20898B18817B2B9768DBC77CB453586CE1B2
      SHA-256:A0D1FE9777EB48978B4E120700C3B97C979BEF984CEB7B93643A74D8233EEDA0
      SHA-512:4461369BA833FC3E2E5D7B4914010F6F5067987AD1C8E19B1BC2803F2E99440F33831A8004352B7B63B973F8A214C66F9D94C7AD4BB5530DCAD7410B94235FBB
      Malicious:false
      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):20480
      Entropy (8bit):1.5485852868093724
      Encrypted:false
      SSDEEP:48:uE8PhBuRc06WXidFT5RdH6RLBLEASmRSo9idSIV8Z6c:ubhB1zFT9HaLBLEAVR4J8Z6c
      MD5:180EC6C8714C92DD80CB732F679B9E6B
      SHA1:4686E0C9DBD07A5A616F5ABC1EDABFD1E7DA3A2B
      SHA-256:77291357502CBF716BFEF1CC11DF37346BDD99B1F7CAB5476EDB7C20B78B21D0
      SHA-512:36859292A425F04277D356072DD577F3E44DC654D1D90FB7EB7E96EB95872DAAAD649B49D74D8DECD285DF2298F047E2830119C1E0F7FA49F84519D12C063387
      Malicious:false
      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
      Category:dropped
      Size (bytes):432221
      Entropy (8bit):5.375170911386842
      Encrypted:false
      SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauu:zTtbmkExhMJCIpEr3
      MD5:CE615BA6EC13575E7F4C7243E5E58842
      SHA1:C07AF92DDB342BF27A3D5AB13379A5C3512540E6
      SHA-256:F2A3E373B28192A32C553A3F6BDF31D92CDD39734B2AAABC9C0E1CA2020FE5C3
      SHA-512:7E800D0EB714F8FA1DEA5B2038C5972C85EE8D7CC5C26943B4998B2E1CDBE61C40EB9817A17A40CA65277172D748E73BE0AF633703D41946B55038D4D0600B5D
      Malicious:false
      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):46248
      Entropy (8bit):6.134571748867257
      Encrypted:false
      SSDEEP:768:WdzvsXN+ptLkrHyTby9XVLK8iLkbHbppuW5Z5:Cz0XN+ptLUHCbyBVLK85eKZ5
      MD5:1D343669E50F2CF53901C0B1A85D67F8
      SHA1:18955A82D87302066BE07E1DDD2E2C83FAD3A3BE
      SHA-256:68EC84B251DFB616E48141D674F423E70489B2B749164C0CC5C809C259F4E2AF
      SHA-512:F8D7B9BF92FA111D10C2827B88E0072EB483D25EF57274AA6D6DD49DDC7275D9637195D1BF30ED7EAE005B417591A65969C40846C63F96E960F90E27FE06A684
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9y.9y.9y..(..8y..(..8y.Rich9y.........PE..L.....OR.........."!.........t...........................................................@............................................. s...........v...>...........................................................................................rsrc... s.......t..................@..@....................................................................8.......P.......8.......(.......@....................>..X....................>..p....>.......?.......?.......?.......?.......?.......?.......?..0....A..H....B..`... B..x...AB......BB......CB......VB......lB.......B.......B.. ....B..8....x..P....x..h....x.......x.......~.......~.......~....................<.....................(.......@.......X.......p...........!.......(.......).......*.......,.......-...........0.../...H.......`.......x...........................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):46248
      Entropy (8bit):6.179706372945047
      Encrypted:false
      SSDEEP:768:4efucVI4TA7kn4TJVM3i/EhKg+8iDUpDSHRSa:FucVI4TA4noVM3XhKg+8uUyRSa
      MD5:928EF91C2BCC8F82725CDB1A5ED711D9
      SHA1:72DBE1129AE70BF08BF508B02DFDE428C05C9212
      SHA-256:BB8111CFEE6EB4A9F113EA1CB1C573DE990A987635B7111821C73D6CBFDBE38B
      SHA-512:F6454427AE2D655AF8396CDD33742768AD5C0677E6278D47BC5E5FB5C1E1DAE9610AA92271FA8E6ADB781DC6CE382ADFC14C78682FC23449D378F7C4F9AEAE39
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9y.9y.9y..(..8y..(..8y.Rich9y.........PE..L.....OR.........."!.........t......................................................b?....@.............................................Hs...........v...>...........................................................................................rsrc...Hs.......t..................@..@....................................................................8.......P.......8.......(.......@....................>..X....................>..p....>.......?.......?.......?.......?.......?.......?.......?..0....A..H....B..`... B..x...AB......BB......CB......VB......lB.......B.......B.. ....B..8....x..P....x..h....x.......x.......~.......~.......~....................<.....................(.......@.......X.......p...........!.......(.......).......*.......,.......-...........0.../...H.......`.......x...........................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):74920
      Entropy (8bit):4.756155783917953
      Encrypted:false
      SSDEEP:1536:0VPidQr0UZqnn0BDLWPu6V4aGCWRZ+e0petNSaQhp0vcsjsr8gWt8C1dCuf9y85i:0VidQr0UZqnnSLWPu6V4aGCWRZX0bhpX
      MD5:B82A4BA3EBAEBD8810F2304C0535DA4C
      SHA1:54611D7788ABCBAF2C3460F457AD8A76806DE5DE
      SHA-256:9248457F55D091F97D282F14D3D55BC28CBA5024B69050209DF0F0A8806F8B5A
      SHA-512:AA8ADFCCD9CD6865B9F63D74EC45AEAC62E2D84DE7A8DDC4AAC53B4D5BE402E02EF8107D579DAD305A56B9638464C323AC636E4659EA84E8E687F07E2ECF7F0A
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9y.9y.9y..(..8y..(..8y.Rich9y.........PE..L.....OR.........."!......................................................................@.............................................H................>...........................................................................................rsrc...H...........................@..@....................................................................8.......P.......8.......(.......@....................>..X....................>..p....>.......?.......?.......?.......?.......?.......?.......?..0....A..H....B..`... B..x...AB......BB......CB......VB......lB.......B.......B.. ....B..8....x..P....x..h....x.......x.......~.......~.......~....................<.....................(.......@.......X.......p...........!.......(.......).......*.......,.......-...........0.../...H.......`.......x...........................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):65192
      Entropy (8bit):4.900787098406691
      Encrypted:false
      SSDEEP:768:xyijcBEhCgyEO6B1CLPLNq5f/nWHBNheOU2fd5N+8iUbH1rV:xRzfyEO6B8PLNYf/nWHNTdT+8J1rV
      MD5:BC61781863211ABBC7C15248CCFAF9A0
      SHA1:00C5A5F79A64393CE56147D2A0F19E250BF284EC
      SHA-256:9E222C509F5D1E7D451A37220B9C6574DEC36FB1C5042426278478E640CF0052
      SHA-512:C076A8197AFCBB98027175D42658CB9408B92CC5D1DFB8CC7BA92B2CE926300A9CCE5A1AB5A0B0178042232EE91DD2AE21F0DF722EF1249033145F3ADE1BC000
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9y.9y.9y..(..8y..(..8y.Rich9y.........PE..L.....OR.........."!................................................................y'....@..............................................................>...........................................................................................rsrc...............................@..@....................................................................8.......P.......8.......(.......@....................>..X....................>..p....>.......?.......?.......?.......?.......?.......?.......?..0....A..H....B..`... B..x...AB......BB......CB......VB......lB.......B.......B.. ....B..8....x..P....x..h....x.......x.......~.......~.......~....................<.....................(.......@.......X.......p...........!.......(.......).......*.......,.......-...........0.../...H.......`.......x...........................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):73896
      Entropy (8bit):4.729865858952854
      Encrypted:false
      SSDEEP:768:Hw0KnBU6fN6rg/PKuCOCF3OKWRElJRZRIvpy8i2m7JHfQ0:Zwq6fN68/PKuFm3OKWkRZRIk8L0ff
      MD5:0F79E653D7F5180678E457CE39813F0E
      SHA1:1502BEC70A4F611976336F3B2B0976520465D6C9
      SHA-256:AE5EEB021006B52F66D9594F3FE7B26C934E41ECF24D252871E46442AFF39B55
      SHA-512:332BCC256AD78F201F49135BFEE4DC1B2D87C2B98E4D63159750C3356A711F02D07B4E10CDD0F02CE39CDEF39F55F95BE60281E01A279B51CB382D088E0D2E1F
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9y.9y.9y..(..8y..(..8y.Rich9y.........PE..L.....OR.........."!......................................................................@..............................................................>...........................................................................................rsrc...............................@..@....................................................................8.......P.......8.......(.......@....................>..X....................>..p....>.......?.......?.......?.......?.......?.......?.......?..0....A..H....B..`... B..x...AB......BB......CB......VB......lB.......B.......B.. ....B..8....x..P....x..h....x.......x.......~.......~.......~....................<.....................(.......@.......X.......p...........!.......(.......).......*.......,.......-...........0.../...H.......`.......x...........................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):74920
      Entropy (8bit):4.7398849390733115
      Encrypted:false
      SSDEEP:768:+26iNYajZELmOYImN8YxAaTafCp5eFQZmZUjyyyyyyyyyyyyyyyUGQFUbWo2Neem:+NuqLmOQA2SCHj0jo8K7W
      MD5:F09B21C8959133053E94A4AF14D6B46F
      SHA1:5100D71973CFB310F89DA5E53DB7B87AE7311992
      SHA-256:0FA0A1FD83269C78C322BF8BE59F8A8BB93143AE5731CB263F2F2C91175EAE47
      SHA-512:FDED7775E1679CEE895AFB43BC7110C212548A76B95A819F32F54F97FDCCB1E0756093B4BA2DC45147F3E4D5AC357B21625E75AED821232F2C776E23DBA9D852
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9y.9y.9y..(..8y..(..8y.Rich9y.........PE..L.....OR.........."!................................................................*.....@.............................................x................>...........................................................................................rsrc...x...........................@..@....................................................................8.......P.......8.......(.......@....................>..X....................>..p....>.......?.......?.......?.......?.......?.......?.......?..0....A..H....B..`... B..x...AB......BB......CB......VB......lB.......B.......B.. ....B..8....x..P....x..h....x.......x.......~.......~.......~....................<.....................(.......@.......X.......p...........!.......(.......).......*.......,.......-...........0.../...H.......`.......x...........................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):72872
      Entropy (8bit):4.73664045671538
      Encrypted:false
      SSDEEP:768:3uE6XaCyqbK15MS1igDGxNIlW3gyCQQQjeqS1hDsiiUWTVP8ijvH9c:mass5MS1igSxNIlW37oETF8U9c
      MD5:FFA0B900C2C0401D902465591E165E16
      SHA1:7D73D542296B53562F424946D02E8C73D08171B2
      SHA-256:B175C54C7FAF7B29BA8EE5C3EB647E05FD8AC5E6CBFE638A27815F621795F2EB
      SHA-512:7AAEEC584EADB80150C10A1121EB63E89B6845BDF0497B66F78AC03A6FC9CE3B075613B55D01A3EC348E26853A1A1BB201D8C217CF7A4CA0398FD8AE6E23786D
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9y.9y.9y..(..8y..(..8y.Rich9y.........PE..L.....OR.........."!......................................................................@.............................................`................>...........................................................................................rsrc...`...........................@..@....................................................................8.......P.......8.......(.......@....................>..X....................>..p....>.......?.......?.......?.......?.......?.......?.......?..0....A..H....B..`... B..x...AB......BB......CB......VB......lB.......B.......B.. ....B..8....x..P....x..h....x.......x.......~.......~.......~....................<.....................(.......@.......X.......p...........!.......(.......).......*.......,.......-...........0.../...H.......`.......x...........................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):53928
      Entropy (8bit):5.970860603810259
      Encrypted:false
      SSDEEP:768:panVn/eGtJxtr10/euKRHIWQ8iphTwHj+2T1y+:0np/eg/uMW8lzT1y+
      MD5:4BA51DA48F1BA2222664017724251775
      SHA1:09B4B1F07C8DA202355CBB4A7D4139A308B9C948
      SHA-256:776D3E99FA205289D1B85A5EAD9ED1A412526CBD6428A9B2E7BC857DC4734646
      SHA-512:ACE2ACCF29FE99FF58E083A14BAECF521F3C206A9BACCAF9122D78C0A3C6A2AF0A2A5103685B00294A7F252BFDD516409814EFAB8DD6807C2279557F51CA0B25
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9y.9y.9y..(..8y..(..8y.Rich9y.........PE..L.....OR.........."!................................................................+.....@..............................................................>...........................................................................................rsrc...............................@..@....................................................................8.......P.......8.......(.......@....................>..X....................>..p....>.......?.......?.......?.......?.......?.......?.......?..0....A..H....B..`... B..x...AB......BB......CB......VB......lB.......B.......B.. ....B..8....x..P....x..h....x.......x.......~.......~.......~....................<.....................(.......@.......X.......p...........!.......(.......).......*.......,.......-...........0.../...H.......`.......x...........................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):53416
      Entropy (8bit):6.097205008917309
      Encrypted:false
      SSDEEP:768:EzO54LQTNtQraHniJNB2I7CvqR8i2Hv+r:b51TNthniJv2I7CvqR8Hv+r
      MD5:6201122886A4557A3E97647F95FB34AC
      SHA1:AD8831969784C168C861D15708528E2D359EAB96
      SHA-256:07CC905FCDBE661903851F371584388AB338C9CC2DEE3FE0F91D3562E7B68078
      SHA-512:91299874BEF31D3333BEED2096E0987BC8F7263412DF34A53C8FC553779119688AFCFF32902641032B551F2BC490751F0646B78B75B0CD05B05DDC273F58DC33
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}...9y.9y.9y..(..8y..(..8y.Rich9y.........PE..L.....OR.........."!................................................................+S....@..............................................................>...........................................................................................rsrc...............................@..@....................................................................8.......P.......8.......(.......@....................>..X....................>..p....>.......?.......?.......?.......?.......?.......?.......?..0....A..H....B..`... B..x...AB......BB......CB......VB......lB.......B.......B.. ....B..8....x..P....x..h....x.......x.......~.......~.......~....................<.....................(.......@.......X.......p...........!.......(.......).......*.......,.......-...........0.../...H.......`.......x...........................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):70824
      Entropy (8bit):5.28547454088543
      Encrypted:false
      SSDEEP:768:oZq/gFXOv9GuqN9TMIVhtZ3FckD+SkP8i7iHrEr:d6XOv9OhTVI8frEr
      MD5:DFB441CA61002365F2DB2EF8769455E4
      SHA1:F189F4B46CC8530F3A53D9BB7BB0749893BE2A04
      SHA-256:D4E11F22D3C71CD99EE3731777B1943FF3A6B828C1EEAAFAEA0AFFF56646E7DC
      SHA-512:AF785EB2F5928DD35A09F428F0C8F995784AE737A4FADC7DB887D687042652B3E01FE32C84697C744BE712287578845B42603ABEDF41B9721C710C7E4AB21391
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):339616
      Entropy (8bit):6.476536011761002
      Encrypted:false
      SSDEEP:6144:ODyAW5+4f+wKjFqfEz2v2ut90DOXmYRlk6Zg:yW/GwKj6EUDL0KP7C
      MD5:3BCA5A693F9F772FC8F92A61E45320FC
      SHA1:C84A6BB36D9D4CDE3BECF4135CF8BDD0E43F68EE
      SHA-256:25FD2EB39C27717838D115B44A53C89D028C0E00967C7FCE4474E832E108DB7F
      SHA-512:D43F62D92A851DFDFDB1578D3D7943E44B4D69F40441CB30BBB8983CADD3AB55C43E60F59FCC105B8E9A8BAE2B4610FFB76EC69EC201E1250A3FBC3F6B6AE798
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):119456
      Entropy (8bit):6.615804595453349
      Encrypted:false
      SSDEEP:3072:a11AajtOJq44zQHMSdTq0HDzVub/xLy+82rH:K1iqBMzHu/xLZH
      MD5:27BC360D67F269A61BB052E10C9FCEEB
      SHA1:8D81406C8DD3ED8894D8AEE07DD718DCFD2035C5
      SHA-256:FC12360FF09830BF08B7A2A238016EEA2B9E9475CBEA4C22043B264E76B3420C
      SHA-512:2807AF25E00EA11C0ACFAE20D44EE0F02B2331C469F14F5D42814805AE16B7B2A11FBCD7F9046F3E11ADC434133057DADAB62BECA63EB70793FD755F3F827755
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):32768
      Entropy (8bit):0.10343497915702723
      Encrypted:false
      SSDEEP:6:xPLG7iVCnLG7iVrKOzPLHKO27DUyHXJEM9TEkssGiNKcBlIVky6l80t/:50i8n0itFzDHF4DTXJECNKqp801
      MD5:B5F71D86463E8127906D2F043DE873CB
      SHA1:EC9FCB57A19E02016EB06A875A9D40C58713A5F9
      SHA-256:82A11C1DCA0E561A30D834C95B90A3E82B8BBDFD001B3DC68CC19687C7A342AD
      SHA-512:1B9D96ABDBAC664745D1145D499817524F6F8C72DA8A6660C61494C32D54C7D4A3579EF288BC29C717D8BC0DFEE7312166A37977763061BD347341B34B8D7000
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:modified
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):20480
      Entropy (8bit):1.6076836844100257
      Encrypted:false
      SSDEEP:48:98PhXuRc06WXJsFT5R92v/eSMo9k9SeSB29mfd80Z1P:ghX1PFT6/eQeqxZ
      MD5:A77A2401D918E79103DD7D0CA82EBD94
      SHA1:8E3543A29058FB667CC48831D4023979661A059E
      SHA-256:475F3F44B0DDA89B536C2F4AD7DFC617EEA6B268722271B9E2661486917DD56E
      SHA-512:A11AB69F096C6E7FBE9D655A2CE51603B17C6DD6B36C4855607E31279604A55946833D1A5957DBDCDB89693C6BEA169A3471070DF002024FE905CE953B5C6C18
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):32768
      Entropy (8bit):1.2356815922299842
      Encrypted:false
      SSDEEP:48:4wE5uFLb0FXiYT5TAd/Emqi16U1SmRSo9idSIpZbEmqi:495NtT94HX1VR4lZ
      MD5:FF02D43847C78877FE340EB15927AE15
      SHA1:6E9A011622D3C0B914923C58DD8EDFA0B27AAAF9
      SHA-256:110795E1F3E7C0C96481D893BAEE7BCB4C04840A036865CBE8F17F611B993217
      SHA-512:781932E7398B14D82974A14D27E8F9519D57D50B16ECA299901E5A7C62FF75E84C55E39E1608BB2679A6166ACC0D160B731ED9A913EA455339C6FB529D2C8C90
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):32768
      Entropy (8bit):1.2356815922299842
      Encrypted:false
      SSDEEP:48:4wE5uFLb0FXiYT5TAd/Emqi16U1SmRSo9idSIpZbEmqi:495NtT94HX1VR4lZ
      MD5:FF02D43847C78877FE340EB15927AE15
      SHA1:6E9A011622D3C0B914923C58DD8EDFA0B27AAAF9
      SHA-256:110795E1F3E7C0C96481D893BAEE7BCB4C04840A036865CBE8F17F611B993217
      SHA-512:781932E7398B14D82974A14D27E8F9519D57D50B16ECA299901E5A7C62FF75E84C55E39E1608BB2679A6166ACC0D160B731ED9A913EA455339C6FB529D2C8C90
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):20480
      Entropy (8bit):1.5485852868093724
      Encrypted:false
      SSDEEP:48:uE8PhBuRc06WXidFT5RdH6RLBLEASmRSo9idSIV8Z6c:ubhB1zFT9HaLBLEAVR4J8Z6c
      MD5:180EC6C8714C92DD80CB732F679B9E6B
      SHA1:4686E0C9DBD07A5A616F5ABC1EDABFD1E7DA3A2B
      SHA-256:77291357502CBF716BFEF1CC11DF37346BDD99B1F7CAB5476EDB7C20B78B21D0
      SHA-512:36859292A425F04277D356072DD577F3E44DC654D1D90FB7EB7E96EB95872DAAAD649B49D74D8DECD285DF2298F047E2830119C1E0F7FA49F84519D12C063387
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):32768
      Entropy (8bit):0.10235320659675191
      Encrypted:false
      SSDEEP:12:50i8n0itFzDHFSD58bAzsvnIH1oOBDr01:mF0mly58basUuO6
      MD5:B0543A0543CAA4B3BE838914865B700F
      SHA1:449ECEEDE342197F6742CDD4AC70A5AEBC83E2CC
      SHA-256:7E0F07110CE1E890ABA58AE658C93AF34F2336CE5D4477F7B25D690CF52E79C7
      SHA-512:22CAE6296067C48EAAF77B298FDDC7BD9DC5234755308AD8681BC7E07E3143F00DB73C7C11701E798A8EF0FA0DCE5FC6D293162BEB7B9ACE5DD2E986958AD9FD
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):32768
      Entropy (8bit):1.2356815922299842
      Encrypted:false
      SSDEEP:48:4wE5uFLb0FXiYT5TAd/Emqi16U1SmRSo9idSIpZbEmqi:495NtT94HX1VR4lZ
      MD5:FF02D43847C78877FE340EB15927AE15
      SHA1:6E9A011622D3C0B914923C58DD8EDFA0B27AAAF9
      SHA-256:110795E1F3E7C0C96481D893BAEE7BCB4C04840A036865CBE8F17F611B993217
      SHA-512:781932E7398B14D82974A14D27E8F9519D57D50B16ECA299901E5A7C62FF75E84C55E39E1608BB2679A6166ACC0D160B731ED9A913EA455339C6FB529D2C8C90
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):20480
      Entropy (8bit):1.5485852868093724
      Encrypted:false
      SSDEEP:48:uE8PhBuRc06WXidFT5RdH6RLBLEASmRSo9idSIV8Z6c:ubhB1zFT9HaLBLEAVR4J8Z6c
      MD5:180EC6C8714C92DD80CB732F679B9E6B
      SHA1:4686E0C9DBD07A5A616F5ABC1EDABFD1E7DA3A2B
      SHA-256:77291357502CBF716BFEF1CC11DF37346BDD99B1F7CAB5476EDB7C20B78B21D0
      SHA-512:36859292A425F04277D356072DD577F3E44DC654D1D90FB7EB7E96EB95872DAAAD649B49D74D8DECD285DF2298F047E2830119C1E0F7FA49F84519D12C063387
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):73728
      Entropy (8bit):0.12895701941165924
      Encrypted:false
      SSDEEP:24:cZ6cpqYaazipVjipVsS0W1V29RgNlGyXkT+qdMClpMClmVj1LFGm1LF:cZ6ckVmSRSmRSo9imFdH6RLBL
      MD5:1946DE301B61439D347ECAC91CD3A158
      SHA1:7353F316CDE8E7B42FD01355716F3D31D241297A
      SHA-256:2563F96787C6005128646458DAF4F2A405868A076D4ABB062F9ECF95F20E4253
      SHA-512:6190E45EC7D4E2408952C7AACBF2B125D50B9B4743EA85328981C09C4DBBAA8BCFFDCBA42C4EAF1B0E1C8D11898B9BED4BF85326554B1F8138D0BC67926C6FF2
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):32768
      Entropy (8bit):1.2395905184428009
      Encrypted:false
      SSDEEP:48:y65uPLb0FXisT5TedH6RLBLEASmRSo9idSIV8Z6c:h5jRT9CHaLBLEAVR4J8Z6c
      MD5:8390C377571BB3F5B99F90305BA6B3BD
      SHA1:DD4BBA8266D489139662F2FC29F02D95CE0BFC4E
      SHA-256:F11759263571C323A14FB2C9907661F5BBF5E71B05B08E9534A541E92CAC0FC5
      SHA-512:0BDDB3717F8F5BC45599D2BAB121EACEFC1F535DF6B09ACDDEF8FC0653E5A780968FC835FA0AD5F6A5A9E6789A2BF81C655158278206008DF94879D531D9B540
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):32768
      Entropy (8bit):0.09798775819634128
      Encrypted:false
      SSDEEP:6:xPLG7iVCnLG7iVrKOzPLHKOos2XYpVV9xAFk+UanTUlYVky6lElw:50i8n0itFzDHFZyYpX9xAe9aY5Elw
      MD5:7756E5BFBD52FDC490E74309485F2BB7
      SHA1:ECBB13B72AA12A77FF69909D4BD420707CB30BBB
      SHA-256:29EEE28AEBDAA0856EC5C8AA4807A66108986C13C576582965D72484BDB885EA
      SHA-512:19ADAA496B72CBDD6A833C6AB6ED092053063EC4623AA7777038C75EEA349F03ECE6E3D48FA2646A21988F497CB5D092BC91FE80C87FE1F332A3D82B6463D7C1
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):32768
      Entropy (8bit):1.2839146058077076
      Encrypted:false
      SSDEEP:48:voPuEO+CFXJhT5k92v/eSMo9k9SeSB29mfd80Z1P:APC5Td/eQeqxZ
      MD5:3AEE8EAA5B593D302FCF63F0B16DB6A3
      SHA1:5311579AB3FB86FC3B4D3270885BD8FFB4364ECF
      SHA-256:011163CA25D50B9FB1F442550C2BDE4B958C6D4E65083AE16E2BD6BB92105A81
      SHA-512:973298BB33548B78F5B396CD09E4E0FE6AA4FCF797361318A6D70455F8B931E44427F2AAF1D8608CCAAE402B86320865EC7C2C806EE2AFAAAD86AD38BC08AC17
      Malicious:false
      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):32768
      Entropy (8bit):1.2395905184428009
      Encrypted:false
      SSDEEP:48:y65uPLb0FXisT5TedH6RLBLEASmRSo9idSIV8Z6c:h5jRT9CHaLBLEAVR4J8Z6c
      MD5:8390C377571BB3F5B99F90305BA6B3BD
      SHA1:DD4BBA8266D489139662F2FC29F02D95CE0BFC4E
      SHA-256:F11759263571C323A14FB2C9907661F5BBF5E71B05B08E9534A541E92CAC0FC5
      SHA-512:0BDDB3717F8F5BC45599D2BAB121EACEFC1F535DF6B09ACDDEF8FC0653E5A780968FC835FA0AD5F6A5A9E6789A2BF81C655158278206008DF94879D531D9B540
      Malicious:false
      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):32768
      Entropy (8bit):1.2395905184428009
      Encrypted:false
      SSDEEP:48:y65uPLb0FXisT5TedH6RLBLEASmRSo9idSIV8Z6c:h5jRT9CHaLBLEAVR4J8Z6c
      MD5:8390C377571BB3F5B99F90305BA6B3BD
      SHA1:DD4BBA8266D489139662F2FC29F02D95CE0BFC4E
      SHA-256:F11759263571C323A14FB2C9907661F5BBF5E71B05B08E9534A541E92CAC0FC5
      SHA-512:0BDDB3717F8F5BC45599D2BAB121EACEFC1F535DF6B09ACDDEF8FC0653E5A780968FC835FA0AD5F6A5A9E6789A2BF81C655158278206008DF94879D531D9B540
      Malicious:false
      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):32768
      Entropy (8bit):1.2839146058077076
      Encrypted:false
      SSDEEP:48:voPuEO+CFXJhT5k92v/eSMo9k9SeSB29mfd80Z1P:APC5Td/eQeqxZ
      MD5:3AEE8EAA5B593D302FCF63F0B16DB6A3
      SHA1:5311579AB3FB86FC3B4D3270885BD8FFB4364ECF
      SHA-256:011163CA25D50B9FB1F442550C2BDE4B958C6D4E65083AE16E2BD6BB92105A81
      SHA-512:973298BB33548B78F5B396CD09E4E0FE6AA4FCF797361318A6D70455F8B931E44427F2AAF1D8608CCAAE402B86320865EC7C2C806EE2AFAAAD86AD38BC08AC17
      Malicious:false
      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):20480
      Entropy (8bit):1.5435117948961163
      Encrypted:false
      SSDEEP:48:18PhBuRc06WXiJFT5Pd/Emqi16U1SmRSo9idSIpZbEmqi:YhB1HFTDHX1VR4lZ
      MD5:6E0C488A5C502AF3C2FC5C7D5BF9702F
      SHA1:EC6D2F8AC1BCC56A9915E11587AF6BEB011B24FC
      SHA-256:AE8F298DF5A81469405043E581B7C2AC960FF48913D9F0E3538232803AAA4870
      SHA-512:18BD11BA76507538CEFF75D744BD35C0E815FF5E4DB6638D933627A6900A9C3ED0E5C85B36A60F3D906828352A7654D2F4CCF4A3C9A11601B83BE7EE0B9FD2A4
      Malicious:false
      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):73728
      Entropy (8bit):0.12678635425281393
      Encrypted:false
      SSDEEP:24:kEmqWVdZiCYsjipVjipVsS0W1V29RgNlGyXm+RdMClBEmqWV1MClmVjLm:kEmqidZ3dSRSmRSo9iK+d/Emqi16
      MD5:7DD0879BF9FD4D82A4947C7AAB54F156
      SHA1:183867D2405ACBD2412FD6A606C7601E0B9FA232
      SHA-256:48337DB0FE72091C59757DA80B69E7858519B30CC1EAA5307ACFF4D025C8A8EB
      SHA-512:8D858201FCF63DC651A5FACC3560BE9D2DD6F31234D8CA5116E19EFB1193309ACF8F919DB243136E19CB3C3C557E184F07CC73FFBBCD4E1A1A3B709FAD32A588
      Malicious:false
      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):73728
      Entropy (8bit):0.15201312339931744
      Encrypted:false
      SSDEEP:24:FR94cZ1ReZFbcipV729mZxdVZFbcipVRYV29LwGM3Sk9t+d9A1:OcZ1RUeSB29mfdreSMo9k9tw92
      MD5:0C9EC277BAD44039850E5EE0651182DA
      SHA1:DA85F9D6FE94B2413D2B466CC19990D46777BA89
      SHA-256:C92653A03582D8C471E040F8BFCA6E4437651F7C37C1D9221B48FF6FFE874CFD
      SHA-512:D614F37BBDD7C960A0164791B24607D442407278791886C991DAB8365A5895DC5C409CF31C2276EBE6507F9F3DB5AF50373269494EB348CEB41D0193936A81D8
      Malicious:false
      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):20480
      Entropy (8bit):1.5435117948961163
      Encrypted:false
      SSDEEP:48:18PhBuRc06WXiJFT5Pd/Emqi16U1SmRSo9idSIpZbEmqi:YhB1HFTDHX1VR4lZ
      MD5:6E0C488A5C502AF3C2FC5C7D5BF9702F
      SHA1:EC6D2F8AC1BCC56A9915E11587AF6BEB011B24FC
      SHA-256:AE8F298DF5A81469405043E581B7C2AC960FF48913D9F0E3538232803AAA4870
      SHA-512:18BD11BA76507538CEFF75D744BD35C0E815FF5E4DB6638D933627A6900A9C3ED0E5C85B36A60F3D906828352A7654D2F4CCF4A3C9A11601B83BE7EE0B9FD2A4
      Malicious:false
      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):97280
      Entropy (8bit):6.5212651414408125
      Encrypted:false
      SSDEEP:1536:qskNTnYQzkuvliN+9sdYhfv3rkT+za16/rhmE9dV87mKxGXmwJMl72co9:q1TnY4kclz9sdO/79dVMmXmwJw
      MD5:D5E459BED3DB9CF7FC6CC1455F177D2D
      SHA1:E2847ABAF79AC97B5D530E0E1A2DA74E7DC67BF5
      SHA-256:FCAB2130FAB57B6728C50D5B9E9924F001C43538DE4F675DE03537FF0D9B84BD
      SHA-512:F8A090BFE74B5FD112DED3F1269ADA31F94AA00816CB345F96DE68948E4759082D43185852B9E061A5DED4D8E3FA66D4BDF0F5C89CB3148918B0580AA644390D
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."..xft.+ft.+ft.+.{.+dt.+A..+mt.+.{.+et.+ft.+.t.+A..+}t.+A..+mt.+A..+gt.+A..+gt.+A..+gt.+Richft.+................PE..L......M...........!..............................c|......................................@..........................G......<A..(....`..H#..........................`...............................84..@...............(....5.......................text...~........................... ..`.rdata...N.......P..................@..@.data........P.......<..............@....rsrc...H#...`...$...@..............@..@.reloc...............d..............@..B........................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):7318
      Entropy (8bit):7.373122570110644
      Encrypted:false
      SSDEEP:96:YCe05G79D743UDXOTdXAdTMrYVDa//rDG5UdmqTDvboxlRM0hD743SinGfgjdoKM:5e05pfJrNGSnws/nGfe4pBjSs2I
      MD5:BA3D94DFAB205D6FC0FBBED6940842C0
      SHA1:5D8BF309358910AF9FA6E2954E9FF9E08742F35F
      SHA-256:D4106AA2A6EB6FB48440CD9728D01CD829D94A69DA0A493EC2A4364F835F8695
      SHA-512:32840D8074732771CAB7D4F49F8C4B19B9147F6FD9F889DBE8A8F1027AA5EAA47BEACAD82A020F6ECBF2323BD45976550AFAAB20AA2701FE9297BEBB4BE24390
      Malicious:false
      Preview:0.....*.H..........0......1.0...+......0..u..+.....7.....f0..b0...+.....7....../?..&M..UBx....110514013756Z0...+.....7.....0...0....RD.A.F.8.9.1.D.9.7.8.2.5.9.3.A.0.A.0.5.D.5.F.F.8.3.E.1.F.6.D.F.A.B.7.A.6.E.C.3.F...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+............x%...]_.>.m....?0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....M.i.c.r.o.s.o.f.t...V.C.8.0...A.T.L...m.a.n...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+............x%...]_.>.m....?0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}.......d0...0..........a..].....Q0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA0...110214210559Z..120514210559Z0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....MOPR1E0C..U...<Microsoft Develo
      Process:C:\Windows\System32\msiexec.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):466
      Entropy (8bit):5.360783828704132
      Encrypted:false
      SSDEEP:12:TMHdt7IBeBFJ3/3XO53SNK+yGuCgVuNnyEG7jpZG:2dtMEDJ/eiNK+yrCg4NnY7j2
      MD5:8F90207A9E223214EC04CCF005F097F1
      SHA1:DAF891D9782593A0A05D5FF83E1F6DFAB7A6EC3F
      SHA-256:D00269BABDB5F3EB1CDD535260124B4B5FA599F2AF8605BA468949D64F6EACBF
      SHA-512:EF4615354860E4DDFA2DD4AA3A2EBBF34568C416246BEBB6B4C03509E17CED071AA725704B8D4EDC18950C851879BEB8EC1AD09843F3B4D18A5BC3152BE5918D
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable/>.. <assemblyIdentity type="win32" name="Microsoft.VC80.ATL" version="8.0.50727.6195" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <file name="ATL80.dll" hash="b5037a793da006b9cbf7497aad5886358a578095" hashalg="SHA1"/>..</assembly>..
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Category:dropped
      Size (bytes):479232
      Entropy (8bit):6.025843933949589
      Encrypted:false
      SSDEEP:6144:O6KTZsHDwx0TCAQpFTfnPyFVrCqq/KrnahQ+Nnq0B/aNOjMQpyn:ksHDG0TM6sKGhQ2nq0iQ
      MD5:1D109ED0D660654EA7FF1574558031C4
      SHA1:04C690EB322E236A9BED2937A04430C6FDA3B13D
      SHA-256:7DCB3C45938D31854E46B5E5B0E16D538E29230D1BC81086D40C8DB3BDF510BC
      SHA-512:806CB75368B38AD6E7DE3C41E600F537DADF11C2DEF3B5171818945F2EE5A495CB143198E4EB80D0DF5F964D8BBAE09630869A8A6CDACF67D2C3690DF457275A
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-9/.iXA.iXA.iXA..W..mXA.iX@..XA.N.:.lXA...?.hXA.N.<.hXA.N.,.fXA.N./..XA.N.;.hXA.N.=.hXA.N.9.hXA.RichiXA.........PE..L...I..M...........!.........@......DT............L|......................................@.............................c ..d...d......................................................................@...............................H............text....x.......................... ..`.rdata..cX.......`..................@..@.data............ ..................@....rsrc...............................@..@.reloc..N$.......0... ..............@..B........................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):554832
      Entropy (8bit):6.428532379402239
      Encrypted:false
      SSDEEP:12288:rZY4lOHMwLwXBt+iaKst/Ua/hUgiW6QR7t5j3Ooc8NHkC2eW9:rZY4lOHMM8wifstjj3Ooc8NHkC2e6
      MD5:0B3595A4FF0B36D68E5FC67FD7D70FDC
      SHA1:973614AC9622D5EA9CDD68FEBCE3258D196408B6
      SHA-256:372AF797353F9335915CD06D4076BAB8410775DCAF2DAC0593197D7C41BBFFB2
      SHA-512:E191DE0236E05E0BB198C51E2F630B56B833B868383E7AB0BBFD91010FA57A9402364E1082C0F267B1E24789F6D7E6D0253D2A932369F469588EEC6ADA3F48BE
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y..y..y..fv..y..y..#y.....y..2...y.....y.....y......y.....y.....y.....y..Rich.y..........PE..L...l..M...........!.....@... ...............P....B|.........................p............@.............................L...T...<....................`..P.... ..H2...S..............................Pe..@............P.. ............................text...V>.......@.................. ..`.rdata......P.......P..............@..@.data...l&....... ..................@....rsrc...............................@..@.reloc..NA... ...P..................@..B........................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):632656
      Entropy (8bit):6.85450359191272
      Encrypted:false
      SSDEEP:12288:Kxzh9hH5RVKTp0G+vphr46CIFt0yZmGyYGK:Kph9hHzVKOpRFHmGyYt
      MD5:C9564CF4976E7E96B4052737AA2492B4
      SHA1:43851FE4644C0A1EB31FE80F427777F1F0015EFA
      SHA-256:C3AC989C8489A23BB96400B1856F5325FFC67E844F04651EA5D61BC20A991C6D
      SHA-512:8E9817AB398A86AF6982D39FED018FF5282F60C5330DBEF6417CFBE73731D8503C63DA32107D948CC1EBA14DD30AAB614C7C858300E4F79CA418DC42D353F9C8
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L.........@................!......;.............d.......................Rich...................PE..L......M...........!.....0...p......+#.......@.....x......................................@..........................q...~..Pc..<....`..................P....p..P3...B...............................F..@............@...............................text....'.......0.................. ..`.rdata......@.......@..............@..@.data...Li.......P..................@....rsrc........`.......@..............@..@.reloc...7...p...@...P..............@..B........................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):7318
      Entropy (8bit):7.368381521009752
      Encrypted:false
      SSDEEP:96:Y0SNG79D743UDXOTdXAdTMrYVDa//rDG5UdmqTDvboxlRM0hD743SinGfgjdoKZO:Y0qpfJrNGSnws/nGfe4pBjSsTEUfwc
      MD5:18E56040841C2096B1AF7107943D15BF
      SHA1:C0FDAF3E13ECD412C584FE574A8A18C16B45A1EA
      SHA-256:EF5447E606A2355C0BB9FD9A9AF318B45359A7BF6ECEBECDD09517E67239C599
      SHA-512:DB587A4FB1ACD0AA219B87046C7C4801AC9E1A1837E330261409580C310E940438E60FBD2311B2CE1438DA48BFF293BB8311C605BBC9078B975CFACA4E72DDC1
      Malicious:false
      Preview:0.....*.H..........0......1.0...+......0..u..+.....7.....f0..b0...+.....7......_..G_M..?..Z.>..110514090603Z0...+.....7.....0...0....R5.2.E.B.6.B.2.4.9.0.A.1.D.6.0.A.0.D.B.F.9.F.9.2.3.3.4.9.3.7.B.A.1.9.6.B.A.E.4.4...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........R.k$........3I7..k.D0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....M.i.c.r.o.s.o.f.t...V.C.8.0...C.R.T...m.a.n...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........R.k$........3I7..k.D0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}.......d0...0..........a..].....Q0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA0...110214210559Z..120514210559Z0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....MOPR1E0C..U...<Microsoft Develo
      Process:C:\Windows\System32\msiexec.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (504), with CRLF line terminators
      Category:dropped
      Size (bytes):1870
      Entropy (8bit):5.418875744198016
      Encrypted:false
      SSDEEP:48:3SlK+hFg44j09kkKffzWf+C09kkKAgzR09kkKd1zY:ClthBCXkyClXkFgFXkm8
      MD5:188E68005ED62F32248032C65CB4DE96
      SHA1:52EB6B2490A1D60A0DBF9F92334937BA196BAE44
      SHA-256:AA8E944ADFEED4B29CC9262C63F43ED752F8EF44D52FD868E41BDF1EA974D1B0
      SHA-512:9EF823BF26A08B2D697F2D88ABD92D7C54B25BE8D65F6F3A832E9D53472D1252B62EF5E04BCA0534FA6F8586633E9E73F91FECA07D11728CF7B07E7434CF20D9
      Malicious:false
      Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.6195" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="msvcr80.dll" hash="4be3fcf046c4941d7b439da6eb642431b5ff497a" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>Q4Uf5GRMCh6zH+gPQnd38fABXvo=</dsig:DigestValue></asmv2:hash></file>.. <file name="msvcp80.dll" hash="f96d6d587819a28ad84cd32783968c7f75169a49" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xm
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):1101824
      Entropy (8bit):6.523952124484787
      Encrypted:false
      SSDEEP:24576:glVttwOcUHZ3uy12zbYSYUgzzYiJ1wMK:sVttwOc2EzbYSYUgzc0TK
      MD5:1F5AFD468EB5E09E9ED75A087529EAB5
      SHA1:B69201B0705139F025A583034436D761C1E62E09
      SHA-256:8204DBCC054C1E54B6065BACB78C55716681AD91759E25111B4E4797E51D0AA3
      SHA-512:3C21730B4DFF6FA22AB273B2987D8CB5C9C01BCA4657734E793BF37B5B94106CF1043D7CE6CDB51EC6F3D4E9D6799E0C844A07976DA47882432CAE18B3406D76
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......T.t...'...'...'..'...'...'...'..'...'..'...'...'F..'7s.'...'.q.'...'7s.'...'7s.'0..'7s.'...'7s.'..'7s.'...'7s.'...'7s.'...'Rich...'........................PE..L......M...........!.....p...p.......V.............x................................E.....@..............................e......x...................................0...................................@...............D............................text....o.......p.................. ..`.data....i.......P..................@....rsrc...............................@..@.reloc..n8.......@..................@..B................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):1093120
      Entropy (8bit):6.51834867272897
      Encrypted:false
      SSDEEP:24576:2rA15w5Uxp2IJgvJRLc/9v23kkph9cgqhSm:XbwRIJgvJRLc/5YkyhCFh
      MD5:E2C48CD0132D4D1DC7D0DF9A6BEF686A
      SHA1:A091B626BE276C742E8D8F86988ED07F1E9083D4
      SHA-256:52D1A8AA992AF2F727DA4B16522D604648D700997B1620CCB67D05838C127674
      SHA-512:8CC0186B55168DE98DF803CBB999A5DE22FA47B9276EC89A67CB932BBA924DEF18D8241F194FA0F75D92A8D106B3B39DE57722D36E3C7452B5C7384F26CAAF11
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................b......?.......b.......b................l.....6n......l......l......l......l.|....l......l......l.....Rich....................PE..L......M...........!.....p...\......"W.............x................................6.....@.........................`....e..<...x......................................................................@...............8...D........................text...Gn.......p.................. ..`.data....k.......J...t..............@....rsrc...............................@..@.reloc..Z7.......8...v..............@..B........................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Category:dropped
      Size (bytes):69632
      Entropy (8bit):5.392272304481052
      Encrypted:false
      SSDEEP:768:vo3+LxGdzu9COyOi9aBlbmY7qkaylyQniy8E62JdvQ+BLmG1mOAPq+Me3:IuQQm6myqkaplZ2Ju+BTYOAC+Me3
      MD5:83362EE950AD18ADB85B54409155C378
      SHA1:74D11BBF3DA8AA217D1E83425A67621B126371C5
      SHA-256:BE1FAA17B466E56DA8259CDC1F1B02EE0DEB4C5E022E6EB3B82643EF508C8BEA
      SHA-512:7B657EDB50D8E4B634C0961040CC951CB0FEAA5D1D22D8AADF0620E469D64E7C2BD623FC82CE2C8CA3DAF438FBA8CCEDACA878E2C019C6D4FE993669E6764AF2
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z#Z..M...M...M.......M.......M...L.v.M...6...M.O.3...M... ...M...0...M...#...M...7...M...1...M...5...M.Rich..M.................PE..L..."..M...........!.........@...... .............U|......................... ............@.............................................................................................................@...............<...............H............text............................... ..`.data...............................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Category:dropped
      Size (bytes):57856
      Entropy (8bit):6.02030538120033
      Encrypted:false
      SSDEEP:1536:362a7ld3JfSy2BcrkgmQFvjDOUsglIfuOAm7VcV:ghd3JfN22rhmQJjDbsnGOAmBcV
      MD5:26AAFEE5C30020C99120EE113D751F7E
      SHA1:828B8DA62B265D99A2BE741ED54D4AB7DE61F833
      SHA-256:AB8BB84E0131A72114B3EB399F120B9CEDD0250FB91A6CD528B4E3E98EF913CD
      SHA-512:B9FE5A19749147AA2406C0780360D871FA95EE06692354A8C6866959D888AA7C051C41B3F07162ADBF95919308B4C83764A1A1323EE888BC34F99B190BD2999E
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_...>._.>._.>._.1._.>._.1._.>._.>._A>._..._.>._E.._.>._..._.>._..._.>._..._.>._..._.>._..._.>._..._.>._Rich.>._........................PE..L...5..M...........!.........,....................e|......................... .......\....@.........................p...................................................................................@...............,...............H............text...1........................... ..`.data...............................@....rsrc...............................@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):7318
      Entropy (8bit):7.370990226843742
      Encrypted:false
      SSDEEP:96:hcS08G79D743UDXOTdXAdTMrYVDa//rDG5UdmqTDvboxlRM0hD743SinGfgjdoKW:hcS08pfJrNGSnws/nGfe4pBjSslfqWX
      MD5:B0EE1BE78206C74429A021688BB34C58
      SHA1:F0951DBC13499134373A17AAA0A242759824EDBC
      SHA-256:DB8EE01212450D7D7A787865F7DF29EC48F12EBB1264DF17AFA2C4CAE12224EF
      SHA-512:4D82ED69F600BD33E1CAF583996EBCAB596F7791B3511B3FF29BC8418EFC4EA59CE9762C240B4D590778BD9E29E16153ABF16125B00CB8CF5EBEC5721DFEABAA
      Malicious:false
      Preview:0.....*.H..........0......1.0...+......0..u..+.....7.....f0..b0...+.....7.....T.i....B..QOg..<..110514090605Z0...+.....7.....0...0....R1.2.5.D.C.6.C.2.F.4.8.4.5.3.7.5.C.2.D.4.E.2.5.E.D.0.F.F.6.0.9.A.0.C.B.F.D.5.7.2...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........]...Su...^..`....r0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....M.i.c.r.o.s.o.f.t...V.C.8.0...M.F.C...m.a.n...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........]...Su...^..`....r0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}.......d0...0..........a..].....Q0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA0...110214210559Z..120514210559Z0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....MOPR1E0C..U...<Microsoft Develo
      Process:C:\Windows\System32\msiexec.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (504), with CRLF line terminators
      Category:dropped
      Size (bytes):2372
      Entropy (8bit):5.397359381610857
      Encrypted:false
      SSDEEP:48:3SlK+ag4909kkKKzzF09kkKIz7nl09kkK7zp709kkKvhzY:Clti9XkXVXkB/lXkSl7XkCh8
      MD5:F79C2E87AEFEDB361FE85B75D147D02F
      SHA1:125DC6C2F4845375C2D4E25ED0FF609A0CBFD572
      SHA-256:E424EF35E909C5863C2668B34F316E9BA507A29C924DFD0970219B0F1898C619
      SHA-512:851BC6F4497BFA4B133FB1A7A3D0E806AEB8F4A5852439F632C128C9387BA4C769FA18DC2BF1BAE6ADAB9E917E1BD9E42BA9AACA92E64F28A0FB82FECEABB02A
      Malicious:false
      Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC80.MFC" version="8.0.50727.6195" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="mfc80.dll" hash="48ac38e27b9666515a92c5e97834d48d40764681" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>tpIBsHBROfAlpYMDRDbXYcHmLgk=</dsig:DigestValue></asmv2:hash></file>.. <file name="mfc80u.dll" hash="cf19ab729dce5f8169380752f43748935e85f57d" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):40960
      Entropy (8bit):3.7209987163864344
      Encrypted:false
      SSDEEP:384:NDNemsol/tAGqyVUIrvJWOWRzJwxV0fwItnFiHyt6S26r81Jd5AJd:NZXsKAGDTrvs6x4wItnFfL26r81nE
      MD5:4A3ACBDE55EB9BB30895B06F21650614
      SHA1:2B763BD66E3A3DE4EB331155445E08798F120087
      SHA-256:83B6804E66E0BE5DAE2E948988FB269777EC91234F5A508C3FE830D79E6876FB
      SHA-512:9C50AD27160037F98C0B68A6D037431614632D631048570C8C8AE9679B1494BB35DB5564D03868DA0D78225B320D7740117E97F4F3ABA7BC69386B9AC993734D
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L......M...........!..............................6]................................L,....@..............................................~...........................................................................................................rsrc....~..........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):45056
      Entropy (8bit):3.5286093544199826
      Encrypted:false
      SSDEEP:384:CDNumStwO/tAGqyVB+dvEAWhWRrMUn5xm9za2JokMw6TERPB1ECA:CZHSGMAGDadvNDn5x4pqwPPB1EC
      MD5:DC4091EA96CE9E94F291AA7FFF7F2DB6
      SHA1:A5924ABCFE23187D5316F995FE7B618B1EAED3F4
      SHA-256:6A4A6B2293E306040609F42B07AFD251C80E8C33800CC4C9A04B51630226D8F0
      SHA-512:0C5AECD8C0070C8B298BF3A4A6C3CC11CB73CC7D84FCA868BE5ECBCBC6D8BFF6C56028E2BA534B5F61432761EE368885D7D2A0E99BE85E39EA60FFDBBC1B6869
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L......M...........!..............................6].................................\....@..........................................................................................................................................................rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):3.0912501343733023
      Encrypted:false
      SSDEEP:1536:A1AGDh+vM+zesi870vYtNerHI4Lhp0vcsjsr:A1AGDhx+zesi870hLhp0vcsjsr
      MD5:4E8B1E9567B3CD76CA628C9026AE1125
      SHA1:C3DCF34C6EA0111034A4D903310BA5B3E7B181AA
      SHA-256:FD39AB4518DE31A44563C68C2A84E3C94594C1D53EDAA0A15F6148043E4300CB
      SHA-512:02215A72BE80A6B428434FF86D04797FCB8C77CB4520A149C1123EB35D1E56A4633B53B01A6C78376D60FB92977A93FA6144275E0518F461C8F6DD71F98F82FF
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L......M...........!..............................6]......................................@..........................................................................................................................................................rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):57344
      Entropy (8bit):3.050881194742072
      Encrypted:false
      SSDEEP:384:/DNXnSkNsq/tAGqyV5KOvRWIWRSBrxiFc+hV9RLNq/HRK/+nnWT59Dl:/ZX3s4AGDCOvuSB4V9RLNqfRKGnWHB
      MD5:28A09777D2D952122567A8A82F1A2C7B
      SHA1:AF2E9CD4A0321F310C87DEAF9170DBC32C4B3F94
      SHA-256:772260DF36AE85A0619C51402DE416E0C329976B724C8E9C4F8C013CBB7C7289
      SHA-512:669DF5234BB735649F839715C2DC3FB2206CD27EE639821C25730D3800ABC9DBC9EE764D9F7A8CD639A23AFFAAD09CC0F97000513FFDDF95E3995F7A06F66681
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L......M...........!..............................6].................................S....@.............................................(............................................................................................................rsrc...(...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):61440
      Entropy (8bit):3.0970267364496755
      Encrypted:false
      SSDEEP:768:XZTQAGDf3vIPor0GBFCDCLhedUPYVbS/:9QAGDPvIPor0GBFMkhedUkS
      MD5:D07AAC2BC04602D886C3A925EB209D15
      SHA1:D7F2F3EB4D854E84481229A7CF5B7BBC27E1AE8C
      SHA-256:A28EECF6002085273575E887832B8B77FB5321A19412FB7EBA580EBDAEC1044F
      SHA-512:593B8A3810F81B8E705DE1B7D07A9C3C602E53C9B8246D67E70E218B4BBD3F4E3E0C347893B4CF65490D8387310690B37FE643BFA935C50EDA9BD0989B42FF4B
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L......M...........!..............................6]......................................@..........................................................................................................................................................rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):61440
      Entropy (8bit):3.1663160507988235
      Encrypted:false
      SSDEEP:768:QZweyAGDSRvYOrkh2A6NTi7e3RAaTaPCeyGdZmBSg3T1SyyyyyyyyyyyyyyyafyL:IyAGD+vYObA2SCeB0Ug4
      MD5:6A8E515791ACB27F18D08A895974E953
      SHA1:E4FE0C307BEB45180B0327575EB3D824AF20F5E0
      SHA-256:269229464378EF4DE681739AE57E4E6F8C5D23F06AC701DDCA0E3580B5D2FC72
      SHA-512:68B3DEFD72F014B3ED804CE0C2249F56D8A081E2DEF5E818142C386510EE85B0803B9B5EE72B11B4C8872E247E07DBDBAA5B229EADAE69AF06886DBB3CED09DF
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L......M...........!..............................6].................................1....@.............................................(............................................................................................................rsrc...(...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):61440
      Entropy (8bit):3.10315798498821
      Encrypted:false
      SSDEEP:768:vZ0odoAGDI6vJRG57PxtINJ8Il8QcPOCeFO/:yo+AGDHvJRc7PxtINJ8gIPp
      MD5:5225673E3F28A251CC8449EFA7C82F03
      SHA1:27F132E5490AE64921A601162E21EB613726BAC2
      SHA-256:4E7467582D0D22366DE5BCD73E8BFB15DCD28D7A6A8DCBDA78E81FD175F6176F
      SHA-512:11AC795790B39EB5B831FDA432B518B8A6609F7A52BFE28C5BA3BB7370F3D30F8AEFB6872F5560403D75E39A23052534225E2136EC63528701D93A59F20C3536
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L......M...........!..............................6]......................................@.............................................(............................................................................................................rsrc...(...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):49152
      Entropy (8bit):3.790558537093
      Encrypted:false
      SSDEEP:384:ZDNCysmq/tAGqyVVp7vheFWiWRjJkQbXDr10Jh8I2Bb4:ZZXsPAGDN7vQMjJkkr10IIc4
      MD5:194D495897DD9D46A3C9BEFEF6CF863D
      SHA1:C7ADB52B5F3D9033F1CF58C95C3C967C4D670B5B
      SHA-256:9DCB5EB5FBF87AB36BC26F2E5FEB14F5911C08BB52487A135CC41B2160ABD10D
      SHA-512:CA9C19BF4ED4B31E29FC763BC3AF58D2FE723604B96ED57A2C922CD99AAC5010D6D8FF6204DE7DD1D52888710638D554FF4371864F0BA1C910AB72F1FC7CB431
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L......M...........!..............................6].....................................@.............................................8............................................................................................................rsrc...8...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):49152
      Entropy (8bit):3.7254244871507964
      Encrypted:false
      SSDEEP:384:fDNSnxGr/tAGqyV0/NvrWYWRgKu/KV0YfmtT2XYm66tHggFK417RTNbU/Ltl3tSM:fZSE5AGD0NvwiriHqN
      MD5:ADC1E6A231011CB4A4322061F2B13800
      SHA1:976889857A64171713029A86538B6A2AA5E6C449
      SHA-256:E0D59FE3C09DC18151486CCDBB64C8158D0D4911B59CC90E0760F0FE5B8B2631
      SHA-512:B218E913BE1E0883050349556541D27431A05282872B99EA05098E3E8FAE1ED185517A76998677715D43B343DBBE7A5E203FD68962DF23D19481294E8E205518
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L......M...........!..............................6]................................-n....@.........................................................................................................................................................rsrc..............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):7331
      Entropy (8bit):7.360042889604393
      Encrypted:false
      SSDEEP:96:+rGkG79D743UDXOTdXAdTMrYe0Da9DMURgDvboMsz3DM0hD743SinGfgjdoKZDMh:aGkpfJr+ks/nGfe4pBjSkxmbBQ
      MD5:D14805929182D6DBE0026C166F5AC457
      SHA1:50753B5772F25269940F5F7DCAA9CC68C35D2B55
      SHA-256:EC631DAE1D6F771523BF6AF2E0751649563281982D902BB6BF59364209F16E64
      SHA-512:E037D42C4E1FC65B6CD1360292DFBF466F22EB71D50BB1FDE33FADC20BC21A4ED29EC59395D3BF6488CA93E114A62037C4960B4CC68E9B73F686231AD16E1D76
      Malicious:false
      Preview:0.....*.H..........0......1.0...+......0..|..+.....7.....m0..i0...+.....7.........kY.N.(..- 5C..110514030422Z0...+.....7.....0..&0....RB.2.E.2.E.5.1.A.6.F.C.F.A.6.0.7.B.1.3.7.6.4.E.8.8.D.1.D.B.1.B.E.B.9.E.5.0.6.2.F...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+............o...7d......./0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....4M.i.c.r.o.s.o.f.t...V.C.8.0...M.F.C.L.O.C...m.a.n...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+............o...7d......./0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}.......d0...0..........a..].....Q0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA0...110214210559Z..120514210559Z0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....MOPR1E0C..U...<Microsoft
      Process:C:\Windows\System32\msiexec.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):1240
      Entropy (8bit):5.335245429307696
      Encrypted:false
      SSDEEP:24:2dtMEDJ/eiNK+EICg4NnZHu3nRqO7eSAfCRakAYyyO1wchmd4Iqw:ciEDJdK+0g4/0Rqv/OFbOrG4Jw
      MD5:A96C1A792597529A4252A12FCE28D71C
      SHA1:B2E2E51A6FCFA607B13764E88D1DB1BEB9E5062F
      SHA-256:7FDC0B814CAE706A97F75DF902E07D5E95A2DA216DAD20D3CB5A2BE8D248468E
      SHA-512:DCEFFC6842B50E8EB0762A386A0EF6540D5BC568B8D209A23BB97BFFCE763CB436EA05692A4F53E6CD61F4624CDF9481012E52F99297457E64BEA81B98873A72
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable/>.. <assemblyIdentity type="win32" name="Microsoft.VC80.MFCLOC" version="8.0.50727.6195" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <file name="mfc80CHS.dll" hash="1ba0977cbaf48ff4bdde0b16152e56624014c9e2" hashalg="SHA1"/>.. <file name="mfc80CHT.dll" hash="fdd5669954d688d9151083225956979744e7f9a7" hashalg="SHA1"/>.. <file name="mfc80DEU.dll" hash="bf463e75f5812a01b303f421744e1017dce0183b" hashalg="SHA1"/>.. <file name="mfc80ENU.dll" hash="b4378b4baf70defee749a3b095e54083aa5bc25f" hashalg="SHA1"/>.. <file name="mfc80ESP.dll" hash="7ff18e6af2e1791208af24299e1914676952985a" hashalg="SHA1"/>.. <file name="mfc80FRA.dll" hash="1a40ac3e7bc9144fa1d3f2670059ba6873e3cab3" hashalg="SHA1"/>.. <file name="mfc80ITA.dll" hash="5c5ed292c71bad4fdfe76abe3
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):5.519437507936552
      Encrypted:false
      SSDEEP:768:9sPMRLY1I4yOKgDbRzsFTHHnH5id+SUnVsZL2jmPGfly/AOMp:2oL8IQKCRiZidjcSLSdA/y
      MD5:73DBAA64D589F3262615550DD6881FEE
      SHA1:BD0F7710E18E27A61D6B98A476E2048813F9E63B
      SHA-256:24025F2734201FE69A679194C6611A1603C4E7592809B6A185334E7D8BCC038A
      SHA-512:AA4B2AA582A5CFDB2D19DD5DB777D70656B577E72ABB198CEBA03603B37B2D1204E4BF5A29CF039FF9F6F191DA80E08E9F75D0AE1047F40EDB1A15B5A5B72CFF
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........=...n...n...n.W.n...n.W.n.n6..n.n...n...n.W.n...n.W.n...n.W.n...n.W.n...nRich...n........................PE..L...)..M...........!.........P.......g.............r......................................@.........................@..........<...................................0..................................@............................................text............................... ..`.rdata........... ..................@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):7331
      Entropy (8bit):7.369849205267706
      Encrypted:false
      SSDEEP:96:4FG1G79D743UDXOTdXAdTMrYVDa//rDG5UdmqTDvboxlRM0hD743SinGfgjdoKZ3:4FG1pfJrNGSnws/nGfe4pBjSkdjw
      MD5:A518B9698BFF3816CAF1E2D7412A629C
      SHA1:6D6B9C1B4923136BE88789BD02B3D2935B59BBDD
      SHA-256:D802B081436DA1CC95F13B9D5567A6233BB5F82FAE9297E23E967D449E70260D
      SHA-512:4356E355267EC7C42A354E17D6E298C883FB8ADACDE94EE2188EA1F62E67C2B75E6430F7203CAAF097CCB42A7E4847C00CCC0A95B2DE0CFF457235125D5A88C9
      Malicious:false
      Preview:0.....*.H..........0......1.0...+......0..|..+.....7.....m0..i0...+.....7......3.....O..........110514031702Z0...+.....7.....0..&0....R1.D.E.0.C.5.4.F.0.6.E.9.E.D.3.F.0.D.C.7.C.E.E.2.B.C.D.2.C.4.A.9.D.D.B.A.1.0.9.E...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+...........O...?.........0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....4M.i.c.r.o.s.o.f.t...V.C.8.0...O.p.e.n.M.P...m.a.n...1..0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+...........O...?.........0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}.......d0...0..........a..].....Q0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA0...110214210559Z..120514210559Z0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....MOPR1E0C..U...<Microsoft
      Process:C:\Windows\System32\msiexec.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):469
      Entropy (8bit):5.3534741698072486
      Encrypted:false
      SSDEEP:12:TMHdt7IBeBFJ3/3XO53SNK+tKCgVuNnyEbYnwkUG:2dtMEDJ/eiNK+8Cg4NnhYnwkH
      MD5:984EABF1F9878AAACA749D547D700AD9
      SHA1:1DE0C54F06E9ED3F0DC7CEE2BCD2C4A9DDBA109E
      SHA-256:F3F918AF785D0C497C93CA1959541BFD65040BB4C8934D419A689E331B94A0C7
      SHA-512:447DF7555DED851E946AB0BFAC3D86F3C666BAE4EE8F6EE1686B610F3CCF34ED6B1B4EF25FF8930B70B5A1CCFF9D35B5E92454F65C8A37A2078EAE5925195A6E
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable/>.. <assemblyIdentity type="win32" name="Microsoft.VC80.OpenMP" version="8.0.50727.6195" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <file name="vcomp.dll" hash="278ed8d9109deaf37b7430b928f9b0aa956b3d4d" hashalg="SHA1"/>..</assembly>..
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):7340
      Entropy (8bit):7.368093646044191
      Encrypted:false
      SSDEEP:96:oT/Y5G79D743UDXOTdXAdTMrYVDa//rDG5UdmqTDvboxlRM0hD743SinGfgjdoKG:oT/gpfJrNGSnws/nGfe4pBjS8Ph4ni
      MD5:2EC75E994BC827BA135BA24AACDC8351
      SHA1:6FD68C5F7554A8AF565AE70E7F2AA7974EC0EBEE
      SHA-256:DEDB067D2D11F8F1007365F028CFAF2A0B2C3F61C8D6C9C51810C4EC6C11F511
      SHA-512:58EEA8BBDAE1E3AAEEBDBEC8249494F052A0429FDD55315DCA5D56DAD2BA7096D07DDF30FC2BBD572AF6C1E23F045CB03FD4D2F8AEA7F5215D410E19DFAF620C
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):804
      Entropy (8bit):5.209307942358243
      Encrypted:false
      SSDEEP:24:2dtMEDJ5iN+nyrCg4NnjiNK+2g4NnM23+LAA23KAAQR:ciEDJw0yug4EK+2g4607AQR
      MD5:C42FB80CF323059A678A0699819BFCD7
      SHA1:AE3A29D768E42D9FE560883959257A5DB6C32645
      SHA-256:33550E0AB4CF946411E934A46D922BB996DDA93668554D4DE024C98C14F15B70
      SHA-512:6A396FC24D5E0BCAEE09673E0D86E99D066D32E66C6BD1DD8BCBD32F66233FCABF007CFEC2AEF39D8AEAF070EDA1F88ACB78C29BAFAEEF788A104BA6D0CD3239
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.... <assemblyIdentity type="win32-policy" name="policy.8.0.Microsoft.VC80.ATL" version="8.0.50727.6195" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.VC80.ATL" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <bindingRedirect oldVersion="8.0.41204.256-8.0.50608.0" newVersion="8.0.50727.6195"/>.. <bindingRedirect oldVersion="8.0.50727.42-8.0.50727.6195" newVersion="8.0.50727.6195"/>.. </dependentAssembly>.. </dependency>....</assembly>..
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):7340
      Entropy (8bit):7.371390920349153
      Encrypted:false
      SSDEEP:96:+gGP6JiP6G79D743UDXOTdXAdTMrYe0Da9DMURgDvboMsz3DM0hD743SinGfgjds:+gdJZpfJr+ks/nGfe4pBjS8KU
      MD5:A0B91C5271C038EE9CC9C7D5437CDE91
      SHA1:D986DC5A1D979F453AEA7241AC94AA6866FDC668
      SHA-256:04349A39EEF3BD9D4B1DE9B5BDA2BD6FC4F517CCB57C0CEAEB7291D5B68A401E
      SHA-512:179F532DADA3F7BF89498678B7CC30EA766EA8109FCA9A015856FFAD5774C2A01ECD9E55C7DED27DE85F85AF017F4336893A3BD4A9CD6B43713755E76E1BC228
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):804
      Entropy (8bit):5.204332817980133
      Encrypted:false
      SSDEEP:24:2dtMEDJ5iN+nhQCg4NnjiNK+hcg4NnM23+LAA23KAAQR:ciEDJw0hFg4EK+hcg4607AQR
      MD5:506D067F2C986C31D26CA54A106DC0F1
      SHA1:0683162B9F08C75A9AEE8AB4626BA11A74C48EF5
      SHA-256:E446FC3432A5D83EB96142CE40F4CC8ED417872539893ACE445F7236FF4DD187
      SHA-512:79F87D44EA7C3DE16BA0D395BC07E4F870ED03C6FE87F75651F7A3D823470FA44F8B500A4487B2BD283F67B7ED91C2E082E26785CCB174F420F61429EB1EC860
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.... <assemblyIdentity type="win32-policy" name="policy.8.0.Microsoft.VC80.CRT" version="8.0.50727.6195" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <bindingRedirect oldVersion="8.0.41204.256-8.0.50608.0" newVersion="8.0.50727.6195"/>.. <bindingRedirect oldVersion="8.0.50727.42-8.0.50727.6195" newVersion="8.0.50727.6195"/>.. </dependentAssembly>.. </dependency>....</assembly>..
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):7340
      Entropy (8bit):7.364551359983345
      Encrypted:false
      SSDEEP:192:U8iwKpfJrNGSnws/nGfe4pBjS8LL+zb5T:4USnw0GftpBjTL+B
      MD5:7D6E726F120320F4821EBDBDBD3C85ED
      SHA1:CD9BC7F950DA33BAFE152C2122C797854CFD75D8
      SHA-256:BF39559E406FA59F9E7B0BA2902CD016800E24198D53D97943C97F1B5716B8BA
      SHA-512:BCC321EFD17B3151901D438F6C8ED3DC745F846DCE9C2058374A380285C70E93F70E8133C1A3A57614B96AFA8BB7469F8FE1651288808B2162C20B2FA9E8AB3F
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):804
      Entropy (8bit):5.205881465365502
      Encrypted:false
      SSDEEP:24:2dtMEDJ5iN+nfCg4NnjiNK+Rg4NnM23+LAA23KAAQR:ciEDJw0ag4EK+Rg4607AQR
      MD5:A5E87AAC0F9748C664C5538ADE2C40D5
      SHA1:B232E6A8EE62F94CA7F92C0DAE4297F7DB877B0F
      SHA-256:957FCA4D0BFBCA1660436F7812D6F6E803B237E9DCE651F1F6BB856FA3077A71
      SHA-512:856D9FD9A8DB20F3F0668E3D51090C5E61D1F6333E6CB2A4A3148C424C7342EBF1DBF6DF78FC640D0039E89AFCBC562421CAC674E20E45D62EBC66FCA549D1DD
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.... <assemblyIdentity type="win32-policy" name="policy.8.0.Microsoft.VC80.MFC" version="8.0.50727.6195" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.VC80.MFC" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <bindingRedirect oldVersion="8.0.41204.256-8.0.50608.0" newVersion="8.0.50727.6195"/>.. <bindingRedirect oldVersion="8.0.50727.42-8.0.50727.6195" newVersion="8.0.50727.6195"/>.. </dependentAssembly>.. </dependency>....</assembly>..
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):7346
      Entropy (8bit):7.3715916759888716
      Encrypted:false
      SSDEEP:96:rNcMh6G79D743UDXOTdXAdTMrYe0Da9DMURgDvboMsz3DM0hD743SinGfgjdoKZl:rNfh6pfJr+ks/nGfe4pBjSk0jyfC
      MD5:43A69419B31545CDD4A3505F3B3B192C
      SHA1:70C124D5AC7BD4E12D4B5D1CB002DA6B5BDD5EEC
      SHA-256:754510064B4349644326F5C9633AAA980DB143C46BBDD44E9D64A7BA3C524882
      SHA-512:B31C9BD8D4F0DF1F3947D8F33A36CBEB7E50147966FAC776EE11934104016E93AA1FB06F1E42106E28BE3CE38433B74E8D88F0C04EE1127C5D1B16F9084EC2D9
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):810
      Entropy (8bit):5.234115027957584
      Encrypted:false
      SSDEEP:24:2dtMEDJ5iN+nEICg4NnjiNK+3g4NnM23+LAA23KAAQR:ciEDJw00g4EK+3g4607AQR
      MD5:1C27A7F7D8EC9D6787DD79DDB1F7AD96
      SHA1:E15E0910658808476FFB3FD73B17C18CB9CF6BAD
      SHA-256:7A27AC14852D08D8DF398B4EDD656FF260492D5E113C1BFAE9DE119A5AE7B374
      SHA-512:3112B2C7350AAC8B7EA0EFAEF4B68BE737E0BDC81D485783E12118751F70C1A2DC11392F28B86371BE73FFF2A9E36A5BBD0211C2928DFC022B1370ECB8528D93
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.... <assemblyIdentity type="win32-policy" name="policy.8.0.Microsoft.VC80.MFCLOC" version="8.0.50727.6195" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.VC80.MFCLOC" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <bindingRedirect oldVersion="8.0.41204.256-8.0.50608.0" newVersion="8.0.50727.6195"/>.. <bindingRedirect oldVersion="8.0.50727.42-8.0.50727.6195" newVersion="8.0.50727.6195"/>.. </dependentAssembly>.. </dependency>....</assembly>..
      Process:C:\Windows\System32\msiexec.exe
      File Type:data
      Category:dropped
      Size (bytes):7346
      Entropy (8bit):7.367369034954777
      Encrypted:false
      SSDEEP:96:kHaJwaG79D743UDXOTdXAdTMrYe0Da9DMURgDvboMsz3DM0hD743SinGfgjdoKZo:saJwapfJr+ks/nGfe4pBjSkRVZ
      MD5:25147AD0E140E1A5D1571959FD18E337
      SHA1:9F3714C6A901034897E4F0A633DE2E4C1A0B9AD8
      SHA-256:BD3A30BE9BFCFBE814A1D495B2692FAF9A3A98560D1431CBE60A64AF3B69326F
      SHA-512:736250D3B1ABD9C3F459D18D442676BD477167AC7DF25E734A74CD327FBFCECBCEE664EE9FBBA983B2861356FCFDB13ACA2A64DC66EB9E9CC4468767B178DF73
      Malicious:false
      Process:C:\Windows\System32\msiexec.exe
      File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
      Category:dropped
      Size (bytes):810
      Entropy (8bit):5.212048265391459
      Encrypted:false
      SSDEEP:24:2dtMEDJ5iN+n8Cg4NnjiNK+wg4NnM23+LAA23KAAQR:ciEDJw0Jg4EK+wg4607AQR
      MD5:6DAEA6599188C59D5DCAB27D6959B31D
      SHA1:112689776AC072AAC8CA474ADC40A148D928D772
      SHA-256:04B850ADAE1D1E58E980E4FAEE571F5D76155206D6ABF542937A7EEFE1D42E05
      SHA-512:E7B07B5B13F0C62180D8FEFA99D3952B2F07017434D8CA21034C055384C103F2B21ADF698EBC50D4FAE664EAB216BAFFC59C478A7F2F99FAE7C99E859DC9437A
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.... <assemblyIdentity type="win32-policy" name="policy.8.0.Microsoft.VC80.OpenMP" version="8.0.50727.6195" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.VC80.OpenMP" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <bindingRedirect oldVersion="8.0.41204.256-8.0.50608.0" newVersion="8.0.50727.6195"/>.. <bindingRedirect oldVersion="8.0.50727.42-8.0.50727.6195" newVersion="8.0.50727.6195"/>.. </dependentAssembly>.. </dependency>....</assembly>..
      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
      Entropy (8bit):7.9971174517933825
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      File size:22'881'736 bytes
      MD5:877d291ad79381cb54de729ac307b613
      SHA1:f57f2b08e73a780ab677cb8a9e8b81e6a9081bd9
      SHA256:f6037690187d1989a891542c29907786e4f4e4a406a0f8b0e3b3049dff4c1af4
      SHA512:11a9812cd5339ae459d0fd3860ad716c33d4a0da88ffa7ab21d631c6804f1b30d13cd86cbeb55f5c16e1f1b9ea593f898b2ae06134cb7d2fcda90488444108f1
      SSDEEP:393216:4Bb85zi6TdPsexXp7gHIClfz0xknseP/U5ttPoGSKNeagF67oTNVEX1nR:4Bb8NXdfXp7BCGk7ctFoNW7obE9R
      TLSH:E637334787A4DC64E232007DCD2C97CAAE497D26732AFC12FAD97A4E95B49D4C20F14B
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7........................PE..L...B..J.................d.
      Icon Hash:f06c56b2969e88d1
      Entrypoint:0x4033e9
      Entrypoint Section:.text
      Digitally signed:true
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE
      Time Stamp:0x4AA7AC42 [Wed Sep 9 13:23:14 2009 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:5
      OS Version Minor:0
      File Version Major:5
      File Version Minor:0
      Subsystem Version Major:5
      Subsystem Version Minor:0
      Import Hash:bf95d1fc1d10de18b32654b123ad5e1f
      Signature Valid:true
      Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
      Signature Validation Error:The operation completed successfully
      Error Number:0
      Not Before, Not After
      • 24/11/2022 00:00:00 23/11/2025 23:59:59
      Subject Chain
• CN=深圳市安佳威视信息技术有限公司, O=深圳市安佳威视信息技术有限公司, S=广东省, C=CN
      Version:3
      Thumbprint MD5:634E7C8816743712E42BAF9D29CD522A
      Thumbprint SHA-1:D38A7488FAE374D5D521D40A11BD0241D89E1098
      Thumbprint SHA-256:5BB65F4586A033A832C8976BF4C47C97DDD8DA067A6F2BD317E9B97A2F14BC45
      Serial:0084A0FD54A4982BA876A8A7AD4B712461
      Instruction
      sub esp, 000002D4h
      push ebx
      push ebp
      push esi
      push edi
      push 00000020h
      xor ebp, ebp
      pop esi
      mov dword ptr [esp+18h], ebp
      mov dword ptr [esp+10h], 00408570h
      mov dword ptr [esp+14h], ebp
      call dword ptr [00408030h]
      push 00008001h
      call dword ptr [004080B4h]
      push ebp
      call dword ptr [004082B0h]
      push 00000008h
      mov dword ptr [00470678h], eax
      call 00007F25687DDDFCh
      push ebp
      push 000002B4h
      mov dword ptr [00470590h], eax
      lea eax, dword ptr [esp+38h]
      push eax
      push ebp
      push 0040856Ch
      call dword ptr [00408180h]
      push 00408554h
      push 00468580h
      call 00007F25687DDCCAh
      call dword ptr [004080B0h]
      push eax
      mov edi, 004C10A0h
      push edi
      call 00007F25687DDCB8h
      push ebp
      call dword ptr [00408130h]
      cmp word ptr [004C10A0h], 0022h
      mov dword ptr [00470598h], eax
      mov eax, edi
      jne 00007F25687DB69Ah
      push 00000022h
      pop esi
      mov eax, 004C10A2h
      push esi
      push eax
      call 00007F25687DD98Ch
      push eax
      call dword ptr [00408250h]
      mov esi, eax
      mov dword ptr [esp+1Ch], esi
      jmp 00007F25687DB721h
      push 00000020h
      pop ebx
      cmp ax, bx
      jne 00007F25687DB699h
      inc esi
      inc esi
      cmp word ptr [esi], bx
      je 00007F25687DB68Bh
      Programming Language:
      • [ C ] VS2005 build 50727
      • [IMP] VS2005 build 50727
      • [ C ] VS2008 SP1 build 30729
      • [RES] VS2008 build 21022
      • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x89f0 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfe000 | 0x24280 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x15cf9e0 | 0x2be8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2c0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6240 | 0x6400 | 1a752074fcd11165f6f148ea63ebe068 | False | 0.656640625 | data | 6.421737576039348 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x18ca | 0x1a00 | 7eb0899a4b6211f8bc545228417d92ad | False | 0.42427884615384615 | data | 4.878367399492845 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x6667c | 0x200 | b0b1d7c362f8cc76541b7fce5014e602 | False | 0.193359375 | data | 1.3587162613330246 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x71000 | 0x8d000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xfe000 | 0x24280 | 0x24400 | 9b9685a62b4faa785739a946acf64a23 | False | 0.12337688577586207 | data | 2.7046010168143297 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xfe568 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.01583757245948184
RT_ICON | 0x10ed90 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.15406243430733654
RT_ICON | 0x118238 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.21911903637222485
RT_ICON | 0x11c460 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.2871369294605809
RT_ICON | 0x11ea08 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.3946998123827392
RT_ICON | 0x11fab0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.48770491803278687
RT_ICON | 0x120438 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5930851063829787
RT_DIALOG | 0x1208a0 | 0x120 | data | English | United States | 0.5138888888888888
RT_DIALOG | 0x1209c0 | 0x202 | data | English | United States | 0.4085603112840467
RT_DIALOG | 0x120bc8 | 0xf8 | data | English | United States | 0.6290322580645161
RT_DIALOG | 0x120cc0 | 0xee | data | English | United States | 0.6260504201680672
RT_DIALOG | 0x120db0 | 0x10c | data | English | United States | 0.5111940298507462
RT_DIALOG | 0x120ec0 | 0x1ee | data | English | United States | 0.3866396761133603
RT_DIALOG | 0x1210b0 | 0xe4 | data | English | United States | 0.6359649122807017
RT_DIALOG | 0x121198 | 0xda | data | English | United States | 0.6376146788990825
RT_DIALOG | 0x121278 | 0x110 | data | English | United States | 0.5183823529411765
RT_DIALOG | 0x121388 | 0x1f2 | data | English | United States | 0.39759036144578314
RT_DIALOG | 0x121580 | 0xe8 | data | English | United States | 0.6508620689655172
RT_DIALOG | 0x121668 | 0xde | data | English | United States | 0.6486486486486487
RT_DIALOG | 0x121748 | 0x10c | data | English | United States | 0.5111940298507462
RT_DIALOG | 0x121858 | 0x1ee | data | English | United States | 0.38866396761133604
RT_DIALOG | 0x121a48 | 0xe4 | data | English | United States | 0.6447368421052632
RT_DIALOG | 0x121b30 | 0xda | data | English | United States | 0.6422018348623854
RT_GROUP_ICON | 0x121c10 | 0x68 | data | English | United States | 0.7692307692307693
RT_VERSION | 0x121c78 | 0x240 | data | English | United States | 0.4930555555555556
RT_MANIFEST | 0x121eb8 | 0x3c8 | XML 1.0 document, ASCII text, with very long lines (968), with no line terminators | English | United States | 0.5196280991735537
DLL: Imports
KERNEL32.dll: SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, MulDiv, lstrlenA, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll: ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, FindWindowExW, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, IsWindow
GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll: SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll: RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system: English
Country where language is spoken: United States
      No network behavior found
      Target ID:0
      Start time:16:28:57
      Start date:04/07/2024
      Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe"
      Imagebase:0x400000
      File size:22'881'736 bytes
      MD5 hash:877D291AD79381CB54DE729AC307B613
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:false

      Target ID:1
      Start time:16:29:10
      Start date:04/07/2024
      Path:C:\Windows\SysWOW64\taskkill.exe
      Wow64 process (32bit):true
      Commandline:"C:\Windows\system32\taskkill.exe" /F /IM IPCTools.exe /T
      Imagebase:0xcf0000
      File size:74'240 bytes
      MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate
      Has exited:true

      Target ID:2
      Start time:16:29:10
      Start date:04/07/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff7699e0000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:4
      Start time:16:29:19
      Start date:04/07/2024
      Path:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe
      Imagebase:0x1000000
      File size:2'710'520 bytes
      MD5 hash:4F1611F2D0AE799507F60C10FF8654C5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Antivirus matches:
      • Detection: 0%, ReversingLabs
      Reputation:low
      Has exited:true

      Target ID:7
      Start time:16:29:21
      Start date:04/07/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff7699e0000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:8
      Start time:16:29:22
      Start date:04/07/2024
      Path:C:\Windows\SysWOW64\msiexec.exe
      Wow64 process (32bit):true
      Commandline:msiexec /i vcredist.msi
      Imagebase:0x860000
      File size:59'904 bytes
      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:9
      Start time:16:29:23
      Start date:04/07/2024
      Path:C:\Windows\System32\msiexec.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\msiexec.exe /V
      Imagebase:0x7ff659c20000
      File size:69'632 bytes
      MD5 hash:E5DA170027542E25EDE42FC54C929077
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:10
      Start time:16:29:24
      Start date:04/07/2024
      Path:C:\Windows\SysWOW64\msiexec.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 8341741E8479EC6D551F124E2FB1671E
      Imagebase:0x860000
      File size:59'904 bytes
      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:11
      Start time:16:29:30
      Start date:04/07/2024
      Path:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      Imagebase:0xa50000
      File size:6'503'984 bytes
      MD5 hash:0FC525B6B7B96A87523DAA7A0013C69D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Antivirus matches:
      • Detection: 0%, ReversingLabs
      Reputation:moderate
      Has exited:false

      Target ID:12
      Start time:16:29:30
      Start date:04/07/2024
      Path:C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe" -burn.unelevated BurnPipe.{A826652D-AFD8-40B6-84B0-7105BE434658} {ED4ADFC9-BDFE-4680-B562-A7A4CCF98333} 6952
      Imagebase:0xa50000
      File size:6'503'984 bytes
      MD5 hash:0FC525B6B7B96A87523DAA7A0013C69D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate
      Has exited:false

      Target ID:13
      Start time:16:29:32
      Start date:04/07/2024
      Path:C:\Windows\System32\rundll32.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      Imagebase:0x7ff60fea0000
      File size:71'680 bytes
      MD5 hash:EF3179D498793BF4234F708D3BE28633
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:19
      Start time:16:29:52
      Start date:04/07/2024
      Path:C:\Windows\System32\SrTasks.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
      Imagebase:0x7ff7e3720000
      File size:59'392 bytes
      MD5 hash:2694D2D28C368B921686FE567BD319EB
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate
      Has exited:true

      Target ID:20
      Start time:16:29:52
      Start date:04/07/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff7699e0000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

        Execution Graph

        Execution Coverage:26.6%
        Dynamic/Decrypted Code Coverage:8.8%
        Signature Coverage:18.7%
        Total number of Nodes:1698
        Total number of Limit Nodes:70
5289->5294 5292 40389b 19 API calls 5291->5292 5296 403c95 CheckDlgButton 5292->5296 5293->5287 5297 403e67 SendMessageW 5293->5297 5294->5293 5295 403da1 5298 4038bd SendMessageW 5295->5298 5308 4038e1 KiUserCallbackDispatcher 5296->5308 5297->5287 5298->5276 5300 403cb3 GetDlgItem 5309 4038f4 SendMessageW 5300->5309 5302 403cc9 SendMessageW 5303 403ce6 GetSysColor 5302->5303 5304 403cef SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5302->5304 5303->5304 5304->5287 5306 403b42 5305->5306 5307 403b24 GlobalAlloc WideCharToMultiByte 5305->5307 5306->5279 5307->5306 5308->5300 5309->5302 5310->5295 5311 406c75 5312 406d27 5311->5312 5313 4067d0 5311->5313 5313->5312 5314 406857 GlobalAlloc 5313->5314 5315 40684e GlobalFree 5313->5315 5316 4068c6 GlobalFree 5313->5316 5317 4068cf GlobalAlloc 5313->5317 5314->5312 5314->5313 5315->5314 5316->5317 5317->5312 5317->5313 4597 401d76 4598 401446 18 API calls 4597->4598 4599 401d7e 4598->4599 4600 401446 18 API calls 4599->4600 4601 401d89 4600->4601 4602 401d9a 4601->4602 4603 40145c 18 API calls 4601->4603 4604 40145c 18 API calls 4602->4604 4608 401dab 4602->4608 4603->4602 4604->4608 4605 401db4 4609 401446 18 API calls 4605->4609 4606 401dff 4607 40145c 18 API calls 4606->4607 4610 401e07 4607->4610 4608->4605 4608->4606 4611 401dbc 4609->4611 4612 40145c 18 API calls 4610->4612 4613 401446 18 API calls 4611->4613 4614 401e11 FindWindowExW 4612->4614 4615 401dc6 4613->4615 4619 401e31 4614->4619 4616 401dd0 SendMessageTimeoutW 4615->4616 4617 401def SendMessageW 4615->4617 4616->4619 4617->4619 4618 402c58 4619->4618 4621 4059d3 wsprintfW 4619->4621 4621->4618 5318 401e76 5319 401446 18 API calls 5318->5319 5320 401e87 SetWindowLongW 5319->5320 5321 402c58 5320->5321 5322 4024f8 5323 4024fc 5322->5323 5324 40145c 18 API calls 5323->5324 5325 40251d 5324->5325 5326 40145c 18 API calls 5325->5326 5327 402528 RegCreateKeyExW 5326->5327 5328 402554 5327->5328 5329 402c58 5327->5329 5330 402570 5328->5330 
5331 40145c 18 API calls 5328->5331 5332 40257d 5330->5332 5334 401446 18 API calls 5330->5334 5333 402566 lstrlenW 5331->5333 5335 402599 RegSetValueExW 5332->5335 5336 402ee7 37 API calls 5332->5336 5333->5330 5334->5332 5337 4025b0 RegCloseKey 5335->5337 5336->5335 5337->5329 5339 402979 5340 40296c 5339->5340 5340->5339 5341 401446 18 API calls 5340->5341 5342 40298e 5341->5342 5343 402995 SetFilePointer 5342->5343 5344 4029a6 5343->5344 5345 402c58 5343->5345 5347 4059d3 wsprintfW 5344->5347 5347->5345 5355 401a7b 5356 401a7d 5355->5356 5357 40145c 18 API calls 5356->5357 5358 401a82 5357->5358 5359 40652d 72 API calls 5358->5359 5360 401a8b 5359->5360 5361 40207d 5362 40145c 18 API calls 5361->5362 5363 402085 5362->5363 5364 405b6c 2 API calls 5363->5364 5365 40208b 5364->5365 5366 40209a 5365->5366 5370 4059d3 wsprintfW 5365->5370 5371 4059d3 wsprintfW 5366->5371 5369 402c58 5370->5366 5371->5369 5372 4015fd 5373 404a47 25 API calls 5372->5373 5374 401605 5372->5374 5373->5374 4751 401ffe 4752 40145c 18 API calls 4751->4752 4753 402005 4752->4753 4754 404a47 25 API calls 4753->4754 4755 40200f 4754->4755 4756 4056c0 2 API calls 4755->4756 4757 402015 4756->4757 4758 402066 FindCloseChangeNotification 4757->4758 4759 402026 WaitForSingleObject 4757->4759 4762 401721 4757->4762 4758->4762 4761 402038 4759->4761 4763 40204a GetExitCodeProcess 4761->4763 4765 405bca 2 API calls 4761->4765 4763->4758 4764 40205d 4763->4764 4768 4059d3 wsprintfW 4764->4768 4767 40203f WaitForSingleObject 4765->4767 4767->4761 4768->4758 5375 401000 5376 401037 BeginPaint GetClientRect 5375->5376 5377 40100c DefWindowProcW 5375->5377 5378 4010fc 5376->5378 5382 401182 5377->5382 5380 401073 CreateBrushIndirect FillRect DeleteObject 5378->5380 5381 401105 5378->5381 5380->5378 5383 401170 EndPaint 5381->5383 5384 40110b CreateFontIndirectW 5381->5384 5383->5382 5384->5383 5385 40111b 6 API calls 5384->5385 5385->5383 5386 10001cc1 5387 10001cf0 5386->5387 5388 10001ce5 5386->5388 
5389 10002b9d 2 API calls 5388->5389 5390 10001cef 5389->5390 5391 401707 5392 40145c 18 API calls 5391->5392 5393 40170f SetFileAttributesW 5392->5393 5394 401721 5393->5394 4112 404b88 4113 404d35 4112->4113 4114 404ba9 GetDlgItem GetDlgItem GetDlgItem 4112->4114 4116 404d66 4113->4116 4117 404d3e GetDlgItem CreateThread FindCloseChangeNotification 4113->4117 4158 4038f4 SendMessageW 4114->4158 4119 404d80 ShowWindow ShowWindow 4116->4119 4120 404db6 4116->4120 4122 404d94 4116->4122 4117->4116 4181 404b1c OleInitialize 4117->4181 4118 404c1d 4126 404c24 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4118->4126 4163 4038f4 SendMessageW 4119->4163 4167 403926 4120->4167 4121 404df2 4121->4120 4134 404dfd SendMessageW 4121->4134 4122->4121 4123 404da5 4122->4123 4124 404dcb ShowWindow 4122->4124 4164 403874 4123->4164 4130 404deb 4124->4130 4131 404ddd 4124->4131 4132 404c93 4126->4132 4133 404c77 SendMessageW SendMessageW 4126->4133 4129 404d2e 4136 403874 SendMessageW 4130->4136 4135 404a47 25 API calls 4131->4135 4137 404ca6 4132->4137 4138 404c98 SendMessageW 4132->4138 4133->4132 4134->4129 4139 404e16 CreatePopupMenu 4134->4139 4135->4130 4136->4121 4159 40389b 4137->4159 4138->4137 4141 40609e 18 API calls 4139->4141 4143 404e26 AppendMenuW 4141->4143 4142 404cb6 4144 404cf3 GetDlgItem SendMessageW 4142->4144 4145 404cbf ShowWindow 4142->4145 4146 404e39 GetWindowRect 4143->4146 4147 404e4c 4143->4147 4144->4129 4150 404d16 SendMessageW SendMessageW 4144->4150 4148 404cd5 ShowWindow 4145->4148 4151 404ce2 4145->4151 4149 404e53 TrackPopupMenu 4146->4149 4147->4149 4148->4151 4149->4129 4152 404e71 4149->4152 4150->4129 4162 4038f4 SendMessageW 4151->4162 4154 404e8d SendMessageW 4152->4154 4154->4154 4155 404eaa OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4154->4155 4156 404ecf SendMessageW 4155->4156 4156->4156 4157 404efa GlobalUnlock SetClipboardData CloseClipboard 4156->4157 4157->4129 4158->4118 4160 40609e 18 API calls 4159->4160 4161 
4038a6 SetDlgItemTextW 4160->4161 4161->4142 4162->4144 4163->4122 4165 403881 SendMessageW 4164->4165 4166 40387b 4164->4166 4165->4120 4166->4165 4168 40393b GetWindowLongW 4167->4168 4178 4039c4 4167->4178 4169 40394c 4168->4169 4168->4178 4170 40395b GetSysColor 4169->4170 4171 40395e 4169->4171 4170->4171 4172 403964 SetTextColor 4171->4172 4173 40396e SetBkMode 4171->4173 4172->4173 4174 403986 GetSysColor 4173->4174 4175 40398c 4173->4175 4174->4175 4176 403993 SetBkColor 4175->4176 4177 40399d 4175->4177 4176->4177 4177->4178 4179 4039b0 DeleteObject 4177->4179 4180 4039b7 CreateBrushIndirect 4177->4180 4178->4129 4179->4180 4180->4178 4188 40390b 4181->4188 4183 404b66 4184 40390b SendMessageW 4183->4184 4185 404b78 OleUninitialize 4184->4185 4186 404b3f 4186->4183 4191 40139b 4186->4191 4189 403923 4188->4189 4190 403914 SendMessageW 4188->4190 4189->4186 4190->4189 4193 4013a2 4191->4193 4192 401410 4192->4186 4193->4192 4194 4013dd MulDiv SendMessageW 4193->4194 4194->4193 5395 40188d 5396 40145c 18 API calls 5395->5396 5397 401895 SearchPathW 5396->5397 5398 4018b2 5397->5398 5399 40248e 5400 4024c0 5399->5400 5401 402494 5399->5401 5403 40145c 18 API calls 5400->5403 5402 40154d 19 API calls 5401->5402 5404 40249b 5402->5404 5405 4024c8 5403->5405 5406 401721 5404->5406 5407 40145c 18 API calls 5404->5407 5410 401497 RegOpenKeyExW 5405->5410 5409 4024ad RegDeleteValueW RegCloseKey 5407->5409 5409->5406 5416 40150f 5410->5416 5418 4014c3 5410->5418 5411 4014e9 RegEnumKeyW 5412 4014fb RegCloseKey 5411->5412 5411->5418 5413 405b93 3 API calls 5412->5413 5415 40150b 5413->5415 5414 401520 RegCloseKey 5414->5416 5415->5416 5419 40153b RegDeleteKeyW 5415->5419 5416->5406 5417 401497 3 API calls 5417->5418 5418->5411 5418->5412 5418->5414 5418->5417 5419->5416 5420 401610 5421 401605 5420->5421 5422 40161b PostQuitMessage 5420->5422 5422->5421 5423 401a90 5424 40145c 18 API calls 5423->5424 5425 401a98 5424->5425 5426 405721 MessageBoxIndirectW 5425->5426 
5427 401721 5426->5427 5428 100017d1 5429 10001837 5428->5429 5430 100017df 5428->5430 5433 10001832 5429->5433 5434 1000184b DrawTextW 5429->5434 5431 1000181b 5430->5431 5436 100017e6 5430->5436 5443 1000144c 5431->5443 5437 1000188b 5434->5437 5435 10001803 SendMessageW 5435->5433 5436->5433 5436->5435 5438 100018e8 5437->5438 5439 100018a8 GetWindowLongW 5437->5439 5438->5433 5442 100018fa DrawFocusRect 5438->5442 5440 100018c6 DrawTextW 5439->5440 5441 100018b7 SetTextColor 5439->5441 5440->5438 5441->5440 5442->5433 5445 1000145e 5443->5445 5444 100014b7 5444->5433 5445->5444 5446 10001681 5445->5446 5447 10001667 5445->5447 5448 100014e7 5445->5448 5446->5444 5449 10001689 SendMessageW 5446->5449 5447->5446 5452 1000166f ShellExecuteW 5447->5452 5450 100014f0 5448->5450 5451 100015ab 5448->5451 5449->5444 5450->5446 5454 10001569 SHBrowseForFolderW 5450->5454 5455 1000152d lstrlenW SHGetDesktopFolder 5450->5455 5453 100015b7 GetWindowTextW 5451->5453 5452->5446 5456 10001602 GetCurrentDirectoryW 5453->5456 5454->5446 5457 1000157d SHGetPathFromIDListW 5454->5457 5460 1000155a 5455->5460 5458 10001623 GetOpenFileNameW 5456->5458 5459 1000161b GetSaveFileNameW 5456->5459 5461 1000159f CoTaskMemFree 5457->5461 5462 1000158f SetWindowTextW 5457->5462 5465 10001629 5458->5465 5459->5465 5460->5454 5461->5446 5462->5461 5463 1000164e SetWindowTextW SetCurrentDirectoryW 5463->5446 5464 10001636 CommDlgExtendedError 5464->5446 5464->5465 5465->5446 5465->5456 5465->5463 5465->5464 4663 402218 4664 40145c 18 API calls 4663->4664 4665 402220 4664->4665 4666 40145c 18 API calls 4665->4666 4667 40222b 4666->4667 4668 40145c 18 API calls 4667->4668 4669 402235 4668->4669 4670 40145c 18 API calls 4669->4670 4671 402240 4670->4671 4672 40145c 18 API calls 4671->4672 4674 40224b 4672->4674 4673 402260 CoCreateInstance 4676 402280 4673->4676 4674->4673 4675 40145c 18 API calls 4674->4675 4675->4673 4677 402c18 SendMessageW 4678 402c34 InvalidateRect 4677->4678 4679 402c58 
4677->4679 4678->4679 5466 10002ad8 5467 10002b0c 5466->5467 5468 10002b21 5467->5468 5469 10002b15 5467->5469 5471 10002168 71 API calls 5468->5471 5470 10002b9d 2 API calls 5469->5470 5472 10002b1f 5470->5472 5473 10002b26 5471->5473 4680 404f19 4681 404f31 4680->4681 4682 40506d 4680->4682 4681->4682 4683 404f3d 4681->4683 4684 4050be 4682->4684 4685 40507e GetDlgItem GetDlgItem 4682->4685 4686 404f48 SetWindowPos 4683->4686 4687 404f5b 4683->4687 4689 405118 4684->4689 4697 40139b 2 API calls 4684->4697 4688 40389b 19 API calls 4685->4688 4686->4687 4691 404f60 ShowWindow 4687->4691 4692 404f78 4687->4692 4693 4050a8 SetClassLongW 4688->4693 4690 40390b SendMessageW 4689->4690 4710 405068 4689->4710 4707 40512a 4690->4707 4691->4692 4694 404f80 DestroyWindow 4692->4694 4695 404f9a 4692->4695 4696 40141d 2 API calls 4693->4696 4747 40537c 4694->4747 4698 404fb0 4695->4698 4699 404f9f SetWindowLongW 4695->4699 4696->4684 4700 4050f0 4697->4700 4703 404fbc GetDlgItem 4698->4703 4719 405027 4698->4719 4699->4710 4700->4689 4704 4050f4 SendMessageW 4700->4704 4701 40141d 2 API calls 4701->4707 4702 40537e DestroyWindow EndDialog 4702->4747 4708 404fec 4703->4708 4709 404fcf SendMessageW IsWindowEnabled 4703->4709 4704->4710 4705 403926 8 API calls 4705->4710 4706 4053ad ShowWindow 4706->4710 4707->4701 4707->4702 4707->4710 4711 40609e 18 API calls 4707->4711 4716 40389b 19 API calls 4707->4716 4723 40389b 19 API calls 4707->4723 4738 4052be KiUserCallbackDispatcher 4707->4738 4712 404ff9 4708->4712 4713 405040 SendMessageW 4708->4713 4714 40500c 4708->4714 4722 404ff1 4708->4722 4709->4708 4709->4710 4711->4707 4712->4713 4712->4722 4713->4719 4717 405014 4714->4717 4718 405029 4714->4718 4715 403874 SendMessageW 4715->4719 4716->4707 4720 40141d 2 API calls 4717->4720 4721 40141d 2 API calls 4718->4721 4719->4705 4720->4722 4721->4722 4722->4715 4722->4719 4724 4051a5 GetDlgItem 4723->4724 4725 4051c3 ShowWindow KiUserCallbackDispatcher 4724->4725 4726 4051ba 
4724->4726 4748 4038e1 KiUserCallbackDispatcher 4725->4748 4726->4725 4728 4051ed KiUserCallbackDispatcher 4731 405201 4728->4731 4729 405206 GetSystemMenu EnableMenuItem SendMessageW 4730 405236 SendMessageW 4729->4730 4729->4731 4730->4731 4731->4729 4749 4038f4 SendMessageW 4731->4749 4750 405a8c lstrcpynW 4731->4750 4734 405264 lstrlenW 4735 40609e 18 API calls 4734->4735 4736 40527a SetWindowTextW 4735->4736 4737 40139b 2 API calls 4736->4737 4737->4707 4739 4052d8 CreateDialogParamW 4738->4739 4738->4747 4740 40530b 4739->4740 4739->4747 4741 40389b 19 API calls 4740->4741 4742 405316 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4741->4742 4743 40139b 2 API calls 4742->4743 4744 40535c 4743->4744 4744->4710 4745 405364 ShowWindow 4744->4745 4746 40390b SendMessageW 4745->4746 4746->4747 4747->4706 4747->4710 4748->4728 4749->4731 4750->4734 5474 401f9b 5475 40145c 18 API calls 5474->5475 5476 401fa2 5475->5476 5477 40145c 18 API calls 5476->5477 5478 401fac 5477->5478 5479 40145c 18 API calls 5478->5479 5480 401fb7 5479->5480 5481 40145c 18 API calls 5480->5481 5482 401fc1 5481->5482 5483 401435 25 API calls 5482->5483 5484 401fc8 ShellExecuteW 5483->5484 5485 401ff9 5484->5485 5486 401c1c 5487 401446 18 API calls 5486->5487 5488 401c26 5487->5488 5489 401446 18 API calls 5488->5489 5490 401c30 5489->5490 5493 4059d3 wsprintfW 5490->5493 5492 402c58 5493->5492 5494 403e9d 5495 403ed6 5494->5495 5496 403ead 5494->5496 5497 403926 8 API calls 5495->5497 5498 40389b 19 API calls 5496->5498 5499 403ee2 5497->5499 5500 403eba SetDlgItemTextW 5498->5500 5500->5495 5501 403a9f 5502 403acb 5501->5502 5503 403aaf 5501->5503 5505 403ad1 SHGetPathFromIDListW 5502->5505 5506 403afe 5502->5506 5512 405705 GetDlgItemTextW 5503->5512 5508 403ae1 5505->5508 5509 403ae8 SendMessageW 5505->5509 5507 403abc SendMessageW 5507->5502 5510 40141d 2 API calls 5508->5510 5509->5506 5510->5509 5512->5507 5513 401ba0 5514 40145c 18 API calls 5513->5514 5515 401ba8 
ExpandEnvironmentStringsW 5514->5515 5516 401bbb 5515->5516 5518 401bcd 5515->5518 5517 401bc1 lstrcmpW 5516->5517 5516->5518 5517->5518 5519 4043a1 5520 4043c6 5519->5520 5521 4043af 5519->5521 5523 4043d4 IsWindowVisible 5520->5523 5529 4043eb 5520->5529 5522 4043b5 5521->5522 5537 40442f 5521->5537 5524 40390b SendMessageW 5522->5524 5526 4043e1 5523->5526 5523->5537 5527 4043bf 5524->5527 5525 404435 CallWindowProcW 5525->5527 5528 404323 5 API calls 5526->5528 5528->5529 5529->5525 5538 405a8c lstrcpynW 5529->5538 5531 40441a 5539 4059d3 wsprintfW 5531->5539 5533 404421 5534 40141d 2 API calls 5533->5534 5535 404428 5534->5535 5540 405a8c lstrcpynW 5535->5540 5537->5525 5538->5531 5539->5533 5540->5537 5541 401822 5542 40145c 18 API calls 5541->5542 5543 401829 GetFullPathNameW 5542->5543 5545 401840 5543->5545 5550 401863 5543->5550 5544 40187b GetShortPathNameW 5546 402c58 5544->5546 5547 405b6c 2 API calls 5545->5547 5545->5550 5548 401853 5547->5548 5548->5550 5551 405a8c lstrcpynW 5548->5551 5550->5544 5550->5546 5551->5550 5552 401625 5553 40162b 5552->5553 5554 40139b 2 API calls 5553->5554 5555 401634 5554->5555 5556 401ca6 5557 40145c 18 API calls 5556->5557 5558 401cae 5557->5558 5559 401446 18 API calls 5558->5559 5560 401cb8 wsprintfW 5559->5560 5561 402c58 5560->5561 3953 10002168 3954 10002191 3953->3954 3960 100021a1 3953->3960 4066 10002b62 3954->4066 3956 10002a71 3958 10002b62 2 API calls 3956->3958 3957 10002197 3959 10002b9d 2 API calls 3957->3959 3958->3957 3962 10002a60 3959->3962 3960->3956 4023 10001e00 3960->4023 3965 100021dc GetDlgItem 3966 10002202 GetDlgItem GetDlgItem GetDlgItem 3965->3966 3967 100021f2 3965->3967 4063 10001085 3966->4063 3968 10002b62 2 API calls 3967->3968 3968->3957 3971 10001085 SetWindowTextW 3972 10002242 3971->3972 3973 10001085 SetWindowTextW 3972->3973 3974 10002253 3973->3974 3975 10002263 EnableWindow 3974->3975 3976 1000226c 3974->3976 3975->3976 3977 100022a0 3976->3977 3978 10002276 EnableWindow 
3976->3978 3980 100022c3 SendMessageW CreateDialogParamW 3977->3980 3981 100022aa ShowWindow 3977->3981 3979 10002287 GetSystemMenu EnableMenuItem 3978->3979 3979->3977 3983 10002a64 3980->3983 3984 100022ff GetWindowRect MapWindowPoints SetWindowPos SendMessageW 3980->3984 3981->3980 3986 10002b62 2 API calls 3983->3986 3985 10002a0e 3984->3985 3993 10002367 3984->3993 3988 10002a1f 3985->3988 4082 1000106e SendMessageW 3985->4082 3986->3957 3989 10001085 SetWindowTextW 3988->3989 3990 10002a2d wsprintfW 3989->3990 4083 10002b9d 3990->4083 3991 100023ae MapDialogRect 3991->3993 3993->3985 3993->3991 3994 100024f0 CreateWindowExW wsprintfW wsprintfW WritePrivateProfileStringW 3993->3994 3996 1000280d SendMessageW 3993->3996 3997 10002968 SendMessageW 3993->3997 4000 10001085 SetWindowTextW 3993->4000 4001 100025c0 SetWindowLongW 3993->4001 4002 10002622 GetModuleHandleW LoadIconW 3993->4002 4003 100025e7 LoadImageW 3993->4003 4004 1000279e SendMessageW 3993->4004 4007 1000264a GetObjectW 3993->4007 4010 1000100f GlobalFree 3993->4010 4011 100028b1 CharNextW 3993->4011 4012 1000267c CreateCompatibleDC SelectObject GetDIBits CreateRectRgn 3993->4012 4013 1000289f SendMessageW 3993->4013 4014 10002778 SetWindowRgn DeleteObject DeleteObject 3993->4014 4015 1000294d SendMessageW 3993->4015 4018 10002735 CreateRectRgn CombineRgn DeleteObject 3993->4018 4019 100028dc 3993->4019 4070 10001d8e 3993->4070 4074 10001000 GlobalAlloc 3993->4074 4078 1000101f lstrlenW 3993->4078 3994->3993 3995 10002584 SendMessageW 3994->3995 3995->3993 3996->3993 3997->3993 3998 10002980 GetWindowLongW SetWindowLongW 3997->3998 3998->3993 4000->3993 4001->3993 4002->3993 4003->3993 4004->3993 4008 100027b8 GetClientRect SetWindowPos 4004->4008 4007->3993 4007->4004 4008->3993 4010->3993 4011->3993 4012->3993 4012->4014 4013->3993 4075 1000100f 4014->4075 4015->3993 4015->4019 4017 100028e5 SendMessageW 4017->4019 4018->3993 4019->3993 4019->3997 4019->4015 4019->4017 4020 1000290a CharNextW 
4019->4020 4021 10002923 SendMessageW 4019->4021 4081 1000106e SendMessageW 4019->4081 4020->4019 4021->4019 4022 10002935 SendMessageW 4021->4022 4022->4019 4086 10001411 4023->4086 4026 10001411 4 API calls 4027 10001e27 4026->4027 4028 10001411 4 API calls 4027->4028 4029 10001e36 4028->4029 4030 10001411 4 API calls 4029->4030 4031 10001e45 4030->4031 4091 1000142f GetPrivateProfileIntW 4031->4091 4033 10001e57 4092 1000142f GetPrivateProfileIntW 4033->4092 4035 10001e6b 4093 1000142f GetPrivateProfileIntW 4035->4093 4037 10001e7c 4094 1000142f GetPrivateProfileIntW 4037->4094 4039 10001e8d 4095 1000142f GetPrivateProfileIntW 4039->4095 4041 10001e9e 4096 1000142f GetPrivateProfileIntW 4041->4096 4043 10001eae 4061 10001ec8 4043->4061 4103 10001000 GlobalAlloc 4043->4103 4045 10002160 4045->3956 4045->3965 4046 10001ef9 wsprintfW 4097 100013e1 GetPrivateProfileStringW 4046->4097 4048 10001d0a lstrcmpiW 4048->4061 4049 100013e1 GetPrivateProfileStringW 4049->4061 4052 10001411 GlobalAlloc lstrlenW lstrcpyW GetPrivateProfileStringW 4052->4061 4053 10001f9b lstrcpyW 4053->4061 4054 10001d8e CharNextW 4054->4061 4055 10001d8e CharNextW 4056 10001ffc GetPrivateProfileStringW 4055->4056 4056->4061 4057 1000142f GetPrivateProfileIntW 4057->4061 4059 1000202d lstrcpyW 4059->4061 4060 1000204c CharNextW 4060->4061 4061->4045 4061->4046 4061->4048 4061->4049 4061->4052 4061->4054 4061->4055 4061->4057 4061->4060 4062 1000101f GlobalAlloc lstrlenW lstrcpyW 4061->4062 4098 10001d3e 4061->4098 4104 10001000 GlobalAlloc 4061->4104 4105 10001000 GlobalAlloc 4061->4105 4062->4061 4064 10001092 4063->4064 4065 1000108c SetWindowTextW 4063->4065 4064->3971 4065->4064 4067 10002b97 4066->4067 4068 10002b6b 4066->4068 4067->3957 4068->4067 4069 10002b70 lstrcpyW GlobalFree 4068->4069 4069->4067 4071 10001df6 4070->4071 4073 10001d97 4070->4073 4071->3993 4072 10001dd7 CharNextW 4072->4073 4073->4071 4073->4072 4074->3993 4076 10001016 GlobalFree 4075->4076 4077 1000101c 4075->4077 
4076->4077 4077->4004 4111 10001000 GlobalAlloc 4078->4111 4080 10001033 lstrcpyW 4080->3993 4081->3993 4082->3988 4084 10002be0 4083->4084 4085 10002ba6 GlobalAlloc lstrcpynW 4083->4085 4084->3962 4085->4084 4106 100013e1 GetPrivateProfileStringW 4086->4106 4088 1000141a 4089 10001428 4088->4089 4090 1000101f 3 API calls 4088->4090 4089->4026 4090->4089 4091->4033 4092->4035 4093->4037 4094->4039 4095->4041 4096->4043 4097->4061 4099 10001d4c 4098->4099 4100 10001d5c CharNextW 4099->4100 4102 10001d84 4099->4102 4107 10001d0a 4099->4107 4100->4099 4102->4061 4103->4061 4104->4053 4105->4059 4106->4088 4108 10001d31 4107->4108 4109 10001d16 4107->4109 4108->4099 4109->4108 4110 10001d18 lstrcmpiW 4109->4110 4110->4108 4110->4109 4111->4080 5562 4028ab 5563 401446 18 API calls 5562->5563 5566 4028b5 5563->5566 5564 402838 5565 4028ee ReadFile 5565->5564 5565->5566 5566->5564 5566->5565 5567 402946 5566->5567 5567->5564 5568 401446 18 API calls 5567->5568 5569 40298e 5568->5569 5570 402995 SetFilePointer 5569->5570 5570->5564 5571 4029a6 5570->5571 5573 4059d3 wsprintfW 5571->5573 5573->5564 4535 40172d 4536 40145c 18 API calls 4535->4536 4537 401735 4536->4537 4538 4057db 4 API calls 4537->4538 4539 40173d 4538->4539 4540 401786 4539->4540 4541 405787 CharNextW 4539->4541 4542 4017aa 4540->4542 4543 40178c 4540->4543 4544 40174b CreateDirectoryW 4541->4544 4546 401435 25 API calls 4542->4546 4545 401435 25 API calls 4543->4545 4544->4539 4547 401761 GetLastError 4544->4547 4548 401793 4545->4548 4552 4017b1 4546->4552 4547->4539 4549 40176e GetFileAttributesW 4547->4549 4553 405a8c lstrcpynW 4548->4553 4549->4539 4551 40179e SetCurrentDirectoryW 4551->4552 4553->4551 5574 4026ae 5575 4026bc 5574->5575 5576 4026bd FindCloseChangeNotification 5575->5576 5577 402c58 5576->5577 5578 402a2f 5579 40145c 18 API calls 5578->5579 5581 402a3c 5579->5581 5580 402a53 5583 4058b2 2 API calls 5580->5583 5581->5580 5582 40145c 18 API calls 5581->5582 5582->5580 5584 402a59 
5583->5584 5604 4058d2 GetFileAttributesW CreateFileW 5584->5604 5586 402a66 5587 402a72 GlobalAlloc 5586->5587 5588 402b0f 5586->5588 5589 402b06 CloseHandle 5587->5589 5590 402a8b 5587->5590 5591 402b16 DeleteFileW 5588->5591 5592 402b29 5588->5592 5589->5588 5605 402ed0 SetFilePointer 5590->5605 5591->5592 5594 402a92 5595 402e9e ReadFile 5594->5595 5596 402a9b GlobalAlloc 5595->5596 5597 402aab 5596->5597 5598 402add WriteFile GlobalFree 5596->5598 5600 402ee7 37 API calls 5597->5600 5599 402ee7 37 API calls 5598->5599 5601 402b04 5599->5601 5603 402ab9 5600->5603 5601->5589 5602 402ad4 GlobalFree 5602->5598 5603->5602 5604->5586 5605->5594 5606 402b2f 5607 401446 18 API calls 5606->5607 5610 402b36 5607->5610 5608 402b85 5612 40609e 18 API calls 5608->5612 5609 402b78 5611 401446 18 API calls 5609->5611 5610->5608 5610->5609 5613 401721 5610->5613 5611->5613 5612->5613 5614 4020af 5615 40145c 18 API calls 5614->5615 5616 4020b7 GetFileVersionInfoSizeW 5615->5616 5617 4020dd GlobalAlloc 5616->5617 5618 402c58 5616->5618 5617->5618 5619 4020f1 GetFileVersionInfoW 5617->5619 5620 402101 VerQueryValueW 5619->5620 5621 402132 GlobalFree 5619->5621 5620->5621 5623 40211a 5620->5623 5621->5618 5627 4059d3 wsprintfW 5623->5627 5625 402126 5628 4059d3 wsprintfW 5625->5628 5627->5625 5628->5621 5629 4029af 5633 4059ec 5629->5633 5632 402c58 5634 4029bd FindClose 5633->5634 5634->5632 5635 403832 5636 40383d 5635->5636 5637 403841 5636->5637 5638 403844 GlobalAlloc 5636->5638 5638->5637 5639 403bb2 5640 403bbc 5639->5640 5641 403bbf lstrcpynW lstrlenW 5639->5641 5640->5641 5642 402db4 5643 402dc6 SetTimer 5642->5643 5644 402ddf 5642->5644 5643->5644 5645 402e34 5644->5645 5646 402df9 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 5644->5646 5646->5645 5647 4017b6 5648 40145c 18 API calls 5647->5648 5649 4017bd 5648->5649 5650 405b6c 2 API calls 5649->5650 5651 4017c3 5650->5651 5652 402bb6 5653 401446 18 API calls 5652->5653 5655 402bbd 5653->5655 5654 40609e 18 API 
calls 5656 401721 5654->5656 5655->5654 5655->5656 5657 401639 5658 404a47 25 API calls 5657->5658 5659 401641 5658->5659 5660 40243c 5661 40145c 18 API calls 5660->5661 5662 402454 5661->5662 5663 40145c 18 API calls 5662->5663 5664 40245e 5663->5664 5665 40145c 18 API calls 5664->5665 5666 402469 GetPrivateProfileStringW lstrcmpW 5665->5666

        Control-flow Graph (function at 00404B88; executed / not-executed graph rendering not reproduced in text)
        APIs
        • GetDlgItem.USER32(?,00000403), ref: 00404BEA
        • GetDlgItem.USER32(?,000003EE), ref: 00404BF9
        • GetClientRect.USER32(?,?), ref: 00404C36
        • GetSystemMetrics.USER32(00000015), ref: 00404C3E
        • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 00404C5F
        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00404C70
        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00404C83
        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00404C91
        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00404CA4
        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00404CC6
        • ShowWindow.USER32(?,00000008), ref: 00404CDA
        • GetDlgItem.USER32(?,000003EC), ref: 00404CFB
        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00404D0B
        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00404D20
        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00404D2C
        • GetDlgItem.USER32(?,000003F8), ref: 00404C08
          • Part of subcall function 004038F4: SendMessageW.USER32(00000028,?,00000001,00405254), ref: 00403902
        • GetDlgItem.USER32(?,000003EC), ref: 00404D4B
        • CreateThread.KERNELBASE(00000000,00000000,Function_00004B1C,00000000), ref: 00404D59
        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00404D60
        • ShowWindow.USER32(00000000), ref: 00404D87
        • ShowWindow.USER32(?,00000008), ref: 00404D8C
        • ShowWindow.USER32(00000008), ref: 00404DD3
        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404E05
        • CreatePopupMenu.USER32 ref: 00404E16
        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00404E2B
        • GetWindowRect.USER32(?,?), ref: 00404E3E
        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00404E60
        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00404E9B
        • OpenClipboard.USER32(00000000), ref: 00404EAB
        • EmptyClipboard.USER32 ref: 00404EB1
        • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00404EBD
        • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00404EC7
        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00404EDB
        • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00404EFD
        • SetClipboardData.USER32(0000000D,00000000), ref: 00404F08
        • CloseClipboard.USER32 ref: 00404F0E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
        • String ID: bD${
        • API String ID: 4154960007-3613428639
        • Opcode ID: 837ed28261cb21d9fdd33db1fc29c1f20fdebf5a0da9cd8c2b80fd9e379c66be
        • Instruction ID: cc077772ac82400a15c7aaa2e3341ab319f48cf7f4dbfdc554f8cc3b51ede946
        • Opcode Fuzzy Hash: 837ed28261cb21d9fdd33db1fc29c1f20fdebf5a0da9cd8c2b80fd9e379c66be
        • Instruction Fuzzy Hash: 48B14AB0900208FFDB11AF61DE85EAE7B79FF44355F00813AFA45BA1A0CB748A519F59

        Control-flow Graph

        APIs
          • Part of subcall function 1000142F: GetPrivateProfileIntW.KERNEL32(?,?,10001E57,NumFields), ref: 10001443
        • wsprintfW.USER32 ref: 10001F1C
        • lstrcpyW.KERNEL32(00000000,All Files|*.*), ref: 10001FA0
        • GetPrivateProfileStringW.KERNEL32(1000855C,Filter,All Files|*.*,All Files|*.*,00002000,00000000), ref: 10002017
          • Part of subcall function 10001000: GlobalAlloc.KERNEL32(00000040,?,10001033,?), ref: 10001006
        • lstrcpyW.KERNEL32(00000000,All Files|*.*), ref: 10002032
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2927234580.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000000.00000002.2927199836.0000000010000000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927275326.0000000010003000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927321116.0000000010004000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927362794.000000001000A000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
        Similarity
        • API ID: PrivateProfilelstrcpy$AllocGlobalStringwsprintf
        • String ID: ...$All Files|*.*$All Files|*.*$BOTTOM$BackButtonText$BackEnabled$CancelButtonText$CancelEnabled$CancelShow$Field %d$Filter$Flags$HWND$HWND2$LEFT$ListItems$MaxLen$MinLen$NextButtonText$NumFields$RIGHT$ROOT$RTL$Rect$Settings$State$T$TEXT$TOP$TYPE$Title$TxtColor$ValidateText
        • API String ID: 3510956051-2700349506
        • Opcode ID: 74814eab59a37cd4291aacab44264521a28409fb92b12d977459fc4dd46b868d
        • Instruction ID: 552bb8bf59d0b84d0ee65c249c25792107186ba20af8b2563b6319c8bef8be22
        • Opcode Fuzzy Hash: 74814eab59a37cd4291aacab44264521a28409fb92b12d977459fc4dd46b868d
        • Instruction Fuzzy Hash: F69188B4800B11AFE711DF758C8599BBBF8FB487C07408929F2859762EDB34E6448B95

        Control-flow Graph

        APIs
        • #17.COMCTL32 ref: 00403408
        • SetErrorMode.KERNELBASE(00008001), ref: 00403413
        • OleInitialize.OLE32(00000000), ref: 0040341A
          • Part of subcall function 00405B93: GetModuleHandleA.KERNEL32(?,?,00000020,0040342C,00000008), ref: 00405BA3
          • Part of subcall function 00405B93: LoadLibraryA.KERNELBASE(?,?,00000020,0040342C,00000008), ref: 00405BAE
          • Part of subcall function 00405B93: GetProcAddress.KERNEL32(00000000,?), ref: 00405BBF
        • SHGetFileInfoW.SHELL32(0040856C,00000000,?,000002B4,00000000), ref: 00403442
          • Part of subcall function 00405A8C: lstrcpynW.KERNEL32(?,?,00002004,00403457,00468580,NSIS Error), ref: 00405A99
        • GetCommandLineW.KERNEL32(00468580,NSIS Error), ref: 00403457
        • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",00000000), ref: 0040346A
        • CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",00000020), ref: 00403491
        • GetTempPathW.KERNEL32(00002004,004D50C8,00000000,00000020), ref: 00403564
        • GetWindowsDirectoryW.KERNEL32(004D50C8,00001FFF), ref: 00403579
        • lstrcatW.KERNEL32(004D50C8,\Temp), ref: 00403585
        • DeleteFileW.KERNELBASE(004D10C0), ref: 0040359C
        • OleUninitialize.OLE32(?), ref: 0040362D
        • ExitProcess.KERNEL32 ref: 0040364D
        • lstrcatW.KERNEL32(004D50C8,~nsu.tmp), ref: 00403659
        • lstrcmpiW.KERNEL32(004D50C8,004CD0B8,004D50C8,~nsu.tmp), ref: 00403665
        • CreateDirectoryW.KERNEL32(004D50C8,00000000), ref: 00403671
        • SetCurrentDirectoryW.KERNEL32(004D50C8), ref: 00403678
        • DeleteFileW.KERNEL32(004321C8,004321C8,?,00475008,0040850C,956,?), ref: 004036C9
        • CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe,004321C8,00000001), ref: 004036DD
        • CloseHandle.KERNEL32(00000000,004321C8,004321C8,?,004321C8,00000000), ref: 0040370A
        • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403760
        • ExitWindowsEx.USER32(00000002,00000000), ref: 0040379C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
        • String ID: /D=$ _?=$"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe"$956$C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
        • API String ID: 2435955865-3368151265
        • Opcode ID: ef4d1003a62755a9552ca011e9b1fc42e044afc92acaaf820046f6ef2b5562f5
        • Instruction ID: 7fcecf3ab292f4a0ff641e3f8455ccdae43a0b13c086a67e821500fbe2ebd556
        • Opcode Fuzzy Hash: ef4d1003a62755a9552ca011e9b1fc42e044afc92acaaf820046f6ef2b5562f5
        • Instruction Fuzzy Hash: 50A1C270500710BAD620AF619D4AF2B3EACEF44349F10483FF585B61D2DB7C8A458BAE

        Control-flow Graph

        APIs
        • GetDlgItem.USER32(?,000003FB), ref: 0040402E
        • SetWindowTextW.USER32(?,?), ref: 0040405B
        • SHAutoComplete.SHLWAPI(?,00000001,00000007,?,?,00000014,?,?,00000001,?), ref: 00404099
        • SHBrowseForFolderW.SHELL32(?), ref: 00404113
        • CoTaskMemFree.OLE32(00000000), ref: 0040411E
        • lstrcmpiW.KERNEL32(Execute: ,00446220,00000000,?,?), ref: 00404150
        • SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040416C
        • lstrcatW.KERNEL32(?,Execute: ), ref: 0040415C
          • Part of subcall function 00405705: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403ABC), ref: 00405718
          • Part of subcall function 00405ABB: CharNextW.USER32(?,*?|<>/":,00000000,004D50C8,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",004D50C8,00000000,00403340,004D50C8,00000002,0040356F), ref: 00405B1E
          • Part of subcall function 00405ABB: CharNextW.USER32(?,?,?,00000000), ref: 00405B2D
          • Part of subcall function 00405ABB: CharNextW.USER32(?,004D50C8,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",004D50C8,00000000,00403340,004D50C8,00000002,0040356F), ref: 00405B32
          • Part of subcall function 00405ABB: CharPrevW.USER32(?,?,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",004D50C8,00000000,00403340,004D50C8,00000002,0040356F), ref: 00405B46
        • GetDiskFreeSpaceExW.KERNELBASE(0043A208,?,?,?,00000000,0043A208,?,?,000003FB,?), ref: 004041DE
        • GetDiskFreeSpaceW.KERNEL32(0043A208,?,?,0000040F,?,0043A208,0043A208,?,00000000,0043A208,?,?,000003FB,?), ref: 0040422E
        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404249
        • SetDlgItemTextW.USER32(00000000,00000400,0040856C), ref: 004042C2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: CharItemText$FreeNext$DiskSpace$AutoBrowseCompleteFolderPrevTaskWindowlstrcatlstrcmpi
        • String ID: bD$956$A$Execute:
        • API String ID: 936030579-2990685995
        • Opcode ID: 538dd0a69e1d074ddd90e464db0fb5aeb096c0c60dae2f219880834f2bfaf779
        • Instruction ID: 5022e851c4c0dfee7aa39c751ba07f12e6589130cc822631718c419351573184
        • Opcode Fuzzy Hash: 538dd0a69e1d074ddd90e464db0fb5aeb096c0c60dae2f219880834f2bfaf779
        • Instruction Fuzzy Hash: 52A19FB1A00209ABDF11AFA1CC85AAF7BB8EF44354F10407BF605B72D1D7789A419F69

        Control-flow Graph

        APIs
        • GetVersion.KERNEL32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,?,00000000,00404A7E,Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00000000,00422130,00000000,00000000), ref: 0040616F
        • GetSystemDirectoryW.KERNEL32(Execute: ,00002004), ref: 004061F1
          • Part of subcall function 00405A8C: lstrcpynW.KERNEL32(?,?,00002004,00403457,00468580,NSIS Error), ref: 00405A99
          • Part of subcall function 0040609E: SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406240
          • Part of subcall function 0040609E: SHGetPathFromIDListW.SHELL32(?,Execute: ), ref: 0040624E
          • Part of subcall function 0040609E: CoTaskMemFree.OLE32(?), ref: 00406259
        • GetWindowsDirectoryW.KERNEL32(Execute: ,00002004), ref: 00406204
        • lstrcatW.KERNEL32(Execute: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040627E
        • lstrlenW.KERNEL32(Execute: ,Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,?,00000000,00404A7E,Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00000000,00422130,00000000,00000000), ref: 004062E0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrcpynlstrlen
        • String ID: 956$Execute: $Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
        • API String ID: 3935908587-3389567074
        • Opcode ID: f35fa50dba9fa5446e01d0b4fb612381b0159b4c2c524df7005a62fdffcff390
        • Instruction ID: a73759585ec18bdf53df06193d5eadd526331b08e283b5dd7bd2a4e89e531c17
        • Opcode Fuzzy Hash: f35fa50dba9fa5446e01d0b4fb612381b0159b4c2c524df7005a62fdffcff390
        • Instruction Fuzzy Hash: 6071E131900211EADB20AF68CD44A7E37B4EB55314F12813FE947BA2E1D77D8DA18B99

        Control-flow Graph

        APIs
        • DeleteFileW.KERNELBASE(?,?,004D50C8), ref: 0040654C
        • lstrcatW.KERNEL32(0045B8F8,\*.*), ref: 0040659C
        • lstrcatW.KERNEL32(?,004082C8), ref: 004065BC
        • lstrlenW.KERNEL32(?), ref: 004065BF
        • FindFirstFileW.KERNELBASE(0045B8F8,?), ref: 004065D3
        • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?), ref: 00406689
        • FindClose.KERNEL32(00000000), ref: 0040669A
        Strings
        • "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe", xrefs: 0040657D
        • \*.*, xrefs: 00406596
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
        • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe"$\*.*
        • API String ID: 2035342205-3208094775
        • Opcode ID: 0e24e07b7e8e67ce82a6f87a387cc229c53a24ab4361793dd41cb788d33d50c4
        • Instruction ID: 23ee1a1cc47faf5c86cb591f7cdd6bffcc4614202aed0ca53166a7a491faaf01
        • Opcode Fuzzy Hash: 0e24e07b7e8e67ce82a6f87a387cc229c53a24ab4361793dd41cb788d33d50c4
        • Instruction Fuzzy Hash: 8951C070800604AADB20AB71CD45AAF7A7CEF40358F12953BF857761D1DB7D8DA18A6C
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: d8b9bd239007d2a991e49b6820cb59db50545e486c1ca01f00f47c255dd93716
        • Instruction ID: 5c02f90b86abb068e99f0897f4ac9ec97012706b7e8864880665a7503c8d7d8d
        • Opcode Fuzzy Hash: d8b9bd239007d2a991e49b6820cb59db50545e486c1ca01f00f47c255dd93716
        • Instruction Fuzzy Hash: BBF17871904249DBDF18CF28C8946E93BB1FF44345F15812AFD5AAB281D338E996CF85
        APIs
        • GetModuleHandleA.KERNEL32(?,?,00000020,0040342C,00000008), ref: 00405BA3
        • LoadLibraryA.KERNELBASE(?,?,00000020,0040342C,00000008), ref: 00405BAE
        • GetProcAddress.KERNEL32(00000000,?), ref: 00405BBF
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: AddressHandleLibraryLoadModuleProc
        • String ID:
        • API String ID: 310444273-0
        • Opcode ID: 0ccf96f21d4775823ebfa39c65d9289fef824585f99c9f9fa051364898666991
        • Instruction ID: 8eba8d962fe89f20eb5686202d750081ed43ed6bc4e4724aeefdc1c10d25eb8b
        • Opcode Fuzzy Hash: 0ccf96f21d4775823ebfa39c65d9289fef824585f99c9f9fa051364898666991
        • Instruction Fuzzy Hash: F7E0C232600B1197D6111F709E0896B777CEF89601302C43EF945F3051DB34B825ABBD
        APIs
        • FindFirstFileW.KERNELBASE(?,0045AEA8,004562A0,00406067,004562A0), ref: 00405B77
        • FindClose.KERNEL32(00000000), ref: 00405B83
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Find$CloseFileFirst
        • String ID:
        • API String ID: 2295610775-0
        • Opcode ID: 73a1733260ae4f655bf9dd8a68387c37ccaae6761a2e7059011e61be2104b62e
        • Instruction ID: 9c8c9209f0c089ba17c9f72a6865cedd31db745af4387da2dba4ded0e7f491b0
        • Opcode Fuzzy Hash: 73a1733260ae4f655bf9dd8a68387c37ccaae6761a2e7059011e61be2104b62e
        • Instruction Fuzzy Hash: FFD012315455205FC3001738AD0CC6B7A68DF153323108B37F8A5F11E0D7349C62CA9D
        APIs
        • CoCreateInstance.OLE32(004089E0,00000000,00000001,004089C0,?,00000000), ref: 00402272
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: CreateInstance
        • String ID:
        • API String ID: 542301482-0
        • Opcode ID: 1c6d11ed87e058663f55421917ee5d98e983020a9fdeaece86056e24ac287b48
        • Instruction ID: a0d189aa544153a830f6f55207b19c3fa72ac38fca0abbf03623e2d11460f6c5
        • Opcode Fuzzy Hash: 1c6d11ed87e058663f55421917ee5d98e983020a9fdeaece86056e24ac287b48
        • Instruction Fuzzy Hash: 31415378A00204AFCB04EFA4C888E9E7B79EF48314F20456AF915EB3E1CB79D941CB54
        APIs
        • GetDlgItem.USER32(?), ref: 100021E9
          • Part of subcall function 10002B62: lstrcpyW.KERNEL32(?,?), ref: 10002B7B
          • Part of subcall function 10002B62: GlobalFree.KERNEL32 ref: 10002B8C
        Memory Dump Source
        • Source File: 00000000.00000002.2927234580.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000000.00000002.2927199836.0000000010000000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927275326.0000000010003000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927321116.0000000010004000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927362794.000000001000A000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
        Similarity
        • API ID: FreeGlobalItemlstrcpy
        • String ID: Field %d$error creating dialog$error finding childwnd$error finding config$error finding mainwnd
        • API String ID: 962754457-942124188
        • Opcode ID: 39627ccdc196b4cb047fd6d931486be3613ca50af7d48c16479d5fb9c7f38baf
        • Instruction ID: 5d8d7bdbe6ca6fcb9a7df3888f4bd44ae8295e94ef714cba6e1b75d0e9b3d3de
        • Opcode Fuzzy Hash: 39627ccdc196b4cb047fd6d931486be3613ca50af7d48c16479d5fb9c7f38baf
        • Instruction Fuzzy Hash: 40527631900658EFEF56CF64CD84AAE3BA9FF083D0F11822AFD55962A9D771D980CB50

        Control-flow Graph (graph figure not reproduced; entry block 404f19, nodes marked Executed / Not Executed)

        APIs
        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404F55
        • ShowWindow.USER32(?), ref: 00404F72
        • DestroyWindow.USER32 ref: 00404F86
        • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404FA2
        • GetDlgItem.USER32(?,?), ref: 00404FC3
        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404FD7
        • IsWindowEnabled.USER32(00000000), ref: 00404FDE
        • GetDlgItem.USER32(?,00000001), ref: 0040508D
        • GetDlgItem.USER32(?,00000002), ref: 00405097
        • SetClassLongW.USER32(?,000000F2,?), ref: 004050B1
        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405102
        • GetDlgItem.USER32(?,00000003), ref: 004051A8
        • ShowWindow.USER32(00000000,?), ref: 004051CA
        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004051DC
        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004051F7
        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040520D
        • EnableMenuItem.USER32(00000000), ref: 00405214
        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040522C
        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040523F
        • lstrlenW.KERNEL32(00446220,?,00446220,00468580), ref: 00405268
        • SetWindowTextW.USER32(?,00446220), ref: 0040527C
        • ShowWindow.USER32(?,0000000A), ref: 004053B0
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Window$Item$MessageSend$Show$CallbackDispatcherLongMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
        • String ID: bD
        • API String ID: 1252290697-3782611806
        • Opcode ID: 7034c599670912a2a3670d570489ed0184364186bc3d40a96d346ae6494d419a
        • Instruction ID: 6837ad429d883923c5186e5106f8e9e4f70e1bb04f853eff51a0522768fd5a3f
        • Opcode Fuzzy Hash: 7034c599670912a2a3670d570489ed0184364186bc3d40a96d346ae6494d419a
        • Instruction Fuzzy Hash: F3C19C71540B04FBDB206F61EE49E2B3BA8EB45345F00053EF646B11F1CAB998519F6E

        Control-flow Graph (graph figure not reproduced; entry block 4053cc, nodes marked Executed / Not Executed)

        APIs
          • Part of subcall function 00405B93: GetModuleHandleA.KERNEL32(?,?,00000020,0040342C,00000008), ref: 00405BA3
          • Part of subcall function 00405B93: LoadLibraryA.KERNELBASE(?,?,00000020,0040342C,00000008), ref: 00405BAE
          • Part of subcall function 00405B93: GetProcAddress.KERNEL32(00000000,?), ref: 00405BBF
        • lstrcatW.KERNEL32(004D10C0,00446220), ref: 00405450
        • lstrlenW.KERNEL32(Execute: ,?,?,?,Execute: ,00000000,004C50A8,004D10C0,00446220,80000001,Control Panel\Desktop\ResourceLocale,00000000,00446220,00000000,00000006,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe"), ref: 004054D3
        • lstrcmpiW.KERNEL32(?,.exe,Execute: ,?,?,?,Execute: ,00000000,004C50A8,004D10C0,00446220,80000001,Control Panel\Desktop\ResourceLocale,00000000,00446220,00000000), ref: 004054E6
        • GetFileAttributesW.KERNEL32(Execute: ), ref: 004054F1
        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C50A8), ref: 00405543
          • Part of subcall function 004059D3: wsprintfW.USER32 ref: 004059E0
        • RegisterClassW.USER32(00468520), ref: 00405593
        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004055AA
        • CreateWindowExW.USER32(00000080,?,00000000,80000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004055DC
          • Part of subcall function 004039D0: SetWindowTextW.USER32(00000000,00468580), ref: 00403A6B
        • ShowWindow.USER32(00000005,00000000), ref: 00405612
        • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405623
        • LoadLibraryW.KERNEL32(RichEd32), ref: 0040562E
        • GetClassInfoW.USER32(00000000,RichEdit20A,00468520), ref: 0040563D
        • GetClassInfoW.USER32(00000000,RichEdit,00468520), ref: 0040564A
        • RegisterClassW.USER32(00468520), ref: 00405657
        • DialogBoxParamW.USER32(?,00000000,00404F19,00000000), ref: 00405676
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
        • String ID: bD$"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe"$.DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$Execute: $RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
        • API String ID: 608394941-3479128306
        • Opcode ID: e5bd86375b049cfdf9392085178ed667b6a17c9246560cd31ef215a591e44f90
        • Instruction ID: 093bf0c0d48276838117c35faa105e0939cf9875183dd8aa56d20d7156519371
        • Opcode Fuzzy Hash: e5bd86375b049cfdf9392085178ed667b6a17c9246560cd31ef215a591e44f90
        • Instruction Fuzzy Hash: BB71DEB0601A01BAD710AFA59D46F6B37ADEB44348F00053BF949B62E1EB7898418F6D

        Control-flow Graph (graph figure not reproduced; entry block 100010db, nodes marked Executed / Not Executed)

        APIs
          • Part of subcall function 10001000: GlobalAlloc.KERNEL32(00000040,?,10001033,?), ref: 10001006
        • lstrlenW.KERNEL32(?), ref: 10001161
        • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 100011BA
        • SendMessageW.USER32(?,00000187,00000000,00000000), ref: 100011CD
        • lstrcatW.KERNEL32(00000000,10003170), ref: 100011DF
        • SendMessageW.USER32(?,00000189,00000000,?), ref: 100011F0
        • lstrcatW.KERNEL32(00000000,?), ref: 100011F7
        • wsprintfW.USER32 ref: 1000121E
        • WritePrivateProfileStringW.KERNEL32(10008528,State,00000000), ref: 10001234
        Memory Dump Source
        • Source File: 00000000.00000002.2927234580.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000000.00000002.2927199836.0000000010000000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927275326.0000000010003000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927321116.0000000010004000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927362794.000000001000A000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
        Similarity
        • API ID: MessageSend$lstrcat$AllocGlobalPrivateProfileStringWritelstrlenwsprintf
        • String ID: Field %d$Settings$State$T
        • API String ID: 1096395104-1936150994
        • Opcode ID: 17cec3b669950b274a13d9cfa8ccf5a3c9039b6b640057dc2b6e307504fc5b0d
        • Instruction ID: 4b0b6636e1f473ce86419a9a4b975d6dff9c5ad7e288d2ff48547d7dd7276540
        • Opcode Fuzzy Hash: 17cec3b669950b274a13d9cfa8ccf5a3c9039b6b640057dc2b6e307504fc5b0d
        • Instruction Fuzzy Hash: AB81BC30100356AFF312DF648C85AEBB7E8FF483C1F104919FA85D616AD774DA958BA2
        APIs
        • SetWindowLongW.USER32(00000004,Function_000016AD), ref: 10001B26
        • SendMessageW.USER32(0000040D,00000000), ref: 10001B41
        • ShowWindow.USER32(00000008), ref: 10001B55
        • KiUserCallbackDispatcher.NTDLL(00000000,00000000,00000000,00000000), ref: 10001B71
        • IsDialogMessageW.USER32(?), ref: 10001B82
        • IsDialogMessageW.USER32(?), ref: 10001B93
        • TranslateMessage.USER32(?), ref: 10001B9E
        • DispatchMessageW.USER32(?), ref: 10001BA9
        • SetWindowLongW.USER32(00000004), ref: 10001BD2
        • DestroyWindow.USER32 ref: 10001BDA
        • ShowWindow.USER32(?), ref: 10001BFC
        • DeleteObject.GDI32(?), ref: 10001C69
        • DestroyIcon.USER32(?,00000000), ref: 10001C78
        Memory Dump Source
        • Source File: 00000000.00000002.2927234580.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000000.00000002.2927199836.0000000010000000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927275326.0000000010003000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927321116.0000000010004000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927362794.000000001000A000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
        Similarity
        • API ID: MessageWindow$DestroyDialogLongShow$CallbackDeleteDispatchDispatcherIconObjectSendTranslateUser
        • String ID: back$cancel$success
        • API String ID: 90777642-2779835836
        • Opcode ID: 9aa108e1a2207078de45db08386b877a9647ddd9a9e035c750345920d5a381d0
        • Instruction ID: bc78fe5ddb0ba243c1ccc17d37403391d08dd1986ae6c78b8a1ad00e53ffe1b8
        • Opcode Fuzzy Hash: 9aa108e1a2207078de45db08386b877a9647ddd9a9e035c750345920d5a381d0
        • Instruction Fuzzy Hash: 17417931500B66EFFB22EF61CC899AB7BBAFB447D1B414525F6808203DDB319A54DB84

        Control-flow Graph (graph figure not reproduced; entry block 402ee7, nodes marked Executed / Not Executed)

        APIs
        • GetTickCount.KERNEL32 ref: 00402F4F
        • GetTickCount.KERNEL32 ref: 00402FCC
        • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00402FF9
        • wsprintfW.USER32 ref: 0040300C
        • WriteFile.KERNELBASE(00000000,00000000,00422130,7FFFFFFF,00000000), ref: 0040303B
        • WriteFile.KERNELBASE(00000000,0041E130,?,00000000,00000000,0041E130,?,000000FF,00000004,00000000,00000000,00000000), ref: 004030D2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: CountFileTickWrite$wsprintf
        • String ID: ... %d%%$0!B$0!B$0A$0A$8!C$8!C
        • API String ID: 651206458-290856634
        • Opcode ID: 7c22093edace8b3e3b007aac59f8a854671dc2c60aab01ff83a21d7070d88c31
        • Instruction ID: 9b2d31bdcfce42785c5313e4b23fc6def9a56b3a20516d1184574d9d2d801bdf
        • Opcode Fuzzy Hash: 7c22093edace8b3e3b007aac59f8a854671dc2c60aab01ff83a21d7070d88c31
        • Instruction Fuzzy Hash: 2F518D3190121AABCF10DF65DA08A9F7BB8AB04755F10417BFA00B32C0D7B89E41CBA9

        Control-flow Graph (rendered graph image not reproduced in text)
        APIs
        • GetTickCount.KERNEL32 ref: 00403100
        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe,00002004,?,?,?,00000000,004035AB,?), ref: 0040311C
          • Part of subcall function 004058D2: GetFileAttributesW.KERNELBASE(00000003,0040312F,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe,80000000,00000003,?,?,?,00000000,004035AB,?), ref: 004058D6
          • Part of subcall function 004058D2: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004035AB,?), ref: 004058F8
        • GetFileSize.KERNEL32(00000000,00000000,004E10E0,00000000,004CD0B8,004CD0B8,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe,80000000,00000003,?,?,?,00000000,004035AB,?), ref: 00403168
        Strings
        • Inst, xrefs: 004031D4
        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040332D
        • "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe", xrefs: 004030F9
        • Error launching installer, xrefs: 0040313F
        • soft, xrefs: 004031DD
        • Null, xrefs: 004031E6
        • C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, xrefs: 0040310B, 00403110, 00403129, 00403149
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: File$AttributesCountCreateModuleNameSizeTick
        • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe"$C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
        • API String ID: 4283519449-3549109603
        • Opcode ID: 782f43ac0ac6225b7bed507801c2eee3527b0c761dae626292279349b3ddde75
        • Instruction ID: 23aa85a9d5b667f9f12526b1b59d525af4a5d2b97e23486fbf8ebf880519bccb
        • Opcode Fuzzy Hash: 782f43ac0ac6225b7bed507801c2eee3527b0c761dae626292279349b3ddde75
        • Instruction Fuzzy Hash: B151D371900218ABDB10DFA5DD85BAE7EACEB0471AF10417FE944B62D1C7788E818F6D

        Control-flow Graph (rendered graph image not reproduced in text)
        APIs
        • lstrcatW.KERNEL32(00000000,00000000), ref: 00401917
        • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00000000,00000000,C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,004C90B0,00000000,00000000), ref: 00401946
          • Part of subcall function 00405A8C: lstrcpynW.KERNEL32(?,?,00002004,00403457,00468580,NSIS Error), ref: 00405A99
          • Part of subcall function 00404A47: lstrlenW.KERNEL32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00422130,00000000,00000000), ref: 00404A7F
          • Part of subcall function 00404A47: lstrlenW.KERNEL32(00403023,Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00422130,00000000,00000000), ref: 00404A8F
          • Part of subcall function 00404A47: lstrcatW.KERNEL32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00403023), ref: 00404AA2
          • Part of subcall function 00404A47: SetWindowTextW.USER32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe), ref: 00404AB4
          • Part of subcall function 00404A47: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404ADA
          • Part of subcall function 00404A47: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404AF4
          • Part of subcall function 00404A47: SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B02
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
        • String ID: 956$C:\Program Files (x86)\IPCTools\IPCTools\IPCTools.exe$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
        • API String ID: 1941528284-2812528609
        • Opcode ID: e0392c4c586b7d17e55c07a15cbf59278c44420d976a0a53bb70fad5cf16f7ba
        • Instruction ID: 9fddd97fb508a68ac4b663ba7cd9ed76fe6da5532ea9f022a761d9023e2c6dde
        • Opcode Fuzzy Hash: e0392c4c586b7d17e55c07a15cbf59278c44420d976a0a53bb70fad5cf16f7ba
        • Instruction Fuzzy Hash: 9D41B471A00614BACB11AB75CD85EAF3A69EF41329F20423BF415F21E1C77C8A51CEAD

        Control-flow Graph (rendered graph image not reproduced in text)
        APIs
        • lstrlenW.KERNEL32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00422130,00000000,00000000), ref: 00404A7F
        • lstrlenW.KERNEL32(00403023,Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00422130,00000000,00000000), ref: 00404A8F
        • lstrcatW.KERNEL32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00403023), ref: 00404AA2
        • SetWindowTextW.USER32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe), ref: 00404AB4
        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404ADA
        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404AF4
        • SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B02
          • Part of subcall function 0040609E: GetVersion.KERNEL32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,?,00000000,00404A7E,Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00000000,00422130,00000000,00000000), ref: 0040616F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
        • String ID: Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
        • API String ID: 2740478559-384339885
        • Opcode ID: 71531ba1b2e3114129d8726e40f59c144b242fc4feec9357e32b9b3f07bfeedf
        • Instruction ID: 7af13ceb09e94af6774ea9d21630e2ae76d7e3f004ebea636ba850bc6bd8f229
        • Opcode Fuzzy Hash: 71531ba1b2e3114129d8726e40f59c144b242fc4feec9357e32b9b3f07bfeedf
        • Instruction Fuzzy Hash: F5217FB1A00118BACB119FA6DD84E9FBFB9FF84314F10417AF944B22A0D7799A509F58

        Control-flow Graph (rendered graph image not reproduced in text)
        APIs
        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 100016F6
        • CallWindowProcW.USER32(?,?,?,?), ref: 10001745
        • PostMessageW.USER32(00000010,00000000,00000000), ref: 10001780
        • GetWindowTextW.USER32(?,00000400), ref: 100017A7
        • MessageBoxW.USER32(00000000,?,00000030), ref: 100017BF
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2927234580.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000000.00000002.2927199836.0000000010000000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927275326.0000000010003000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927321116.0000000010004000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927362794.000000001000A000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
        Similarity
        • API ID: Message$Window$CallPostProcSendText
        • String ID: x
        • API String ID: 630778482-2363233923
        • Opcode ID: a7900139166d8317da78755d004f5363ea2997786619252e675c525cfdb01f16
        • Instruction ID: 130578bf063fa11b9ef770db438e21f89ab58934f340bc053b678190611d6586
        • Opcode Fuzzy Hash: a7900139166d8317da78755d004f5363ea2997786619252e675c525cfdb01f16
        • Instruction Fuzzy Hash: 95319A35640726EFFB21CF50CD85BDA77B4FB087D1F104429FA8A920A8C770AA94CB90
        APIs
        • lstrlenW.KERNEL32(00446220,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00446220,?), ref: 00403F84
        • wsprintfW.USER32 ref: 00403F91
        • SetDlgItemTextW.USER32(?,00446220,000000DF), ref: 00403FA4
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: ItemTextlstrlenwsprintf
        • String ID: bD$%u.%u%s%s
        • API String ID: 3540041739-1843900064
        • Opcode ID: d7ecd48f43ac82c68e3486309e591325042a3a53fd42dce00cc6b01a1226aac0
        • Instruction ID: be0e0bb8a8948cc212994532ab28ff6793b8cb76c4d4e0d5f268d6c0219bbd7d
        • Opcode Fuzzy Hash: d7ecd48f43ac82c68e3486309e591325042a3a53fd42dce00cc6b01a1226aac0
        • Instruction Fuzzy Hash: A8113B327002087BCB10DA699D41E9EB66FABC5334F10423BF619F21D0EAB88A25466D
        APIs
        • GlobalAlloc.KERNELBASE(00000040,00002004), ref: 004026F7
        • WideCharToMultiByte.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp,000000FF,?,00002004,00000000,00000000), ref: 00402730
        • lstrlenA.KERNEL32(?), ref: 00402739
        • WriteFile.KERNELBASE(00000000,?,?,00000000,?,00000000), ref: 00402756
        Strings
        • C:\Users\user\AppData\Local\Temp, xrefs: 00402729
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
        • String ID: C:\Users\user\AppData\Local\Temp
        • API String ID: 2568930968-47812868
        • Opcode ID: 2877805963691602fb0db7fc227ae366174493c29af7a67081d71a3c93aeb165
        • Instruction ID: b1ec0a8e8d15d4b4f13d7b52ed8b9a042a84b9e303b90ad2e7c2b447a5fed102
        • Opcode Fuzzy Hash: 2877805963691602fb0db7fc227ae366174493c29af7a67081d71a3c93aeb165
        • Instruction Fuzzy Hash: 9A012C70500204BAEB152F60CE49BBF3A6CEB04744F10443AFA41FA1E1DBB84D419B59
        APIs
        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,00000000,00000002,?), ref: 00401DDF
        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401DF7
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: MessageSend$Timeout
        • String ID: !
        • API String ID: 1777923405-2657877971
        • Opcode ID: d950c98d427324d0f538fa73d6322dadea05074fd71327892156f1bef3b87e7c
        • Instruction ID: 9e1c4f4bf7069fe57929a9fb1343d6da22d2ba42868ec55998fddbc53f385275
        • Opcode Fuzzy Hash: d950c98d427324d0f538fa73d6322dadea05074fd71327892156f1bef3b87e7c
        • Instruction Fuzzy Hash: 70218071900218AADB15ABB4C946BFD7BB5EF04309F10857EFA02B50E1D77C8A809758
        APIs
        • GetModuleHandleW.KERNELBASE(00000000), ref: 00402175
          • Part of subcall function 00404A47: lstrlenW.KERNEL32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00422130,00000000,00000000), ref: 00404A7F
          • Part of subcall function 00404A47: lstrlenW.KERNEL32(00403023,Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00422130,00000000,00000000), ref: 00404A8F
          • Part of subcall function 00404A47: lstrcatW.KERNEL32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00403023), ref: 00404AA2
          • Part of subcall function 00404A47: SetWindowTextW.USER32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe), ref: 00404AB4
          • Part of subcall function 00404A47: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404ADA
          • Part of subcall function 00404A47: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404AF4
          • Part of subcall function 00404A47: SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B02
        • LoadLibraryExW.KERNELBASE(00000000,00000000,00000008), ref: 00402185
        • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,00000000,00000000,?), ref: 004021FF
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
        • String ID: 956
        • API String ID: 334405425-3111145506
        • Opcode ID: 841ab83f0abe2cdb0b5fafe37b61d522cce6749da3194cdbc318649133987507
        • Instruction ID: a0aadcd4e960106491fa378fc7205a8ac54428ac3f1fe565c4a7430c0f522067
        • Opcode Fuzzy Hash: 841ab83f0abe2cdb0b5fafe37b61d522cce6749da3194cdbc318649133987507
        • Instruction Fuzzy Hash: A3216D35A04324BBCF117BB4CE889AE76645F40B60B204137F656BA1E2CBBC8983865D
        APIs
          • Part of subcall function 00405A8C: lstrcpynW.KERNEL32(?,?,00002004,00403457,00468580,NSIS Error), ref: 00405A99
          • Part of subcall function 004057DB: CharNextW.USER32(?,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",004562A0,?,0040602D,004562A0,004562A0,@e@,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",00000002,00406540,?,004D50C8), ref: 004057E9
          • Part of subcall function 004057DB: CharNextW.USER32(00000000), ref: 004057EE
          • Part of subcall function 004057DB: CharNextW.USER32(00000000), ref: 00405806
        • lstrlenW.KERNEL32(004562A0,?,00000000,004562A0,004562A0,@e@,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",00000002,00406540,?,004D50C8), ref: 00406077
        • GetFileAttributesW.KERNELBASE(004562A0,004562A0), ref: 00406084
        Strings
        • "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe", xrefs: 00406017
        • @e@, xrefs: 00406018
        Similarity
        • API ID: CharNext$AttributesFilelstrcpynlstrlen
        • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe"$@e@
        • API String ID: 3248276644-544740542
        • Opcode ID: 89ed34ce11146f177c5f17de7b663d22da4bb1620eee36480089732da64195e1
        • Instruction ID: fcf788885cf613519db47a6c3f2fe537f89f17915a5c718113ce440a17169326
        • Opcode Fuzzy Hash: 89ed34ce11146f177c5f17de7b663d22da4bb1620eee36480089732da64195e1
        • Instruction Fuzzy Hash: AE012B35145D615AD622F33A0D84EAF2599DE46364757023FF857B21C1DF3C8853887D
        APIs
        • GetTickCount.KERNEL32 ref: 0040591F
        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403366,004D10C0,004D50C8), ref: 0040593A
        Strings
        • "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe", xrefs: 0040590A
        • nsa, xrefs: 0040590E
        Similarity
        • API ID: CountFileNameTempTick
        • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe"$nsa
        • API String ID: 1716503409-1113250525
        • Opcode ID: 8f9989655f15aadf8d0cc60edb10422ff76ceb60520498c0bcc2ef1eb9998b51
        • Instruction ID: 5d7ec9d52ea3925e67f434566bf2f4ffe6e0c56a5a3384118f4878f1e2b9306f
        • Opcode Fuzzy Hash: 8f9989655f15aadf8d0cc60edb10422ff76ceb60520498c0bcc2ef1eb9998b51
        • Instruction Fuzzy Hash: A2F06276610604EBDB109F55DE05E9B7BADEB94720F00803BE984E7290E6B099548B58
        APIs
          • Part of subcall function 004057DB: CharNextW.USER32(?,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",004562A0,?,0040602D,004562A0,004562A0,@e@,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",00000002,00406540,?,004D50C8), ref: 004057E9
          • Part of subcall function 004057DB: CharNextW.USER32(00000000), ref: 004057EE
          • Part of subcall function 004057DB: CharNextW.USER32(00000000), ref: 00405806
        • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,0000005C,00000000), ref: 00401757
        • GetLastError.KERNEL32 ref: 00401761
        • GetFileAttributesW.KERNELBASE(00000000), ref: 0040176F
        • SetCurrentDirectoryW.KERNELBASE(00000000,004C90B0,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040179F
        Similarity
        • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
        • String ID:
        • API String ID: 3751793516-0
        • Opcode ID: 004a327844a9ae6d5a9121b473b83933d3aa937797807638232ec5df4f294c51
        • Instruction ID: 254651b9cedfc67d661083826065b09d50cf7e43aeead84f2e72cd94d5ad4441
        • Opcode Fuzzy Hash: 004a327844a9ae6d5a9121b473b83933d3aa937797807638232ec5df4f294c51
        • Instruction Fuzzy Hash: F301F531504621EBE7206B755D45E6F32A8EF14375B21063BF892F72E2D73C8C418A6D
        APIs
          • Part of subcall function 00404A47: lstrlenW.KERNEL32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00422130,00000000,00000000), ref: 00404A7F
          • Part of subcall function 00404A47: lstrlenW.KERNEL32(00403023,Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00422130,00000000,00000000), ref: 00404A8F
          • Part of subcall function 00404A47: lstrcatW.KERNEL32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00403023), ref: 00404AA2
          • Part of subcall function 00404A47: SetWindowTextW.USER32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe), ref: 00404AB4
          • Part of subcall function 00404A47: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404ADA
          • Part of subcall function 00404A47: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404AF4
          • Part of subcall function 00404A47: SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B02
          • Part of subcall function 004056C0: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00456258,Error launching installer), ref: 004056E5
          • Part of subcall function 004056C0: CloseHandle.KERNEL32(?), ref: 004056F2
        • WaitForSingleObject.KERNEL32(00000000,00000064,?,?,?,?,?,00000000,000000EB,00000000), ref: 0040202F
        • WaitForSingleObject.KERNEL32(?,00000064,0000000F,?,?,?,?,?,00000000,000000EB,00000000), ref: 00402044
        • GetExitCodeProcess.KERNELBASE(?,?), ref: 00402051
        • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,00000000,000000EB,00000000), ref: 004026BD
        Similarity
        • API ID: MessageSend$CloseObjectProcessSingleWaitlstrlen$ChangeCodeCreateExitFindHandleNotificationTextWindowlstrcat
        • String ID:
        • API String ID: 2769198804-0
        • Opcode ID: 42e5b624c68d5bde706ffe172a26e442ae9b88852f199914c96c10e1c4456ebb
        • Instruction ID: 83fe9a89d349f86f740d767fa2db7219cc622dda3a430a7ef0b0426dd47b159f
        • Opcode Fuzzy Hash: 42e5b624c68d5bde706ffe172a26e442ae9b88852f199914c96c10e1c4456ebb
        • Instruction Fuzzy Hash: 5D118231900214EADB119FA1CE08B9E7A75EB04354F104037F615B60E1C7BD8A82DB5D
        APIs
        • GlobalAlloc.KERNELBASE(00000040,00002004,00000000,00000000,00000000,0040219A,00000000,?), ref: 00405C08
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000), ref: 00405C1E
        • GetProcAddress.KERNEL32(?,00000000), ref: 00405C2D
        • GlobalFree.KERNEL32(00000000), ref: 00405C36
        Similarity
        • API ID: Global$AddressAllocByteCharFreeMultiProcWide
        • String ID:
        • API String ID: 2883127279-0
        • Opcode ID: 7b8b1b869dc425c4e8d1decedcc15e3ea1801fb9e202fffad77dd5e1c54a2680
        • Instruction ID: d7fbe5d36eb5badf31992d5501fa29e8c47c8b151734853c79a64c2fed9bdca8
        • Opcode Fuzzy Hash: 7b8b1b869dc425c4e8d1decedcc15e3ea1801fb9e202fffad77dd5e1c54a2680
        • Instruction Fuzzy Hash: 47E092312001107BE2201B269E4CD6B7EACDFCA7B6B00013AF685E11A0CA348C11C678
        APIs
        • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00456258,Error launching installer), ref: 004056E5
        • CloseHandle.KERNEL32(?), ref: 004056F2
        Strings
        • Error launching installer, xrefs: 004056C9
        Similarity
        • API ID: CloseCreateHandleProcess
        • String ID: Error launching installer
        • API String ID: 3712363035-66219284
        • Opcode ID: 3cb8331fcf601d2cd27f36bcb5aa2a347f4293be6f9cce890dcac49e11fd9ab2
        • Instruction ID: 3bef83d431b64371899f9fac0d7cfd1a54596d3c352802c3767d2112f3120323
        • Opcode Fuzzy Hash: 3cb8331fcf601d2cd27f36bcb5aa2a347f4293be6f9cce890dcac49e11fd9ab2
        • Instruction Fuzzy Hash: C1E0C270900219AFEB00AF60DD08D7F7BBDEB00304F804835BD44E2160DBB8D8088B68
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3501b61b8567f84fab1424f98cfed5924d386c66f6266516111d104cc655e320
        • Instruction ID: a4d199e57bfa398cd4eacc61331f6fd5137b182e22051a0b153e2d9d37bcf05a
        • Opcode Fuzzy Hash: 3501b61b8567f84fab1424f98cfed5924d386c66f6266516111d104cc655e320
        • Instruction Fuzzy Hash: ECA15871904248DBDF18CF29C8946AD3BB1FF44355F11822AFD5AAB290C338D985CF85
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 7f629ae8461e937d2c4e670fe4ada93d4b89cd678b2ff9a05af74cd5051e4680
        • Instruction ID: b1b16b1ad4e228a1e796d568e0771b317e6f12c5bfeebec9a7c0ae9e4dbd2df3
        • Opcode Fuzzy Hash: 7f629ae8461e937d2c4e670fe4ada93d4b89cd678b2ff9a05af74cd5051e4680
        • Instruction Fuzzy Hash: C2914771904248DBDF18CF18C894BA93BB1FF44395F11812AFC5AAB291C778E985CF85
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 94ddc3334731d98b37a441b88deb3a0ca94377cb55f299dbf4b693081c1d3289
        • Instruction ID: 1784e8ea9749f4109ed8ad9167c47cdcc61556c5f3fe7baa2daab63b0264b2d2
        • Opcode Fuzzy Hash: 94ddc3334731d98b37a441b88deb3a0ca94377cb55f299dbf4b693081c1d3289
        • Instruction Fuzzy Hash: 39814632904249EBDB14CF29C844AAE3BB1FF44355F11812AFD66AB2D0C778E985CF85
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c3e40f31b5690663473b13ed15acc8d9cac80ec7f0cab5c441810732d6b60604
        • Instruction ID: bf427146a554b7cc0230d1b9f75b6254d6dc71501ee021a57aaa467f8ca9c2f7
        • Opcode Fuzzy Hash: c3e40f31b5690663473b13ed15acc8d9cac80ec7f0cab5c441810732d6b60604
        • Instruction Fuzzy Hash: 03712272900249EBDF18CF19C854AA93BF1FF44355F11812AFD5AAB290C778E995CF84
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 03864b5151e077adfdf06e9f336f228a41beaa51649732e05bc07488563c974e
        • Instruction ID: 687e53b4800846dddad6ae3d45b108b37550ae47d629cf8202107dbcb138958d
        • Opcode Fuzzy Hash: 03864b5151e077adfdf06e9f336f228a41beaa51649732e05bc07488563c974e
        • Instruction Fuzzy Hash: F8714371904248EBDF28CF19C884BAD3BB1FF44355F11812AFC5AAA290C778D995CF85
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 02ef525c397aea98d7688a50e02387eb0ad243192e620c1bda8200b6a98c883b
        • Instruction ID: 52fc29f60602cf876e5744fe0a874947d78bd20a446f9ea943f4b5c813bfee1d
        • Opcode Fuzzy Hash: 02ef525c397aea98d7688a50e02387eb0ad243192e620c1bda8200b6a98c883b
        • Instruction Fuzzy Hash: 84615372900248EBDF18CF19C844BAD3BB1FF44345F11812AFC5AAA291C778E995CF85
        APIs
        • GlobalFree.KERNELBASE(?), ref: 00406851
        • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041E130,00004000), ref: 0040685A
        • GlobalFree.KERNELBASE(?), ref: 004068C9
        • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041E130,00004000), ref: 004068D4
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Global$AllocFree
        • String ID:
        • API String ID: 3394109436-0
        • Opcode ID: 7bbda773e44fb69f719dc36a1a2f034d64895981980a78d6f8d74907cf93e2e3
        • Instruction ID: 3d19d8b63dca09c4ade8603f4c8e551b9b3973ecb90bbd76a0b5d5b89356f9f5
        • Opcode Fuzzy Hash: 7bbda773e44fb69f719dc36a1a2f034d64895981980a78d6f8d74907cf93e2e3
        • Instruction Fuzzy Hash: 72514572910248EBDF18CF19C854AAD3BB1FF44395F11812AFD5AAA291C738D995CF84
        APIs
        • GlobalAlloc.KERNELBASE(00000040,0000400C), ref: 00401D50
          • Part of subcall function 0040609E: GetVersion.KERNEL32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,?,00000000,00404A7E,Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00000000,00422130,00000000,00000000), ref: 0040616F
        • GlobalFree.KERNEL32(00000000), ref: 00402139
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Global$AllocFreeVersion
        • String ID: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
        • API String ID: 2385019812-4041798149
        • Opcode ID: d8844c02b6daa7340249024a8f4dc006079387ba738325c2be04e3f4225c6f33
        • Instruction ID: e99c12b1eefef15e0912125d053ad72f57d1844f77f041fe31b9be10d878993c
        • Opcode Fuzzy Hash: d8844c02b6daa7340249024a8f4dc006079387ba738325c2be04e3f4225c6f33
        • Instruction Fuzzy Hash: 9121AE756042199FE720DF588A41B6F73E8AF14714B10013AE942BB2D0C77CEC119BAE
        APIs
        • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,?,004061CE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Execute: ,Execute: ), ref: 0040597F
        • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,004061CE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Execute: ,Execute: ), ref: 004059A1
        • RegCloseKey.KERNELBASE(?,?,004061CE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Execute: ,Execute: ), ref: 004059C8
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: CloseOpenQueryValue
        • String ID:
        • API String ID: 3677997916-0
        • Opcode ID: ce379d2cd2c6934f93681775daff6b6b388132cfaa10fc4de9bcc8a3fbe1b6f0
        • Instruction ID: 4de6a3358cf05eba261caf69ff157e5a340ee74cf7374b872799ab5327699954
        • Opcode Fuzzy Hash: ce379d2cd2c6934f93681775daff6b6b388132cfaa10fc4de9bcc8a3fbe1b6f0
        • Instruction Fuzzy Hash: E6014C7121020AEAEF21CF64DD05BDB3BA8EF18314F00442AFD04E2160D334D964DBA9
        APIs
        • GetPrivateProfileStringW.KERNEL32(1000141A,10003174,All Files|*.*,00002000,1000141A,?), ref: 10001408
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2927234580.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000000.00000002.2927199836.0000000010000000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927275326.0000000010003000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927321116.0000000010004000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927362794.000000001000A000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
        Similarity
        • API ID: PrivateProfileString
        • String ID: All Files|*.*
        • API String ID: 1096422788-1532680088
        • Opcode ID: b2838711c591a45a07c90bf7108a8256529f99cf152e78c5e8f7bd7c0e9cc928
        • Instruction ID: d88b5b4bbad7d4c8ba823544616766d5dec1e1d5d036ce33a9ed5c51a854e4b7
        • Opcode Fuzzy Hash: b2838711c591a45a07c90bf7108a8256529f99cf152e78c5e8f7bd7c0e9cc928
        • Instruction Fuzzy Hash: 5DC012B0114510AAF7029B20CD84E6B77A9FB543807524110F5405007CC7310410DB1D
        APIs
        • SendMessageW.USER32(00000408,?,00000000,00405027), ref: 00403892
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: MessageSend
        • String ID: x
        • API String ID: 3850602802-2363233923
        • Opcode ID: 57eeb2a02b451bafb4772dfe8bbd541a7df30be3a2b32c1aacc4f7ed116abc9c
        • Instruction ID: f9daf6be08c11530e0af9b99f8157a288ba3aca4c6507d743433864c38cba719
        • Opcode Fuzzy Hash: 57eeb2a02b451bafb4772dfe8bbd541a7df30be3a2b32c1aacc4f7ed116abc9c
        • Instruction Fuzzy Hash: 6AC012B2540200FEEA109B44DF09F267B71B764702F10843DF389200B0CAB00861DF0E
        APIs
        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
        • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: MessageSend
        • String ID:
        • API String ID: 3850602802-0
        • Opcode ID: 6986e8bf7cc5cca9d4b8f8707ab7bf348cc05929b3325d8c50f980aba4dc8df0
        • Instruction ID: 9ca4fcea1734446e571c18d581d711c8f30e1e7f8dad8aee2144fb20bbc68942
        • Opcode Fuzzy Hash: 6986e8bf7cc5cca9d4b8f8707ab7bf348cc05929b3325d8c50f980aba4dc8df0
        • Instruction Fuzzy Hash: E201F431610220EFDB159B359C04B2B3798A784354F10423EF811F62F1EAB8CC828B4D
        APIs
        • ShowWindow.USER32(00000000,00000000), ref: 00401F85
        • EnableWindow.USER32(00000000,00000000), ref: 00401F90
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Window$EnableShow
        • String ID:
        • API String ID: 1136574915-0
        • Opcode ID: 9c1d997ce435100918d1e02bd56d1e9c7ce0291f389b80023d16874fd91e4b12
        • Instruction ID: e721601dc9a86bc51af260462faa58b2ba87a46fcb5f0d02587eec7c3c8bc7ed
        • Opcode Fuzzy Hash: 9c1d997ce435100918d1e02bd56d1e9c7ce0291f389b80023d16874fd91e4b12
        • Instruction Fuzzy Hash: 19E0C232608111CBDB68B7B8AA4967E32A4DB413ADB21007FF103F10E0CB388982865E
        APIs
        • SendMessageW.USER32(?,0000000B,?,00000000), ref: 00402C28
        • InvalidateRect.USER32(?,00000000,00000000), ref: 00402C3B
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: InvalidateMessageRectSend
        • String ID:
        • API String ID: 909852535-0
        • Opcode ID: c40ea29703b66e53f32ae0a92132d7cd93f3c54aa11d9e2cad576fa9b8becf59
        • Instruction ID: 22e9fc0bcce4a1c823542ab75586f084f6abc247a4c130dcf208e40bfa4112a8
        • Opcode Fuzzy Hash: c40ea29703b66e53f32ae0a92132d7cd93f3c54aa11d9e2cad576fa9b8becf59
        • Instruction Fuzzy Hash: DCE01A32640204AFEB159BA4EE09BAD7771E750712F10017AE201B50E0D7B45D91CA0C
        APIs
        • GetFileAttributesW.KERNELBASE(00000003,0040312F,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe,80000000,00000003,?,?,?,00000000,004035AB,?), ref: 004058D6
        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004035AB,?), ref: 004058F8
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: File$AttributesCreate
        • String ID:
        • API String ID: 415043291-0
        • Opcode ID: 0a2f85832d22be582635bab1499ab015b7246acefa136c2a8fff2ea0c335f580
        • Instruction ID: 3557cad305de1e8d8744f7ed922a0974add56b4630c1d6058af0572804785a4b
        • Opcode Fuzzy Hash: 0a2f85832d22be582635bab1499ab015b7246acefa136c2a8fff2ea0c335f580
        • Instruction Fuzzy Hash: 0AD09E71654201EFEF099F20DE1AF6EBBA2EB84B01F11852CB692940E0DAB15819DB15
        APIs
        • GetFileAttributesW.KERNELBASE(?,004066D5,?,?,?), ref: 004058B6
        • SetFileAttributesW.KERNELBASE(?,00000000), ref: 004058C9
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: AttributesFile
        • String ID:
        • API String ID: 3188754299-0
        • Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
        • Instruction ID: 28a88d103941fc2dd0ef0dd07a87eef1b90a733b51023ff35980b695b452f163
        • Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
        • Instruction Fuzzy Hash: 17C01272404900AAD6001B34DF0881A7B22AB90330B258739B4BAE00F0CB3088A99A18
        APIs
        • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 00402431
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: PrivateProfileStringWrite
        • String ID:
        • API String ID: 390214022-0
        • Opcode ID: 0f5bab9435ef4418196c848e0a850ac442965913f8b1b2c4f89307737bc2ff60
        • Instruction ID: 8e8725621107750f7c3c283ad9b5fec1cf4cdcd145fe47c87bda554b22b7f51b
        • Opcode Fuzzy Hash: 0f5bab9435ef4418196c848e0a850ac442965913f8b1b2c4f89307737bc2ff60
        • Instruction Fuzzy Hash: A2F0E5365002246ADB117FA588C48EE7669AB44304B10C03FF6157A1E3CB7C8E8246CD
        APIs
        • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F36,000000FF,00000004,00000000,00000000,00000000), ref: 00402EB5
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: FileRead
        • String ID:
        • API String ID: 2738559852-0
        • Opcode ID: 6eb761298bb8b99514d02d989ea50b9b43b036f115663e871731ccf59cb5bf7b
        • Instruction ID: bd695a607233752ff1959b473a7ca1503adc94cd5dff5db9087338bb7c64902f
        • Opcode Fuzzy Hash: 6eb761298bb8b99514d02d989ea50b9b43b036f115663e871731ccf59cb5bf7b
        • Instruction Fuzzy Hash: F0E08C322A0218BBCB219E91DE08AE73B5CEB047A2F008436B958E51D0D674D952DBF9
        APIs
          • Part of subcall function 00405ABB: CharNextW.USER32(?,*?|<>/":,00000000,004D50C8,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",004D50C8,00000000,00403340,004D50C8,00000002,0040356F), ref: 00405B1E
          • Part of subcall function 00405ABB: CharNextW.USER32(?,?,?,00000000), ref: 00405B2D
          • Part of subcall function 00405ABB: CharNextW.USER32(?,004D50C8,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",004D50C8,00000000,00403340,004D50C8,00000002,0040356F), ref: 00405B32
          • Part of subcall function 00405ABB: CharPrevW.USER32(?,?,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",004D50C8,00000000,00403340,004D50C8,00000002,0040356F), ref: 00405B46
        • CreateDirectoryW.KERNELBASE(004D50C8,00000000,004D50C8,004D50C8,004D50C8,00000002,0040356F), ref: 00403355
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Char$Next$CreateDirectoryPrev
        • String ID:
        • API String ID: 4115351271-0
        • Opcode ID: 21f155177f84042a31560904581374915e8fe13ac79124577b57ec7b8c4dd5d2
        • Instruction ID: 182b4a888b14eede291e3f3c933afb20c7256a96ebb7166a86d69448c351a174
        • Opcode Fuzzy Hash: 21f155177f84042a31560904581374915e8fe13ac79124577b57ec7b8c4dd5d2
        • Instruction Fuzzy Hash: 72D05221107D31B2D45232663D06FCF0A0D8F1232AB01403BF800B21C64A2C0A8288EE
        APIs
        • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,00000000,000000EB,00000000), ref: 004026BD
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: ChangeCloseFindNotification
        • String ID:
        • API String ID: 2591292051-0
        • Opcode ID: 1bb9da72ed8a8def3c9beefa1a1823760abc7437f96bea7d20e3e967cc0a5fef
        • Instruction ID: b3f9bce2a0f5ec9da239c30a94d59304cdb89288d061bc28e97f64cb27cbc135
        • Opcode Fuzzy Hash: 1bb9da72ed8a8def3c9beefa1a1823760abc7437f96bea7d20e3e967cc0a5fef
        • Instruction Fuzzy Hash: 4FD02372608352DBC300E7F4798554F7BD0EF41335310847BD041F1082D634C8518B1D
        APIs
          • Part of subcall function 0040609E: GetVersion.KERNEL32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,?,00000000,00404A7E,Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00000000,00422130,00000000,00000000), ref: 0040616F
        • SetDlgItemTextW.USER32(?,?,00000000), ref: 004038B5
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: ItemTextVersion
        • String ID:
        • API String ID: 1287519508-0
        • Opcode ID: 1b4e83f12fad2669083b10b7e4ba5167054c0782bc8af7f4df01b557aeac1a9d
        • Instruction ID: 3359da5315f57f900709910bc5af3444098700bc88c9eb4d689feefb7e225ffc
        • Opcode Fuzzy Hash: 1b4e83f12fad2669083b10b7e4ba5167054c0782bc8af7f4df01b557aeac1a9d
        • Instruction Fuzzy Hash: 42C08C35048300BFD241EB14CC02F0FB39AEF90315F00C82EB15CA00D1C63688309B26
        APIs
        • SendMessageW.USER32(?,?,00000000,00000000), ref: 0040391D
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: MessageSend
        • String ID:
        • API String ID: 3850602802-0
        • Opcode ID: 407214ede30a7f6d9b973b73e8efb069463cc38d79761b0b3573e85aeabcc409
        • Instruction ID: 69b45b3bc8b6fc0d34d97b513501b7c5dc9b764086351cb4b50b86a37df35bba
        • Opcode Fuzzy Hash: 407214ede30a7f6d9b973b73e8efb069463cc38d79761b0b3573e85aeabcc409
        • Instruction Fuzzy Hash: 70C04C756407007AEA108B619D49F0677689754701F144539B241E50E0DAB4D550D61D
        APIs
        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032C2,?,?,?,?,00000000,004035AB,?), ref: 00402EDE
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: FilePointer
        • String ID:
        • API String ID: 973152223-0
        • Opcode ID: 052875b64ac29a69a56fe5fa30ce1250d27c90eff136e832dd86e8876edcd7ee
        • Instruction ID: 4946e7aaa73dbe9c50503acfc76fe66090dc5a246f76b590ec387925aa062f70
        • Opcode Fuzzy Hash: 052875b64ac29a69a56fe5fa30ce1250d27c90eff136e832dd86e8876edcd7ee
        • Instruction Fuzzy Hash: 4EB09231140300AADA215F009E09F057B21AB90700F108824B291281F086712020EA0D
        APIs
        • SendMessageW.USER32(00000028,?,00000001,00405254), ref: 00403902
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: MessageSend
        • String ID:
        • API String ID: 3850602802-0
        • Opcode ID: 83d18c051255cd1c1bba5d8e8fbd57274dca7168b35988caf70166c51018e129
        • Instruction ID: dfed500a360c9b244f4946477c9ab6bc5a7607930e3a2855ed8480b59d95365e
        • Opcode Fuzzy Hash: 83d18c051255cd1c1bba5d8e8fbd57274dca7168b35988caf70166c51018e129
        • Instruction Fuzzy Hash: ACB09235191600BAEE118B10DE0AF457A62A768701F008038B248640B0CAB204A0DF08
        APIs
        • GetPrivateProfileIntW.KERNEL32(?,?,10001E57,NumFields), ref: 10001443
        Memory Dump Source
        • Source File: 00000000.00000002.2927234580.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000000.00000002.2927199836.0000000010000000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927275326.0000000010003000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927321116.0000000010004000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927362794.000000001000A000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
        Similarity
        • API ID: PrivateProfile
        • String ID:
        • API String ID: 1469295129-0
        • Opcode ID: bf7e6bde9a002fecd1e2f3f3974deb4cd3b08116a77807c2f90240a8fa9c2274
        • Instruction ID: 565d3aa99ec9058a8136abfcfcce385638795d5e16bab03d41eb7a94ee187678
        • Opcode Fuzzy Hash: bf7e6bde9a002fecd1e2f3f3974deb4cd3b08116a77807c2f90240a8fa9c2274
        • Instruction Fuzzy Hash: DBC04836006520FFEA42AB80CD9480ABB66BB98390B00C404F29400038C2328220EF29
        APIs
        • KiUserCallbackDispatcher.NTDLL(?,004051ED), ref: 004038EB
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: CallbackDispatcherUser
        • String ID:
        • API String ID: 2492992576-0
        • Opcode ID: 8079342df3bba9ac3efb629e1831586107a3ceb257d1e2885fe67377d35d1d60
        • Instruction ID: d8cbcbdf3abab120aaf28a20cb536b016074b51c966aff1d93deddca6c377c4d
        • Opcode Fuzzy Hash: 8079342df3bba9ac3efb629e1831586107a3ceb257d1e2885fe67377d35d1d60
        • Instruction Fuzzy Hash: E9A00176444901ABCE029B61EF09C0ABA72BBA4701B1194B9A29551134CB364835EB1A
        APIs
        • GetDlgItem.USER32(?,000003F9), ref: 00404468
        • GetDlgItem.USER32(?,00000408), ref: 00404475
        • GlobalAlloc.KERNEL32(00000040,?), ref: 004044C4
        • LoadBitmapW.USER32(0000006E), ref: 004044D7
        • SetWindowLongW.USER32(?,000000FC,Function_000043A1), ref: 004044F1
        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404503
        • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404517
        • SendMessageW.USER32(?,00001109,00000002), ref: 0040452D
        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404539
        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404549
        • DeleteObject.GDI32(?), ref: 0040454E
        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404579
        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404585
        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404626
        • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404649
        • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040465A
        • GetWindowLongW.USER32(?,000000F0), ref: 00404684
        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404693
        • ShowWindow.USER32(?,00000005), ref: 004046A4
        • SendMessageW.USER32(?,00000419,00000000,?), ref: 004047A2
        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004047FD
        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404812
        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404836
        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040485C
        • ImageList_Destroy.COMCTL32(?), ref: 00404871
        • GlobalFree.KERNEL32(?), ref: 00404881
        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004048F1
        • SendMessageW.USER32(?,00001102,?,?), ref: 0040499F
        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004049AE
        • InvalidateRect.USER32(?,00000000,00000001), ref: 004049CE
        • ShowWindow.USER32(?,00000000), ref: 00404A1E
        • GetDlgItem.USER32(?,000003FE), ref: 00404A29
        • ShowWindow.USER32(00000000), ref: 00404A30
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
        • String ID: $ @$M$N
        • API String ID: 1638840714-3479655940
        • Opcode ID: fa9cb4be411111584c1e0e63c0987f4d751afded1cc115ea68f7f1b3dcfb3194
        • Instruction ID: c40f330a88119666f25e741ba5bd3022804621728526b498b5c7ec81a7431c21
        • Opcode Fuzzy Hash: fa9cb4be411111584c1e0e63c0987f4d751afded1cc115ea68f7f1b3dcfb3194
        • Instruction Fuzzy Hash: BE0278B1900209EFDB109FA4CD45AAE7BB5FB84314F10813AF614B62E0D7788E91DF58
        APIs
        • GetDlgCtrlID.USER32(?), ref: 10001A27
        • OpenClipboard.USER32(?), ref: 10001A5A
        • GetClipboardData.USER32(0000000D), ref: 10001A6A
        • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000), ref: 10001A79
        • lstrlenW.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 10001A87
        • SendMessageW.USER32(?,000000C2,00000001,00000000), ref: 10001AD1
        • GlobalUnlock.KERNEL32(00000302,00000002,?,?,?,?,?,00000000), ref: 10001AE0
        • CloseClipboard.USER32 ref: 10001AE8
        Memory Dump Source
        • Source File: 00000000.00000002.2927234580.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000000.00000002.2927199836.0000000010000000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927275326.0000000010003000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927321116.0000000010004000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927362794.000000001000A000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
        Similarity
        • API ID: Clipboard$Global$CloseCtrlDataLockMessageOpenSendUnlocklstrlen
        • String ID:
        • API String ID: 639725540-0
        • Opcode ID: f0f7da96893f8311533de7e69b20229883ee8fb5db0eb7f45ceff88da8ed5eff
        • Instruction ID: 28d32bfd2df0102279a12f875890ab571ab6411e3ad10c9f7bb229b97b551d8a
        • Opcode Fuzzy Hash: f0f7da96893f8311533de7e69b20229883ee8fb5db0eb7f45ceff88da8ed5eff
        • Instruction Fuzzy Hash: 6B21D335602256ABFB029FB0CC88AEB3BADFF093C1B40C025F942D516DEB71C9519B51
        APIs
        • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 00405C57
        • lstrlenW.KERNEL32(?), ref: 00405C64
        • GetVersionExW.KERNEL32(?), ref: 00405CC2
          • Part of subcall function 00405AAE: CharUpperW.USER32(?,00405C99,?), ref: 00405AB4
        • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00405D01
        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00405D20
        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00405D2A
        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00405D35
        • FreeLibrary.KERNEL32(00000000), ref: 00405D6C
        • GlobalFree.KERNEL32(?), ref: 00405D75
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
        • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
        • API String ID: 20674999-2124804629
        APIs
        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00403CA7
        • GetDlgItem.USER32(?,000003E8), ref: 00403CBB
        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00403CD8
        • GetSysColor.USER32(?), ref: 00403CE9
        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00403CF7
        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00403D05
        • lstrlenW.KERNEL32(?), ref: 00403D10
        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00403D1D
        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00403D2C
          • Part of subcall function 00403B05: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00403C5E,?), ref: 00403B1C
          • Part of subcall function 00403B05: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00403C5E,?), ref: 00403B2B
          • Part of subcall function 00403B05: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00403C5E,?), ref: 00403B3F
        • GetDlgItem.USER32(?,0000040A), ref: 00403D86
        • SendMessageW.USER32(00000000), ref: 00403D8D
        • GetDlgItem.USER32(?,000003E8), ref: 00403DB8
        • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00403DFB
        • LoadCursorW.USER32(00000000,00007F02), ref: 00403E09
        • SetCursor.USER32(00000000), ref: 00403E0C
        • ShellExecuteW.SHELL32(0000070B,open,00460500,00000000,00000000,00000001), ref: 00403E21
        • LoadCursorW.USER32(00000000,00007F00), ref: 00403E2D
        • SetCursor.USER32(00000000), ref: 00403E30
        • SendMessageW.USER32(00000111,00000001,00000000), ref: 00403E5F
        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00403E71
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
        • String ID: Execute: $N$open
        • API String ID: 3928313111-4067340818
        APIs
        • lstrcpyW.KERNEL32(0045A2A8,NUL), ref: 0040633F
        • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,?,?,00406522,00000000,00000000,00000001,004066F5,?,00000000), ref: 0040635E
        • GetShortPathNameW.KERNEL32(00000000,0045A2A8,00000400), ref: 00406367
          • Part of subcall function 00405838: lstrlenA.KERNEL32(00406469,?,00000000,00000000,?,00000000,00406469,00000000,[Rename]), ref: 00405848
          • Part of subcall function 00405838: lstrlenA.KERNEL32(00000000,?,00000000,00406469,00000000,[Rename]), ref: 0040587A
        • GetShortPathNameW.KERNEL32("e@,0045F900,00000400), ref: 00406388
        • WideCharToMultiByte.KERNEL32(00000000,00000000,0045A2A8,000000FF,0045AAA8,00000400,00000000,00000000,?,00000000,?,?,?,00406522,00000000,00000000), ref: 004063B1
        • WideCharToMultiByte.KERNEL32(00000000,00000000,0045F900,000000FF,0045B0F8,00000400,00000000,00000000,?,00000000,?,?,?,00406522,00000000,00000000), ref: 004063C9
        • wsprintfA.USER32 ref: 004063E3
        • GetFileSize.KERNEL32(00000000,00000000,0045F900,C0000000,00000004,0045F900,?), ref: 0040641B
        • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 0040642A
        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406446
        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406476
        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0045B4F8,00000000,-0000000A,004089A0,00000000,[Rename]), ref: 004064C9
          • Part of subcall function 004058D2: GetFileAttributesW.KERNELBASE(00000003,0040312F,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe,80000000,00000003,?,?,?,00000000,004035AB,?), ref: 004058D6
          • Part of subcall function 004058D2: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004035AB,?), ref: 004058F8
        • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 004064DD
        • GlobalFree.KERNEL32(00000000), ref: 004064E4
        • CloseHandle.KERNEL32(?), ref: 004064EE
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
        • String ID: "e@$%s=%s$NUL$[Rename]
        • API String ID: 565278875-458056446
        APIs
        • lstrlenW.KERNEL32(?,?,?,?), ref: 1000152E
        • SHGetDesktopFolder.SHELL32(00000045,?,?,?), ref: 10001538
        • SHBrowseForFolderW.SHELL32(?), ref: 1000156D
        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 10001585
        • SetWindowTextW.USER32(?,?), ref: 10001599
        • CoTaskMemFree.OLE32(00000000,?,?,?), ref: 100015A0
        • GetWindowTextW.USER32(?,?,00000104), ref: 100015F7
        • GetCurrentDirectoryW.KERNEL32(00002000,All Files|*.*,?,?), ref: 10001608
        • GetSaveFileNameW.COMDLG32(00000058,?,?), ref: 1000161B
        • GetOpenFileNameW.COMDLG32(00000058,?,?), ref: 10001623
        • CommDlgExtendedError.COMDLG32(?,?), ref: 10001636
        • SetWindowTextW.USER32(?,?), ref: 10001658
        • SetCurrentDirectoryW.KERNEL32(All Files|*.*,?,?), ref: 1000165F
        • ShellExecuteW.SHELL32(00000000,?,00000000,00000000,0000000A), ref: 1000167B
        • SendMessageW.USER32(00000408,00000001,00000000,?), ref: 100016A0
        Memory Dump Source
        • Source File: 00000000.00000002.2927234580.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000000.00000002.2927199836.0000000010000000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927275326.0000000010003000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927321116.0000000010004000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927362794.000000001000A000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
        Similarity
        • API ID: TextWindow$CurrentDirectoryFileFolderName$BrowseCommDesktopErrorExecuteExtendedFreeFromListMessageOpenPathSaveSendShellTasklstrlen
        • String ID: All Files|*.*$E$X
        • API String ID: 3306596834-2697086818
        APIs
        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
        • BeginPaint.USER32(?,?), ref: 00401047
        • GetClientRect.USER32(?,?), ref: 0040105B
        • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
        • FillRect.USER32(00000000,?,00000000), ref: 004010ED
        • DeleteObject.GDI32(?), ref: 004010F6
        • CreateFontIndirectW.GDI32(?), ref: 0040110E
        • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
        • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
        • SelectObject.GDI32(00000000,?), ref: 00401149
        • DrawTextW.USER32(00000000,00468580,000000FF,00000010,00000820), ref: 0040115F
        • SelectObject.GDI32(00000000,00000000), ref: 00401169
        • DeleteObject.GDI32(?), ref: 0040116E
        • EndPaint.USER32(?,?), ref: 00401177
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
        • String ID: F
        • API String ID: 941294808-1304234792
        APIs
        • GetWindowLongW.USER32(?,000000EB), ref: 00403940
        • GetSysColor.USER32(00000000), ref: 0040395C
        • SetTextColor.GDI32(?,00000000), ref: 00403968
        • SetBkMode.GDI32(?,?), ref: 00403974
        • GetSysColor.USER32(?), ref: 00403987
        • SetBkColor.GDI32(?,?), ref: 00403997
        • DeleteObject.GDI32(?), ref: 004039B1
        • CreateBrushIndirect.GDI32(?), ref: 004039BB
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
        • String ID:
        • API String ID: 2320649405-0
        APIs
        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402A83
        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,00000000), ref: 00402AA0
        • GlobalFree.KERNEL32(?), ref: 00402AD7
        • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00402AEB
        • GlobalFree.KERNEL32(00000000), ref: 00402AF2
        • CloseHandle.KERNEL32(?), ref: 00402B09
        • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402B1C
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
        • String ID:
        • API String ID: 3294113728-0
        APIs
        • CharNextW.USER32(?,*?|<>/":,00000000,004D50C8,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",004D50C8,00000000,00403340,004D50C8,00000002,0040356F), ref: 00405B1E
        • CharNextW.USER32(?,?,?,00000000), ref: 00405B2D
        • CharNextW.USER32(?,004D50C8,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",004D50C8,00000000,00403340,004D50C8,00000002,0040356F), ref: 00405B32
        • CharPrevW.USER32(?,?,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",004D50C8,00000000,00403340,004D50C8,00000002,0040356F), ref: 00405B46
        Strings
        • "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe", xrefs: 00405AC5
        • *?|<>/":, xrefs: 00405B0D
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Char$Next$Prev
        • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe"$*?|<>/":
        • API String ID: 589700163-3933476332
        APIs
        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0040433E
        • GetMessagePos.USER32 ref: 00404346
        • ScreenToClient.USER32(?,?), ref: 0040435E
        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404370
        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404396
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Message$Send$ClientScreen
        • String ID: f
        • API String ID: 41195575-1993550816
        APIs
        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD2
        • MulDiv.KERNEL32(015CF9D9,00000064,015D25C8), ref: 00402DFD
        • wsprintfW.USER32 ref: 00402E0D
        • SetWindowTextW.USER32(?,?), ref: 00402E1D
        • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E2F
        Strings
        • verifying installer: %d%%, xrefs: 00402E07
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Text$ItemTimerWindowwsprintf
        • String ID: verifying installer: %d%%
        • API String ID: 1451636040-82062127
        APIs
        • SendMessageW.USER32(?,?,?), ref: 10001810
        • DrawTextW.USER32(?,-10008310,000000FF,?,00000414), ref: 10001879
        • GetWindowLongW.USER32(?,000000EB), ref: 100018AD
        • SetTextColor.GDI32(?,?), ref: 100018C0
        • DrawTextW.USER32(?,?,000000FF,?,?), ref: 100018E6
        • DrawFocusRect.USER32(?,00000010), ref: 10001901
        Memory Dump Source
        • Source File: 00000000.00000002.2927234580.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
        Similarity
        • API ID: DrawText$ColorFocusLongMessageRectSendWindow
        • String ID:
        • API String ID: 491839470-0
        • Opcode ID: 967768b3cfd73977392e470d2c623e0ef65f221a345cc916fb2f18aa994a2fb5
        • Instruction ID: 48e9e54ded9df787b2ad71e7d80ddcbc3cbbb35c5effc91ff0948fd165971a54
        • Opcode Fuzzy Hash: 967768b3cfd73977392e470d2c623e0ef65f221a345cc916fb2f18aa994a2fb5
        • Instruction Fuzzy Hash: 46417C7190021AABEF05CF94CC80AEA7BA5FB09390F048565FD11DA1AAC771DAA0CB60
        APIs
        • GetDlgCtrlID.USER32(?), ref: 10001927
        • CallWindowProcW.USER32(?,?,?,?,?), ref: 10001995
        • MapWindowPoints.USER32(00000000,?,?,00000001), ref: 100019D3
        • PtInRect.USER32(-10008334,?,?), ref: 100019E3
        • LoadCursorW.USER32(00000000,00007F89), ref: 10001A04
        • SetCursor.USER32(00000000,?,00000000), ref: 10001A13
        Memory Dump Source
        • Source File: 00000000.00000002.2927234580.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000000.00000002.2927199836.0000000010000000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927275326.0000000010003000.00000002.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927321116.0000000010004000.00000004.00000001.01000000.00000007.sdmp
        • Associated: 00000000.00000002.2927362794.000000001000A000.00000002.00000001.01000000.00000007.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
        Similarity
        • API ID: CursorWindow$CallCtrlLoadPointsProcRect
        • String ID:
        • API String ID: 3496465773-0
        • Opcode ID: afd39e41ba83250591a33b80561070f846d3f6bbda42755ea278ecf21e6c1463
        • Instruction ID: b0e8c61feadedf66eb9fe375a3c2a4394374b69d4168670c7e380582f1df821d
        • Opcode Fuzzy Hash: afd39e41ba83250591a33b80561070f846d3f6bbda42755ea278ecf21e6c1463
        • Instruction Fuzzy Hash: 7831D032910206ABFB11CF78CD99BEE7BE8EB057D1F004628FA12D6098D775D9808B60
        APIs
        • RegCreateKeyExW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00402546
        • lstrlenW.KERNEL32(C:\Program Files (x86)\IPCTools\IPCTools\IPCTools.exe), ref: 00402567
        • RegSetValueExW.ADVAPI32(?,?,00000000,?,C:\Program Files (x86)\IPCTools\IPCTools\IPCTools.exe,00000000), ref: 004025A6
        • RegCloseKey.ADVAPI32(?), ref: 004025B6
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: CloseCreateValuelstrlen
        • String ID: C:\Program Files (x86)\IPCTools\IPCTools\IPCTools.exe
        • API String ID: 1356686001-1351285524
        • Opcode ID: ffbe4bed8aac244d523620c8e909d96bf5353093f07b49712211e57b8bf6005c
        • Instruction ID: 41edd205f1e1c6ba942205d40346f4e7258e23828796bc0f6f9423391be50428
        • Opcode Fuzzy Hash: ffbe4bed8aac244d523620c8e909d96bf5353093f07b49712211e57b8bf6005c
        • Instruction Fuzzy Hash: 7921B371A00204BFEB20AB65DE89EAF7779EB44714F10413BF505B61E1D6B49A818A6C
        APIs
        • IsWindowVisible.USER32(?), ref: 004043D7
        • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404445
          • Part of subcall function 0040390B: SendMessageW.USER32(?,?,00000000,00000000), ref: 0040391D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Window$CallMessageProcSendVisible
        • String ID: $ bD$956
        • API String ID: 3748168415-1465328316
        • Opcode ID: abbe492218b28b9bdeea7d8afd2912677e6ef30daed32230156002a49c17c970
        • Instruction ID: ebfa5544960bfb21be962cec59c729a1d1dc88f25bd56b5165bab68fb53ce8f2
        • Opcode Fuzzy Hash: abbe492218b28b9bdeea7d8afd2912677e6ef30daed32230156002a49c17c970
        • Instruction Fuzzy Hash: 13116DB1600208BFDB11AF51DC41A9F3629AB94766F40C13BFA047A1A2C7B88D519FA9
        APIs
        • GetDC.USER32(?), ref: 00401EF7
        • GetDeviceCaps.GDI32(00000000), ref: 00401EFE
        • MulDiv.KERNEL32(00000000,00000000), ref: 00401F0E
          • Part of subcall function 0040609E: GetVersion.KERNEL32(Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,?,00000000,00404A7E,Execute: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe,00000000,00422130,00000000,00000000), ref: 0040616F
        • CreateFontIndirectW.GDI32(0041E0D0), ref: 00401F61
          • Part of subcall function 004059D3: wsprintfW.USER32 ref: 004059E0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
        • String ID: MS Shell Dlg
        • API String ID: 1599320355-76309092
        • Opcode ID: 4151e9e6646211d68e0b01c73e9f666b9ef3c0423fd98fa2ac5e1d8186cab821
        • Instruction ID: c71fed1a4547a314f9984c6b20d8b8eb615b3007d4d05efb6ac5f24abf254022
        • Opcode Fuzzy Hash: 4151e9e6646211d68e0b01c73e9f666b9ef3c0423fd98fa2ac5e1d8186cab821
        • Instruction Fuzzy Hash: 3301D4766442509FE700DBB5AD4ABDE3FA4AB19305F10C83AF642B61E2C6B880008B3D
        APIs
        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014B9
        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014F5
        • RegCloseKey.ADVAPI32(?), ref: 004014FE
        • RegCloseKey.ADVAPI32(?), ref: 00401523
        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401541
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Close$DeleteEnumOpen
        • String ID:
        • API String ID: 1912718029-0
        • Opcode ID: fbd18dba335e43c75763f64bb0bb5c94245b4effa88c7c9cde83b95e40856df9
        • Instruction ID: a91016886583abb331cfcd6d4321b7b442fb6de7ec7c95ca61d5159da64f5b29
        • Opcode Fuzzy Hash: fbd18dba335e43c75763f64bb0bb5c94245b4effa88c7c9cde83b95e40856df9
        • Instruction Fuzzy Hash: 1E115676500008FBEF10AFA0DE84AAE3B6DEB84348F00443AF906E51B0D7359E55AE29
        APIs
        • GetFileVersionInfoSizeW.VERSION(00000000,?), ref: 004020BF
        • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?), ref: 004020E0
        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 004020F8
        • VerQueryValueW.VERSION(?,004082C8,?,?,?,00000000,00000000,00000000), ref: 00402111
          • Part of subcall function 004059D3: wsprintfW.USER32 ref: 004059E0
        • GlobalFree.KERNEL32(00000000), ref: 00402139
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
        • String ID:
        • API String ID: 3376005127-0
        • Opcode ID: 37879b160aaf2956a664f736376cea0444dc5f9e1d3d32a6d4288f8e3bae473d
        • Instruction ID: 9a2d1482e3ef973d65bece09fcd40f3bdae37d2b0713022bee5a62afc67b7ea4
        • Opcode Fuzzy Hash: 37879b160aaf2956a664f736376cea0444dc5f9e1d3d32a6d4288f8e3bae473d
        • Instruction Fuzzy Hash: 3A118C72900204BBDB11EFA5DE08B9E77B8EF08314F10817AF604FA1E1E778C9418B69
        APIs
        • CharNextW.USER32(?,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",004562A0,?,0040602D,004562A0,004562A0,@e@,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",00000002,00406540,?,004D50C8), ref: 004057E9
        • CharNextW.USER32(00000000), ref: 004057EE
        • CharNextW.USER32(00000000), ref: 00405806
        Strings
        • "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe", xrefs: 004057E3
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: CharNext
        • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe"
        • API String ID: 3213498283-2611906728
        • Opcode ID: af5ee6a4c00f60c399368bb2218fa231c777b399e1778d3c2c7167b5008f4af5
        • Instruction ID: 1d7caef292293c462532d382eec5a74340b72184e0554700edf354eaaf1083f6
        • Opcode Fuzzy Hash: af5ee6a4c00f60c399368bb2218fa231c777b399e1778d3c2c7167b5008f4af5
        • Instruction Fuzzy Hash: FFF0CD23950B2195DB3176944C94A3762A8EB54360B04D03BEA42A32C093B848A08AAA
        APIs
        • DestroyWindow.USER32(00000000,00000000,0040326B,00000001,?,?,?,00000000,004035AB,?), ref: 00402E4D
        • GetTickCount.KERNEL32 ref: 00402E6B
        • CreateDialogParamW.USER32(0000006F,00000000,00402DB4,00000000), ref: 00402E88
        • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,004035AB,?), ref: 00402E96
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Window$CountCreateDestroyDialogParamShowTick
        • String ID:
        • API String ID: 2102729457-0
        • Opcode ID: 7a01a7daa08511171fc0a3bc874b55fee4ea5e5a25c8e0ce107f659bed9dad89
        • Instruction ID: 7d0765bb49ed1e31724d77003bc7cd800529b80501a661ccb4cac3cbf8faf382
        • Opcode Fuzzy Hash: 7a01a7daa08511171fc0a3bc874b55fee4ea5e5a25c8e0ce107f659bed9dad89
        • Instruction Fuzzy Hash: 9DF05430951621EBC661AF20FE4CAABBB64BB04B51F00047EF985F11E4C77448928BDD
        APIs
        • lstrlenW.KERNEL32(00000000), ref: 0040287C
        • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp,00000000,?,00000000,00000000), ref: 004028A0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: FileWritelstrlen
        • String ID: C:\Users\user\AppData\Local\Temp
        • API String ID: 427699356-47812868
        • Opcode ID: c2075460aa9f6e240092413906f2b9d2a8a3f78981471fdfe77b6499a2d7e4d9
        • Instruction ID: 2b3c6453146c5d786777c48190b41b49aeee585f54ba4bcc8af39dd9e1c6465e
        • Opcode Fuzzy Hash: c2075460aa9f6e240092413906f2b9d2a8a3f78981471fdfe77b6499a2d7e4d9
        • Instruction Fuzzy Hash: 40F0B436600200E7DB14B7A5D98ABEF2368EF00348F10493BF102F20E1D7BC85939A5E
        APIs
        • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,00002003,00000000), ref: 00402478
        • lstrcmpW.KERNEL32(?,?,?,00002003,00000000), ref: 00402483
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: PrivateProfileStringlstrcmp
        • String ID: !N~
        • API String ID: 623250636-529124213
        • Opcode ID: fc1006ea5aab162bbc40b6df3c94a123494fc128051bda68380e80ee4f4a212d
        • Instruction ID: 97e2760095c772b904354d470d60f9b26315119a41df21907abd1c807f0e2d98
        • Opcode Fuzzy Hash: fc1006ea5aab162bbc40b6df3c94a123494fc128051bda68380e80ee4f4a212d
        • Instruction Fuzzy Hash: 5CF01275900214ABDB00BFA8DD859AE3BBCAB08300B00412EF601F71A2D67449019B94
        APIs
        • FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe",00000000,00000002,004033DC,0040362D,?), ref: 004037F9
        • GlobalFree.KERNEL32(?), ref: 00403800
        Strings
        • "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe", xrefs: 004037F1
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: Free$GlobalLibrary
        • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe"
        • API String ID: 1100898210-2611906728
        • Opcode ID: dc253e1036a46ae0d3aa734275121ef2a9ae6faa48272797afa94833ff7699cf
        • Instruction ID: cf1ce61a12738d4872a7a17e2c1479cdd21c57cdc72b6eeb5397a79dad939526
        • Opcode Fuzzy Hash: dc253e1036a46ae0d3aa734275121ef2a9ae6faa48272797afa94833ff7699cf
        • Instruction Fuzzy Hash: 03E01273411130ABCA226F15E90476ABB68BF45F73F16C57EFD807B2A18B745C4186D8
        APIs
        • lstrlenA.KERNEL32(00406469,?,00000000,00000000,?,00000000,00406469,00000000,[Rename]), ref: 00405848
        • lstrcmpiA.KERNEL32(00000000,00406469), ref: 00405860
        • CharNextA.USER32(00000000,?,00000000,00406469,00000000,[Rename]), ref: 00405871
        • lstrlenA.KERNEL32(00000000,?,00000000,00406469,00000000,[Rename]), ref: 0040587A
        Memory Dump Source
        • Source File: 00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000040E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.000000000043E000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000460000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000471000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.0000000000475000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004C1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004DD000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2922790957.00000000004F1000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
        Similarity
        • API ID: lstrlen$CharNextlstrcmpi
        • String ID:
        • API String ID: 190613189-0
        • Opcode ID: cd19360c238f1349a786dd8267181da6a2629ba8d2dc02acca249f0761a9dd09
        • Instruction ID: 6d19c692ea9b18faa059ead4f9dca4c3e77bc2fe4a7d4fd15b965f68100645cf
        • Opcode Fuzzy Hash: cd19360c238f1349a786dd8267181da6a2629ba8d2dc02acca249f0761a9dd09
        • Instruction Fuzzy Hash: 95F0C236101448EFC701AFA5DD00D9F7BA8EF06350B2180BAEC41E7310DA34DE019FA4
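The .sdmp names in the Memory Dump Source block above encode where each dump was taken from. The Python below is an added editor's example, not part of the Joe Sandbox report or its tooling: it decodes those names into a module map so a reviewer can see at a glance which dump is the executable image region (here the one at 0x401000) before loading anything into a disassembler. The field layout (process index, stage, dump id, base address, page protection, an unknown field, region type, group index) is inferred from the values on this page and is an assumption; only the PAGE_* and MEM_* constants are the documented Windows values.

```python
"""Decode Joe Sandbox .sdmp memory-dump names into a module map.

Field layout is inferred from the names in this report and is an assumption:
  <process index>.<stage>.<dump id>.<base address>.<page protection>
  .<unknown>.<region type>.<group index>.sdmp
The protection and region-type values match the Windows PAGE_* and MEM_*
constants from winnt.h, which is how they are decoded here.
"""
import re

PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_BITS = 0xF0  # any of the PAGE_EXECUTE* values
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

HEX8 = r"([0-9A-Fa-f]{8})"
SDMP_RE = re.compile(
    rf"^{HEX8}\.{HEX8}\.(\d+)\.([0-9A-Fa-f]{{16}})\.{HEX8}\.{HEX8}\.{HEX8}\.{HEX8}\.sdmp$"
)

# Names copied from the "Memory Dump Source" block of this report.
REPORT_DUMPS = [
    "00000000.00000002.2922583547.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2922490080.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2922703255.0000000000408000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2922790957.000000000040A000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2922790957.0000000000412000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2923759156.00000000004FE000.00000002.00000001.01000000.00000003.sdmp",
]


def decode_sdmp_name(name):
    """Split one dump name into its fields and decode the flag fields."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an sdmp name in the assumed layout: {name!r}")
    proc, stage, dump_id, base, prot, unknown, region, group = m.groups()
    prot_val = int(prot, 16)
    region_val = int(region, 16)
    return {
        "process_index": int(proc, 16),
        "stage": int(stage, 16),
        "dump_id": dump_id,
        "base": int(base, 16),
        # PAGE_GUARD / PAGE_NOCACHE sit above the low byte; mask them off
        "protection": PAGE_PROTECTION.get(prot_val & 0xFF, f"{prot_val:#x}"),
        "executable": bool(prot_val & EXECUTE_BITS),
        "region_type": MEM_TYPE.get(region_val, f"{region_val:#x}"),
        "group": int(group, 16),
        "unknown": unknown,  # field 6: meaning not known, kept verbatim
    }


def module_map(names):
    """Decoded dumps ordered by base address, read like a section table."""
    return sorted((decode_sdmp_name(n) for n in names), key=lambda d: d["base"])


def executable_dumps(names):
    """Image-backed, executable dumps: the ones to load into a disassembler."""
    return [d for d in module_map(names)
            if d["executable"] and d["region_type"] == "MEM_IMAGE"]


if __name__ == "__main__":
    for d in module_map(REPORT_DUMPS):
        flag = "X" if d["executable"] else " "
        print(f"{d['base']:#010x} {flag} {d['protection']:<22} {d['region_type']}")
```

Run as a script it prints the six dumps in address order: a read-only header page at 0x400000, the single execute-read region at 0x401000 that the "Source File" entry and the IDA plugin snapshot are built from, read-only data at 0x408000 and 0x4FE000, and read-write data in between. Field 6 and the dump id are left undecoded rather than guessed.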

        Execution Graph

        Execution Coverage:27.8%
        Dynamic/Decrypted Code Coverage:59.9%
        Signature Coverage:11.2%
        Total number of Nodes:1071
        Total number of Limit Nodes:47
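The execution graph that follows is the report's interactive call graph serialized as one run of tokens: every node is a numeric id, a code address and an optional label (API names, a summary such as "28 API calls", or an ordinal import such as #17), and every edge is written src->dst. The Python below is an added example, not Joe Sandbox code; it parses that token stream and walks the graph backwards from a chosen API so you can list the entry points that reach a sink such as ExitWindowsEx. The embedded excerpt is taken from this report's graph (nodes 3600 to 3611 and 4239) with unrelated interleaved edges dropped; the token grammar is inferred from the dump and is an assumption.

```python
"""Parse a Joe Sandbox execution_graph token dump and trace paths to an API.

Assumed token grammar (inferred from the report, not a documented format):
  node : <decimal id> <hex address> [label tokens ...]
  edge : <src id>-><dst id>
Label tokens are API names, "N API calls", or an ordinal import like #17.
"""
import re
from collections import defaultdict, deque

NODE_ID = re.compile(r"^\d{1,5}$")            # node ids are short decimals
HEX_ADDR = re.compile(r"^[0-9a-fA-F]{6,8}$")  # code addresses, e.g. 1002292
EDGE = re.compile(r"^(\d+)->(\d+)$")

# Excerpt of this report's graph: nodes 3600-3611 and 4239 (the path to
# ExitWindowsEx); unrelated interleaved edges were dropped for brevity.
EXCERPT = (
    "execution_graph 3600 1002251 3601 1002261 3600->3601 3602 100225c "
    "3600->3602 3604 1002288 3601->3604 3605 100226c 3601->3605 3609 10022a3 "
    "3601->3609 3603 100221e 17 API calls 3602->3603 3603->3601 "
    "3606 1002292 ExitWindowsEx 3604->3606 3607 100229e 3604->3607 "
    "3608 1003ebe 28 API calls 3605->3608 3606->3609 "
    "4239 10019c3 GetCurrentProcess OpenProcessToken 3607->4239 "
    "3611 1002283 3608->3611 3609->3491 3611->3604 3611->3609"
)


def parse_execution_graph(text):
    """Return ({id: (address, label)}, [(src, dst), ...])."""
    tokens = text.split()
    nodes, edges, current = {}, [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and HEX_ADDR.match(tokens[i + 1]):
            # A short decimal followed by a hex address opens a new node.
            # A bare count such as "17" in "17 API calls" is followed by
            # "API", not an address, so it stays part of the label.
            current = int(tok)
            nodes[current] = [int(tokens[i + 1], 16), []]
            i += 2
        else:
            if current is not None:
                nodes[current][1].append(tok)  # label text of the open node
            i += 1
    return {n: (addr, " ".join(lbl)) for n, (addr, lbl) in nodes.items()}, edges


def nodes_calling(nodes, api):
    """Ids of nodes whose label names `api` as a whole token."""
    return sorted(n for n, (_, label) in nodes.items() if api in label.split())


def call_chains_to(nodes, edges, api):
    """Every root-to-sink chain ending in a node that calls `api`.

    Walks predecessors breadth-first; a node already on the chain is not
    revisited, which cuts loops in the graph.
    """
    preds = defaultdict(list)
    for src, dst in edges:
        preds[dst].append(src)
    chains = []
    for sink in nodes_calling(nodes, api):
        queue = deque([[sink]])
        while queue:
            chain = queue.popleft()
            callers = [p for p in preds[chain[0]] if p not in chain]
            if not callers:
                chains.append(chain)
            for caller in callers:
                queue.append([caller] + chain)
    return chains


def describe(nodes, chain):
    """Render a chain as addresses with labels, e.g. 0x1002288 -> 0x1002292 [ExitWindowsEx]."""
    parts = []
    for n in chain:
        addr, label = nodes.get(n, (None, "outside excerpt"))
        text = f"{addr:#x}" if addr is not None else f"node {n}"
        parts.append(f"{text} [{label}]" if label else text)
    return " -> ".join(parts)


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(EXCERPT)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    for chain in call_chains_to(nodes, edges, "ExitWindowsEx"):
        print(describe(nodes, chain))
```

On the excerpt this yields four chains, all starting at 0x1002251 and ending at the ExitWindowsEx node at 0x1002292; the same parser applied to the full dump below lets you answer "which functions reach this API" without reading the node list by hand. Edges to nodes outside the text you feed it (3609->3491 here) are kept, so partial excerpts still parse.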
        execution_graph 4255 1005670 4256 1005684 4255->4256 4259 10056e9 EndDialog 4255->4259 4257 100582a GetDesktopWindow 4256->4257 4258 100568f 4256->4258 4260 1002d83 7 API calls 4257->4260 4263 10056a3 4258->4263 4264 100574f GetDlgItemTextA 4258->4264 4277 1005692 4258->4277 4259->4277 4262 100583a SetWindowTextA SendDlgItemMessageA 4260->4262 4265 100586b GetDlgItem EnableWindow 4262->4265 4262->4277 4268 1005735 EndDialog 4263->4268 4269 10056aa 4263->4269 4266 1005771 4264->4266 4267 10057b5 4264->4267 4265->4277 4270 1002c57 lstrlenA 4266->4270 4272 1003ebe 28 API calls 4267->4272 4268->4277 4271 10056b5 LoadStringA 4269->4271 4269->4277 4273 1005777 4270->4273 4274 10056d5 4271->4274 4275 10056ef 4271->4275 4272->4277 4273->4267 4278 100577f GetFileAttributesA 4273->4278 4279 1003ebe 28 API calls 4274->4279 4297 1004e73 LoadLibraryA 4275->4297 4281 10057c1 4278->4281 4282 100578d 4278->4282 4279->4259 4284 10066cf 2 API calls 4281->4284 4285 1003ebe 28 API calls 4282->4285 4283 1005707 SetDlgItemTextA 4283->4277 4286 100571c 4283->4286 4287 10057cd 4284->4287 4288 10057a0 4285->4288 4289 1003ebe 28 API calls 4286->4289 4290 10044bd 40 API calls 4287->4290 4288->4277 4291 10057a9 CreateDirectoryA 4288->4291 4289->4259 4292 10057d3 4290->4292 4291->4267 4291->4281 4292->4267 4293 10057e3 4292->4293 4294 100456a 44 API calls 4293->4294 4295 1005802 4294->4295 4295->4277 4296 1005806 EndDialog 4295->4296 4296->4277 4298 1004e98 GetProcAddress 4297->4298 4299 1004f8f 4297->4299 4300 1004eb1 GetProcAddress 4298->4300 4301 1004f7c FreeLibrary 4298->4301 4303 1003ebe 28 API calls 4299->4303 4300->4301 4302 1004ec4 GetProcAddress 4300->4302 4301->4299 4302->4301 4305 1004ed7 4302->4305 4304 1004fa1 4303->4304 4304->4277 4304->4283 4306 1004ee4 GetTempPathA lstrlenA CharPrevA 4305->4306 4307 1004f14 4305->4307 4306->4307 4308 1004f0b CharPrevA 4306->4308 4309 1004f6a FreeLibrary 4307->4309 4310 1004f64 4307->4310 4311 1004f5c lstrcpyA 4307->4311 4308->4307 
4309->4304 4310->4309 4311->4310 4312 1003bf2 lstrcpyA 4313 10066cf 2 API calls 4312->4313 4314 1003c44 CreateFileA 4313->4314 4315 1003c67 4314->4315 4316 1003c79 WriteFile 4314->4316 4319 10064de 4 API calls 4315->4319 4317 1003c90 CloseHandle 4316->4317 4317->4315 4320 1003cc3 4319->4320 4321 1003165 4322 10031b1 SetFilePointer 4321->4322 4324 100317f 4321->4324 4322->4324 4325 1002fe5 4326 1003042 ReadFile 4325->4326 4327 1002ffe 4325->4327 4328 100305e 4326->4328 4329 1003df6 SendDlgItemMessageA 4330 1003e1d 4329->4330 3110 1002c18 3111 1002c36 CallWindowProcA 3110->3111 3112 1002c26 3110->3112 3113 1002c32 3111->3113 3112->3111 3112->3113 4331 1003e28 4332 1003ea6 EndDialog 4331->4332 4333 1003e36 4331->4333 4334 1003e40 4332->4334 4335 1003e6f GetDesktopWindow 4333->4335 4338 1003e3d 4333->4338 4336 1002d83 7 API calls 4335->4336 4337 1003e7f SetWindowTextA SetDlgItemTextA SetForegroundWindow 4336->4337 4337->4334 4338->4334 4339 1003e61 EndDialog 4338->4339 4339->4334 4340 1002d5a 4341 1002d65 SendMessageA 4340->4341 4342 1002d78 4340->4342 4341->4342 3114 100589b 3115 10058ad 3114->3115 3116 1005a0b 3114->3116 3115->3116 3117 10058c1 3115->3117 3118 1005964 GetDesktopWindow 3115->3118 3119 1005a1f EndDialog 3116->3119 3129 10058cb 3116->3129 3120 10058f4 3117->3120 3121 10058c4 3117->3121 3138 1002d83 6 API calls 3118->3138 3119->3129 3124 1005901 ResetEvent 3120->3124 3120->3129 3123 10058d2 TerminateThread KiUserCallbackDispatcher 3121->3123 3121->3129 3123->3129 3141 1003ebe 3124->3141 3125 100597b 3126 10059c4 SetWindowTextA CreateThread 3125->3126 3127 1005985 GetDlgItem SendMessageA GetDlgItem SendMessageA 3125->3127 3126->3129 3130 10059ed 3126->3130 3206 1005190 3126->3206 3127->3126 3132 1003ebe 28 API calls 3130->3132 3134 10059fd EndDialog 3132->3134 3133 1005942 SetEvent 3168 1002c91 3133->3168 3134->3129 3135 1005931 SetEvent 3135->3129 3139 1002e06 SetWindowPos 3138->3139 3139->3125 3142 1003f04 3141->3142 3143 1003f61 3141->3143 3175 1002ece 
3142->3175 3195 10064de 3143->3195 3147 1004096 3147->3133 3147->3135 3148 1003f21 3178 10068b3 3148->3178 3149 1003f69 3150 1003f72 lstrlenA lstrlenA lstrlenA LocalAlloc 3149->3150 3151 1003fbd 3149->3151 3150->3143 3153 1003fa3 wsprintfA 3150->3153 3154 1004000 lstrlenA LocalAlloc 3151->3154 3155 1003fc1 lstrlenA lstrlenA LocalAlloc 3151->3155 3156 100402f MessageBeep 3153->3156 3154->3143 3158 1004021 lstrcpyA 3154->3158 3155->3143 3157 1003fec wsprintfA 3155->3157 3161 10068b3 10 API calls 3156->3161 3157->3156 3158->3156 3159 1003f39 MessageBoxA 3159->3143 3164 100403d 3161->3164 3165 1004050 MessageBoxA LocalFree 3164->3165 3167 100685e EnumResourceLanguagesA 3164->3167 3165->3143 3167->3165 3169 1002caa MsgWaitForMultipleObjects 3168->3169 3170 1002cc1 PeekMessageA 3169->3170 3171 1002cf7 3169->3171 3170->3169 3172 1002ccf 3170->3172 3171->3119 3172->3169 3172->3171 3173 1002cda DispatchMessageA 3172->3173 3174 1002ce4 PeekMessageA 3172->3174 3173->3174 3174->3172 3176 1002ef1 3175->3176 3177 1002edb LoadStringA 3175->3177 3176->3148 3176->3149 3177->3176 3179 10068e4 GetVersionExA 3178->3179 3180 10069ac 3178->3180 3179->3180 3182 100690a 3179->3182 3181 10064de 4 API calls 3180->3181 3183 1003f26 3181->3183 3182->3180 3184 1006931 GetSystemMetrics 3182->3184 3183->3159 3189 100685e 3183->3189 3184->3180 3185 1006941 RegOpenKeyExA 3184->3185 3185->3180 3186 1006963 RegQueryValueExA RegCloseKey 3185->3186 3186->3180 3187 100699c 3186->3187 3200 100678f 3187->3200 3190 1006897 3189->3190 3191 100686c 3189->3191 3190->3159 3204 1006822 EnumResourceLanguagesA 3191->3204 3193 1006883 3193->3190 3205 1006822 EnumResourceLanguagesA 3193->3205 3196 10064e6 3195->3196 3197 10064ef SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 3195->3197 3196->3197 3198 10064ee 3196->3198 3197->3147 3198->3147 3201 100679a 3200->3201 3202 10067c6 CharNextA 3201->3202 3203 10067d4 3201->3203 3202->3201 3203->3180 3204->3193 3205->3190 3229 
10032ff 3206->3229 3208 1005195 3209 1005199 3208->3209 3210 10051d2 3208->3210 3211 10051a8 GetDlgItem ShowWindow GetDlgItem ShowWindow 3208->3211 3232 10042a4 3210->3232 3211->3210 3213 10051e1 3214 1003ebe 28 API calls 3213->3214 3216 1005270 3214->3216 3215 10051dd 3215->3213 3240 1007af5 3215->3240 3217 1005272 3216->3217 3219 1005288 3217->3219 3220 100527b FreeResource 3217->3220 3222 10052a4 3219->3222 3223 1005294 3219->3223 3220->3219 3221 1005241 3221->3217 3245 100735b 3221->3245 3224 10052c9 3222->3224 3227 10052b6 SendMessageA 3222->3227 3226 1003ebe 28 API calls 3223->3226 3226->3222 3227->3224 3248 1002e55 FindResourceA SizeofResource 3229->3248 3233 10042e5 3232->3233 3234 1004348 3233->3234 3253 10041d8 3233->3253 3234->3215 3236 1004303 3236->3234 3261 1003108 3236->3261 3239 100735b 2 API calls 3239->3234 3242 1007b3a 3240->3242 3241 1007c0c 3241->3221 3242->3241 3277 100502e 3242->3277 3307 100799f 3242->3307 3246 1007309 2 API calls 3245->3246 3247 1005250 3246->3247 3247->3213 3247->3217 3249 1002ea0 FindResourceA LoadResource LockResource 3248->3249 3250 1002e7c 3248->3250 3249->3208 3250->3249 3251 1002e85 FindResourceA LoadResource LockResource 3250->3251 3251->3249 3252 1002ea4 FreeResource 3251->3252 3252->3249 3254 10041e8 3253->3254 3255 1004219 lstrcmpA 3254->3255 3256 10041fd 3254->3256 3258 100426d 3255->3258 3260 1004212 3255->3260 3257 1003ebe 28 API calls 3256->3257 3257->3260 3264 100412e 3258->3264 3260->3236 3262 100313f FindCloseChangeNotification 3261->3262 3263 1003123 3261->3263 3262->3263 3263->3234 3263->3239 3265 100413b 3264->3265 3266 1004143 CreateFileA 3264->3266 3265->3260 3266->3265 3268 10041af 3266->3268 3268->3265 3269 10041b5 3268->3269 3272 1002f6b 3269->3272 3273 1002fd9 CreateFileA 3272->3273 3275 1002f7d 3272->3275 3273->3265 3274 1002fcc CharNextA 3274->3275 3275->3273 3275->3274 3276 1002fbf CreateDirectoryA 3275->3276 3276->3274 3278 1005065 3277->3278 3279 100504e 3277->3279 3281 1005071 3278->3281 
3282 100517a 3278->3282 3280 100505c 3279->3280 3283 1003108 FindCloseChangeNotification 3279->3283 3285 10064de 4 API calls 3280->3285 3281->3280 3286 1005077 3281->3286 3287 10050eb 3281->3287 3346 10032a1 lstrcpyA lstrcpyA lstrcpyA 3282->3346 3283->3280 3290 1005189 3285->3290 3286->3280 3318 1002efd lstrlenA lstrlenA 3286->3318 3288 1005103 3287->3288 3289 10050f4 SetDlgItemTextA 3287->3289 3291 1002efd 8 API calls 3288->3291 3289->3288 3290->3242 3293 100511c 3291->3293 3293->3280 3329 1004faf 3293->3329 3299 10041d8 33 API calls 3301 100514e 3299->3301 3300 1003108 FindCloseChangeNotification 3302 10050c3 3300->3302 3301->3280 3303 100515c 3301->3303 3305 10050d0 SetFileAttributesA 3302->3305 3337 100409f LocalAlloc 3303->3337 3305->3280 3308 10079b5 3307->3308 3309 1007a5c 3307->3309 3357 1007935 3308->3357 3316 100502e 61 API calls 3309->3316 3311 1007a33 3311->3242 3312 10079d5 3312->3311 3314 10079ef 3312->3314 3371 100788d 3312->3371 3314->3309 3314->3311 3315 100788d 6 API calls 3314->3315 3363 1003072 3314->3363 3315->3314 3316->3311 3319 1002f23 lstrcpyA lstrlenA 3318->3319 3320 1002f1f 3318->3320 3321 1002f53 lstrcatA 3319->3321 3322 1002f3a lstrlenA 3319->3322 3320->3280 3324 10031ee 3320->3324 3321->3320 3322->3321 3323 1002f44 lstrlenA lstrlenA 3322->3323 3323->3321 3325 1003209 3324->3325 3326 100320d DosDateTimeToFileTime 3324->3326 3325->3280 3325->3300 3326->3325 3327 1003221 LocalFileTimeToFileTime 3326->3327 3327->3325 3328 1003233 SetFileTime 3327->3328 3328->3325 3347 100672a GetFileAttributesA 3329->3347 3332 100501d 3332->3280 3332->3299 3333 1005011 SetFileAttributesA 3333->3332 3336 100500b 3336->3333 3338 10040d2 lstrlenA LocalAlloc 3337->3338 3339 10040bb 3337->3339 3341 1004107 lstrcpyA 3338->3341 3342 10040e7 3338->3342 3340 1003ebe 28 API calls 3339->3340 3343 10040d0 3340->3343 3341->3343 3344 1003ebe 28 API calls 3342->3344 3343->3280 3345 10040fc LocalFree 3344->3345 3345->3343 3346->3280 3348 1004fc2 3347->3348 3348->3332 
3348->3333 3349 1004819 FindResourceA 3348->3349 3350 1004836 LoadResource 3349->3350 3351 100486b 3349->3351 3350->3351 3353 1004844 DialogBoxIndirectParamA FreeResource 3350->3353 3352 1003ebe 28 API calls 3351->3352 3354 100487b 3352->3354 3353->3351 3356 100487e 3353->3356 3354->3356 3356->3332 3356->3333 3356->3336 3358 1007947 3357->3358 3359 100794c 3357->3359 3358->3312 3359->3358 3379 100766b 3359->3379 3361 100797b 3361->3358 3362 100788d 6 API calls 3361->3362 3362->3358 3364 1002c91 4 API calls 3363->3364 3365 1003082 3364->3365 3366 1003090 WriteFile 3365->3366 3367 100308b 3365->3367 3368 10030b4 3366->3368 3369 10030b9 3366->3369 3367->3314 3368->3314 3369->3368 3370 10030da SendDlgItemMessageA 3369->3370 3370->3368 3372 10078aa 3371->3372 3374 10078b0 3371->3374 3427 1007763 3372->3427 3375 1007908 3374->3375 3376 10078d7 3374->3376 3377 1007763 2 API calls 3374->3377 3375->3312 3376->3375 3431 10071a5 3376->3431 3377->3376 3380 100769d 3379->3380 3382 10076fb 3380->3382 3383 1007309 3380->3383 3382->3361 3384 1007325 3383->3384 3387 1007320 3383->3387 3389 1006ef9 3384->3389 3386 100732b 3386->3387 3397 1006f72 3386->3397 3387->3382 3390 1006f38 3389->3390 3392 1006f14 3389->3392 3394 1006f1d 3390->3394 3407 100328c GlobalFree 3390->3407 3391 1006f5c 3408 100328c GlobalFree 3391->3408 3392->3390 3392->3394 3403 1007ea9 3392->3403 3394->3386 3398 1006fa2 3397->3398 3400 1006fdf 3397->3400 3399 1007d6c GlobalAlloc 3398->3399 3398->3400 3402 1006fab 3398->3402 3399->3400 3400->3402 3414 1007d6c 3400->3414 3402->3387 3404 1007ebf 3403->3404 3406 1007eba 3403->3406 3409 1007ee0 3404->3409 3406->3390 3407->3391 3408->3394 3410 1008057 3409->3410 3411 100806d 3410->3411 3413 100328c GlobalFree 3410->3413 3411->3406 3413->3411 3415 1007d87 3414->3415 3416 1007d89 3414->3416 3415->3402 3418 1007dae 3416->3418 3419 1007f7f 3416->3419 3418->3402 3420 1007fd7 3419->3420 3422 1007fdd 3419->3422 3423 1007ff8 3420->3423 3422->3418 3424 1008010 3423->3424 3426 
1003275 GlobalAlloc 3424->3426 3425 100803f 3425->3422 3426->3425 3428 10077b1 3427->3428 3429 100766b 2 API calls 3428->3429 3430 1007838 3428->3430 3429->3428 3430->3374 3432 10071c5 3431->3432 3433 10071ce 3431->3433 3432->3433 3435 1007e2e 3432->3435 3433->3375 3436 1007e43 3435->3436 3437 1007e48 3435->3437 3436->3433 3439 1007e53 3437->3439 3440 1007f1c 3437->3440 3439->3433 3441 1007f4a 3440->3441 3444 1008237 3441->3444 3449 100824d 3444->3449 3445 100842c 3462 10094f3 3445->3462 3447 1007f53 3447->3439 3449->3445 3449->3447 3451 1009931 3449->3451 3455 1009862 3449->3455 3452 1009944 3451->3452 3454 100995e 3452->3454 3466 1009b93 3452->3466 3454->3449 3470 1009548 3455->3470 3458 1009548 4 API calls 3459 10098b1 3458->3459 3460 1009548 4 API calls 3459->3460 3461 100988a 3459->3461 3460->3461 3461->3449 3463 1009506 3462->3463 3464 100953e 3462->3464 3463->3464 3474 1008172 3463->3474 3464->3447 3467 1009bc0 3466->3467 3468 10064de SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 3467->3468 3469 1009cb7 3468->3469 3469->3454 3473 1009570 3470->3473 3471 10064de SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 3472 1009855 3471->3472 3472->3458 3472->3461 3473->3471 3475 1008191 3474->3475 3476 10064de SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 3475->3476 3477 100822e 3476->3477 3477->3464 3478 100645c 3499 100646b 3478->3499 3482 10063f7 3482->3482 3483 1006420 GetStartupInfoA 3482->3483 3484 1006434 GetModuleHandleA 3483->3484 3488 100637a 3484->3488 3504 10053fa 3488->3504 3491 10063c2 3492 10063d2 ExitProcess 3491->3492 3493 10063cb CloseHandle 3491->3493 3493->3492 3500 1006483 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 3499->3500 3501 100647c 3499->3501 3503 10064c6 3500->3503 3501->3500 3502 10063e0 GetCommandLineA 3501->3502 3502->3482 3503->3502 3505 1002e55 6 API calls 
3504->3505 3506 100546e 3505->3506 3507 1005578 3506->3507 3508 1005481 CreateEventA SetEvent 3506->3508 3509 1003ebe 28 API calls 3507->3509 3510 1002e55 6 API calls 3508->3510 3537 1005599 3509->3537 3511 10054a8 3510->3511 3512 10054d3 3511->3512 3513 1005563 3511->3513 3514 10054b9 3511->3514 3516 1003ebe 28 API calls 3512->3516 3612 100359c 3513->3612 3518 1002e55 6 API calls 3514->3518 3515 10064de 4 API calls 3519 1005667 3515->3519 3547 10054e3 3516->3547 3521 10054cf 3518->3521 3519->3491 3548 1006205 3519->3548 3521->3512 3523 10054f2 CreateMutexA 3521->3523 3522 1005587 3524 100559e FindResourceA 3522->3524 3525 100558f 3522->3525 3523->3513 3526 100550a GetLastError 3523->3526 3529 10055b5 LoadResource 3524->3529 3530 10055c8 3524->3530 3642 1002a96 3525->3642 3526->3513 3528 1005517 3526->3528 3531 1005520 3528->3531 3532 1005532 3528->3532 3529->3530 3533 10055d0 #17 3530->3533 3534 10055d6 3530->3534 3535 1003ebe 28 API calls 3531->3535 3536 1003ebe 28 API calls 3532->3536 3533->3534 3534->3537 3538 10055de 3534->3538 3541 1005530 3535->3541 3539 1005543 3536->3539 3537->3515 3657 100488c GetVersionExA 3538->3657 3539->3513 3542 1005548 CloseHandle 3539->3542 3541->3542 3542->3537 3546 1004819 32 API calls 3546->3547 3547->3537 3549 1006224 3548->3549 3550 1006243 3548->3550 3551 1006231 3549->3551 3753 10043ec 3549->3753 3556 1006259 3550->3556 3793 100435e 3550->3793 3551->3550 3551->3556 3773 1004bc8 3551->3773 3553 100624c 3553->3556 3808 1005f21 3553->3808 3559 10064de 4 API calls 3556->3559 3561 1006373 3559->3561 3560 1006260 GetSystemDirectoryA 3562 10066cf 2 API calls 3560->3562 3585 1003346 3561->3585 3563 1006287 LoadLibraryA 3562->3563 3564 10062b3 FreeLibrary 3563->3564 3565 100629f GetProcAddress 3563->3565 3567 10062c2 3564->3567 3568 10062da SetCurrentDirectoryA 3564->3568 3565->3564 3566 10062af DecryptFileA 3565->3566 3566->3564 3567->3568 3858 10047b3 GetWindowsDirectoryA 3567->3858 3569 1006301 3568->3569 3570 10062e5 3568->3570 
3572 100630e 3569->3572 3869 1005a36 3569->3869 3571 1003ebe 28 API calls 3570->3571 3574 10062f5 3571->3574 3572->3556 3579 1006329 3572->3579 3878 1001f93 3572->3878 3927 1003aa1 GetLastError 3574->3927 3580 100634b 3579->3580 3887 1005abc 3579->3887 3580->3556 3583 1006360 3580->3583 3581 10062fa 3581->3556 3930 1004de5 3583->3930 3586 10033a5 3585->3586 3587 1003367 3585->3587 3588 1003400 3586->3588 3591 10033c2 lstrcpyA 3586->3591 3590 1003395 LocalFree LocalFree 3587->3590 3593 1003380 SetFileAttributesA DeleteFileA 3587->3593 3589 1003418 3588->3589 4235 1001a5b 3588->4235 3592 10064de 4 API calls 3589->3592 3590->3586 3590->3587 3595 10033e9 SetCurrentDirectoryA 3591->3595 3596 10033dd 3591->3596 3594 1003427 3592->3594 3593->3590 3594->3491 3600 1002251 3594->3600 3599 1002a96 14 API calls 3595->3599 3598 1006666 5 API calls 3596->3598 3598->3595 3599->3588 3601 1002261 3600->3601 3602 100225c 3600->3602 3604 1002288 3601->3604 3605 100226c 3601->3605 3609 10022a3 3601->3609 3603 100221e 17 API calls 3602->3603 3603->3601 3606 1002292 ExitWindowsEx 3604->3606 3607 100229e 3604->3607 3608 1003ebe 28 API calls 3605->3608 3606->3609 4239 10019c3 GetCurrentProcess OpenProcessToken 3607->4239 3611 1002283 3608->3611 3609->3491 3611->3604 3611->3609 3613 10039a1 3612->3613 3622 10035c6 3612->3622 3614 10064de 4 API calls 3613->3614 3616 1003a98 3614->3616 3615 100369d 3615->3613 3618 10036be GetModuleFileNameA 3615->3618 3616->3507 3616->3522 3617 1003600 CharNextA 3617->3622 3619 10036e5 3618->3619 3620 10036dd 3618->3620 3619->3613 3695 1006752 3620->3695 3622->3613 3622->3615 3622->3617 3623 1003708 CharUpperA 3622->3623 3627 10039c9 lstrlenA 3622->3627 3628 1003908 lstrlenA 3622->3628 3631 100384e CharUpperA 3622->3631 3632 100394a CharUpperA 3622->3632 3633 1003819 lstrcmpiA 3622->3633 3634 10038b6 CharUpperA 3622->3634 3635 100662b IsDBCSLeadByte CharNextA 3622->3635 3636 1003972 lstrcpyA 3622->3636 3637 10037a1 CharUpperA 3622->3637 3639 1003517 lstrlenA 
3622->3639 3641 1003a42 lstrcpyA 3622->3641 3704 1002c57 3622->3704 3623->3622 3624 1003a5f 3623->3624 3707 10019a7 3624->3707 3627->3622 3628->3622 3629 1003a74 ExitProcess 3630 1003a6d CloseHandle 3630->3629 3631->3622 3632->3622 3633->3622 3634->3622 3635->3622 3700 10066cf lstrlenA 3636->3700 3637->3622 3639->3622 3641->3622 3643 1002bd9 3642->3643 3646 1002ab5 3642->3646 3644 10064de 4 API calls 3643->3644 3645 1002be3 3644->3645 3645->3537 3646->3643 3647 1002ae4 FindFirstFileA 3646->3647 3647->3643 3648 1002b07 3647->3648 3649 1002b2b lstrcmpA 3648->3649 3650 1002b7d 3648->3650 3652 1002baa FindNextFileA 3648->3652 3655 10066cf 2 API calls 3648->3655 3656 1002a96 6 API calls 3648->3656 3651 1002b37 lstrcmpA 3649->3651 3649->3652 3654 1002b8b SetFileAttributesA DeleteFileA 3650->3654 3651->3648 3651->3652 3652->3648 3653 1002bc5 FindClose RemoveDirectoryA 3652->3653 3653->3643 3654->3652 3655->3648 3656->3648 3658 10048ed 3657->3658 3659 10048cd 3657->3659 3658->3659 3663 100490b 3658->3663 3660 1003ebe 28 API calls 3659->3660 3674 10048e8 3660->3674 3661 10064de 4 API calls 3662 1004bbf 3661->3662 3662->3537 3675 1001760 3662->3675 3664 1004a79 3663->3664 3663->3674 3713 1002410 3663->3713 3666 1004b92 3664->3666 3668 1004ae3 MessageBeep 3664->3668 3664->3674 3667 1003ebe 28 API calls 3666->3667 3667->3674 3669 10068b3 10 API calls 3668->3669 3670 1004af0 3669->3670 3671 1004b03 MessageBoxA 3670->3671 3672 100685e EnumResourceLanguagesA 3670->3672 3671->3674 3672->3671 3674->3661 3676 1001797 3675->3676 3677 100187b 3675->3677 3744 10016b4 LoadLibraryA 3676->3744 3678 10064de 4 API calls 3677->3678 3680 1001896 3678->3680 3680->3537 3680->3546 3682 10017a8 GetCurrentProcess OpenProcessToken 3682->3677 3683 10017c3 GetTokenInformation 3682->3683 3684 100186f CloseHandle 3683->3684 3685 10017df GetLastError 3683->3685 3684->3677 3685->3684 3686 10017ee LocalAlloc 3685->3686 3687 100186e 3686->3687 3688 10017ff GetTokenInformation 3686->3688 3687->3684 3689 
1001812 AllocateAndInitializeSid 3688->3689 3690 1001867 LocalFree 3688->3690 3689->3690 3694 1001833 3689->3694 3690->3687 3691 100185e FreeSid 3691->3690 3692 100183a EqualSid 3693 1001851 3692->3693 3692->3694 3693->3691 3694->3691 3694->3692 3694->3693 3696 1006760 3695->3696 3697 1006782 3696->3697 3699 1006774 CharNextA 3696->3699 3710 10065f6 3696->3710 3697->3619 3699->3696 3701 10066ee 3700->3701 3703 10066e7 3700->3703 3702 10066f6 CharPrevA 3701->3702 3701->3703 3702->3703 3703->3622 3705 1002c64 lstrlenA 3704->3705 3706 1002c70 3704->3706 3705->3706 3706->3622 3708 1003ebe 28 API calls 3707->3708 3709 10019bd 3708->3709 3709->3629 3709->3630 3711 1006604 IsDBCSLeadByte 3710->3711 3712 100660f 3710->3712 3711->3712 3712->3696 3714 1002551 3713->3714 3718 1002432 3713->3718 3715 1002572 3714->3715 3716 1002569 GlobalFree 3714->3716 3715->3664 3716->3715 3718->3714 3719 1002469 GetFileVersionInfoSizeA 3718->3719 3724 100252a GlobalUnlock 3718->3724 3725 1002579 GlobalUnlock 3718->3725 3726 10022ac 3718->3726 3719->3718 3720 1002480 GlobalAlloc 3719->3720 3720->3714 3721 1002494 GlobalLock 3720->3721 3721->3714 3722 10024a5 GetFileVersionInfoA 3721->3722 3723 10024b8 VerQueryValueA 3722->3723 3722->3724 3723->3718 3723->3724 3724->3718 3725->3714 3727 10022db CharUpperA CharNextA CharNextA 3726->3727 3728 10023dc GetSystemDirectoryA 3726->3728 3727->3728 3730 10022ff 3727->3730 3729 10023e6 3728->3729 3731 10023f9 3729->3731 3734 10066cf 2 API calls 3729->3734 3732 10023d0 GetWindowsDirectoryA 3730->3732 3733 1002308 lstrcpyA 3730->3733 3736 10064de 4 API calls 3731->3736 3732->3729 3735 10066cf 2 API calls 3733->3735 3734->3731 3737 1002333 RegOpenKeyExA 3735->3737 3738 1002407 3736->3738 3737->3729 3739 100235b RegQueryValueExA 3737->3739 3738->3718 3740 1002381 3739->3740 3741 10023c2 RegCloseKey 3739->3741 3742 100238a ExpandEnvironmentStringsA 3740->3742 3743 100239d 3740->3743 3741->3729 3742->3743 3743->3741 3745 10016f3 GetProcAddress 3744->3745 
3746 100174a 3744->3746 3747 1001740 FreeLibrary 3745->3747 3748 1001706 AllocateAndInitializeSid 3745->3748 3749 10064de 4 API calls 3746->3749 3747->3746 3748->3747 3750 1001730 FreeSid 3748->3750 3751 1001757 3749->3751 3750->3747 3751->3677 3751->3682 3754 1002e55 6 API calls 3753->3754 3755 1004404 LocalAlloc 3754->3755 3756 1004433 3755->3756 3757 1004417 3755->3757 3759 1002e55 6 API calls 3756->3759 3758 1003ebe 28 API calls 3757->3758 3760 1004427 3758->3760 3761 100443d 3759->3761 3762 1003aa1 3 API calls 3760->3762 3763 1004441 3761->3763 3764 1004464 lstrcmpA 3761->3764 3772 100442c 3762->3772 3767 1003ebe 28 API calls 3763->3767 3765 1004480 3764->3765 3766 1004474 LocalFree 3764->3766 3769 1003ebe 28 API calls 3765->3769 3770 100447b 3766->3770 3768 1004451 LocalFree 3767->3768 3768->3770 3771 1004491 LocalFree 3769->3771 3770->3551 3771->3772 3772->3770 3774 1002e55 6 API calls 3773->3774 3775 1004bdc LocalAlloc 3774->3775 3776 1004bf3 3775->3776 3777 1004c0f 3775->3777 3779 1003ebe 28 API calls 3776->3779 3778 1002e55 6 API calls 3777->3778 3780 1004c17 3778->3780 3781 1004c03 3779->3781 3782 1004c43 lstrcmpA 3780->3782 3783 1004c1b 3780->3783 3784 1003aa1 3 API calls 3781->3784 3786 1004c90 LocalFree 3782->3786 3787 1004c58 3782->3787 3785 1003ebe 28 API calls 3783->3785 3788 1004c08 3784->3788 3790 1004c2b LocalFree 3785->3790 3789 1004c82 3786->3789 3791 1004819 32 API calls 3787->3791 3788->3789 3789->3550 3790->3789 3792 1004c70 LocalFree 3791->3792 3792->3789 3794 1002e55 6 API calls 3793->3794 3795 1004372 3794->3795 3796 1004379 3795->3796 3797 10043af 3795->3797 3798 1003ebe 28 API calls 3796->3798 3799 1002e55 6 API calls 3797->3799 3800 1004389 3798->3800 3801 10043c0 3799->3801 3802 10043de 3800->3802 3943 1003ac7 wsprintfA FindResourceA 3801->3943 3802->3553 3805 10043e2 3805->3553 3806 10043ce 3807 1003ebe 28 API calls 3806->3807 3807->3802 3809 1002e55 6 API calls 3808->3809 3810 1005f46 LocalAlloc 3809->3810 3811 1005f5c 3810->3811 
3812 1005f7d 3810->3812 3813 1003ebe 28 API calls 3811->3813 3814 1002e55 6 API calls 3812->3814 3816 1005f6c 3813->3816 3815 1005f85 3814->3815 3817 1005f89 3815->3817 3818 1005fac lstrcmpA 3815->3818 3819 1003aa1 3 API calls 3816->3819 3820 1003ebe 28 API calls 3817->3820 3821 1005fc5 LocalFree 3818->3821 3822 1005fbf 3818->3822 3823 1005f71 3819->3823 3824 1005f99 LocalFree 3820->3824 3825 1006010 3821->3825 3826 1005fd5 3821->3826 3822->3821 3849 1005f76 3823->3849 3824->3849 3827 10061d5 3825->3827 3828 100602a GetTempPathA 3825->3828 3832 10052d4 66 API calls 3826->3832 3829 1004819 32 API calls 3827->3829 3831 100603f 3828->3831 3837 100605e 3828->3837 3829->3849 3830 10064de 4 API calls 3833 10061fe 3830->3833 3952 10052d4 3831->3952 3835 1005ff7 3832->3835 3833->3556 3833->3560 3839 1005ffb 3835->3839 3835->3849 3836 100606f lstrcpyA 3836->3837 3837->3836 3840 1006082 GetDriveTypeA 3837->3840 3841 10061a7 GetWindowsDirectoryA 3837->3841 3837->3849 3842 1003ebe 28 API calls 3839->3842 3843 1006095 GetFileAttributesA 3840->3843 3855 1006090 3840->3855 3991 100456a 3841->3991 3842->3823 3843->3855 3847 100456a 44 API calls 3847->3855 3848 10052d4 66 API calls 3848->3837 3849->3830 3850 1002025 29 API calls 3850->3855 3852 1006128 GetWindowsDirectoryA 3852->3855 3853 10066cf 2 API calls 3853->3855 3855->3837 3855->3843 3855->3847 3855->3849 3855->3850 3855->3852 3855->3853 3856 100616e SetFileAttributesA lstrcpyA 3855->3856 3984 10069ea 3855->3984 3988 1001ff9 GetFileAttributesA 3855->3988 3857 10052d4 66 API calls 3856->3857 3857->3855 3859 10047fa 3858->3859 3860 10047dc 3858->3860 3861 100456a 44 API calls 3859->3861 3862 1003ebe 28 API calls 3860->3862 3863 100480a 3861->3863 3864 10047ec 3862->3864 3865 10064de 4 API calls 3863->3865 3866 1003aa1 3 API calls 3864->3866 3867 1004812 3865->3867 3868 10047f1 3866->3868 3867->3556 3867->3568 3868->3863 3870 1005a3e 3869->3870 3870->3870 3871 1005a85 3870->3871 3872 1005a5e 3870->3872 3873 1005190 84 API calls 
3871->3873 3874 1004819 32 API calls 3872->3874 3875 1005a83 3873->3875 3874->3875 3876 1003ac7 13 API calls 3875->3876 3877 1005a8e 3875->3877 3876->3877 3877->3572 3879 1001fa2 3878->3879 3880 1001fcb 3878->3880 3882 1001fa7 3879->3882 3883 1001fbf 3879->3883 4076 1001e53 GetWindowsDirectoryA 3880->4076 3886 1001fbd 3882->3886 4066 1001edf RegOpenKeyExA 3882->4066 4071 1001f37 RegOpenKeyExA 3883->4071 3886->3579 3888 1005af2 3887->3888 3907 1005b2d 3887->3907 3889 1002e55 6 API calls 3888->3889 3891 1005b03 3889->3891 3890 1005c7b lstrcpyA 3890->3907 3892 1005b0c 3891->3892 3891->3907 3893 1003ebe 28 API calls 3892->3893 3924 1005b1c 3893->3924 3894 1002e55 6 API calls 3894->3907 3895 1005c5a 3897 1003ebe 28 API calls 3895->3897 3897->3924 3898 1005c74 3899 10064de 4 API calls 3898->3899 3900 1005e98 3899->3900 3900->3580 3901 1005e7b 3901->3898 4177 1001cf4 3901->4177 3902 1005cbe lstrcmpiA 3902->3901 3902->3907 3904 1005e9a 3906 1003ebe 28 API calls 3904->3906 3910 1005eaa LocalFree 3906->3910 3907->3890 3907->3894 3907->3895 3907->3898 3907->3901 3907->3902 3907->3904 3909 1005d5c 3907->3909 3911 1005e60 LocalFree 3907->3911 3912 1005f0f LocalFree 3907->3912 3916 1005c18 lstrcmpiA 3907->3916 4084 10026e2 3907->4084 4131 1001aa7 RegCreateKeyExA 3907->4131 4154 1004cae 3907->4154 3914 1005d70 GetProcAddress 3909->3914 3915 1005ec1 3909->3915 3925 1005f09 FreeLibrary 3909->3925 3926 1005e3e FreeLibrary 3909->3926 4168 1003ccc lstrcpyA 3909->4168 3910->3898 3911->3901 3911->3907 3912->3898 3914->3909 3918 1005ed7 3914->3918 3917 1003ebe 28 API calls 3915->3917 3916->3907 3919 1005ed5 3917->3919 3920 1003ebe 28 API calls 3918->3920 3921 1005ef2 LocalFree 3919->3921 3922 1005eeb FreeLibrary 3920->3922 3923 1003aa1 3 API calls 3921->3923 3922->3921 3923->3924 3924->3898 3925->3912 3926->3911 3928 1003ab0 GetLastError 3927->3928 3929 1003ab4 GetLastError 3927->3929 3928->3581 3929->3581 3931 1002e55 6 API calls 3930->3931 3932 1004dfd LocalAlloc 3931->3932 3933 
1004e12 3932->3933 3934 1004e24 3932->3934 3935 1003ebe 28 API calls 3933->3935 3936 1002e55 6 API calls 3934->3936 3938 1004e22 3935->3938 3937 1004e2c 3936->3937 3939 1004e30 3937->3939 3940 1004e3c lstrcmpA 3937->3940 3938->3556 3942 1003ebe 28 API calls 3939->3942 3940->3939 3941 1004e60 LocalFree 3940->3941 3941->3938 3942->3941 3944 1003b15 3943->3944 3947 1003b84 3943->3947 3945 1003b1a LoadResource LockResource 3944->3945 3950 1003b95 FreeResource 3944->3950 3951 1003b58 FreeResource wsprintfA FindResourceA 3944->3951 3945->3947 3948 1003b2f lstrlenA 3945->3948 3946 10064de 4 API calls 3949 1003bad 3946->3949 3947->3946 3948->3944 3949->3805 3949->3806 3950->3947 3951->3944 3951->3947 3953 10052f8 3952->3953 3954 100537f lstrcpyA 3952->3954 4021 100342e 3953->4021 3974 100537d 3954->3974 3958 1005313 lstrcpyA 3960 1005371 3958->3960 3961 100532f GetSystemInfo 3958->3961 3968 10066cf 2 API calls 3960->3968 3971 1005347 3961->3971 3962 1005399 CreateDirectoryA 3965 10053c3 3962->3965 3966 10053a5 3962->3966 3963 10053ab 3967 100456a 44 API calls 3963->3967 3964 10053b9 3969 10064de 4 API calls 3964->3969 3973 1003aa1 3 API calls 3965->3973 3966->3963 3972 10053b5 3967->3972 3968->3974 3970 10053f1 3969->3970 3970->3849 3978 1002025 GetWindowsDirectoryA 3970->3978 3971->3960 3975 10066cf 2 API calls 3971->3975 3972->3964 3977 10053d7 RemoveDirectoryA 3972->3977 3976 10053c8 3973->3976 4033 10044bd lstrlenA LocalAlloc 3974->4033 3975->3960 3976->3964 3977->3964 3979 100205e 3978->3979 3980 100204e 3978->3980 3982 10064de 4 API calls 3979->3982 3981 1003ebe 28 API calls 3980->3981 3981->3979 3983 1002076 3982->3983 3983->3837 3983->3848 3985 1006a22 3984->3985 3986 1006a07 GetDiskFreeSpaceA 3984->3986 3985->3855 3986->3985 3987 1006a26 MulDiv 3986->3987 3987->3985 3989 100200c CreateDirectoryA 3988->3989 3990 1002019 3988->3990 3989->3990 3990->3855 3992 100459d GetCurrentDirectoryA SetCurrentDirectoryA 3991->3992 4009 1004595 3991->4009 3993 10045bd 3992->3993 
3994 10045de 3992->3994 3997 1003ebe 28 API calls 3993->3997 4043 1006a45 GetDiskFreeSpaceA 3994->4043 3996 10064de 4 API calls 3999 10047aa 3996->3999 4000 10045cd 3997->4000 3999->3837 4001 1003aa1 3 API calls 4000->4001 4004 10045d2 4001->4004 4002 10045f5 4005 1003aa1 3 API calls 4002->4005 4003 100464d GetVolumeInformationA 4006 10046d3 SetCurrentDirectoryA lstrcpynA 4003->4006 4007 100466b 4003->4007 4004->4009 4010 1004610 GetLastError FormatMessageA 4005->4010 4008 10046f0 4006->4008 4011 1003aa1 3 API calls 4007->4011 4014 1004707 4008->4014 4019 100471c 4008->4019 4009->3996 4012 10046bf 4010->4012 4013 1004684 GetLastError FormatMessageA 4011->4013 4015 1003ebe 28 API calls 4012->4015 4013->4012 4016 1003ebe 28 API calls 4014->4016 4017 10046c5 SetCurrentDirectoryA 4015->4017 4018 1004717 4016->4018 4017->4009 4018->4019 4019->4009 4046 10020a4 4019->4046 4022 1003458 wsprintfA lstrcpyA 4021->4022 4023 10066cf 2 API calls 4022->4023 4024 100348c RemoveDirectoryA GetFileAttributesA 4023->4024 4025 10034a5 4024->4025 4026 10034af CreateDirectoryA 4024->4026 4025->4022 4027 10034ad GetTempFileNameA 4025->4027 4026->4027 4028 10034b8 4026->4028 4027->4028 4030 10034e7 DeleteFileA CreateDirectoryA 4027->4030 4031 10064de 4 API calls 4028->4031 4030->4028 4032 100350e 4031->4032 4032->3958 4032->3964 4034 10044e4 4033->4034 4035 1004507 lstrcpyA 4033->4035 4036 1003ebe 28 API calls 4034->4036 4037 10066cf 2 API calls 4035->4037 4042 10044f4 4036->4042 4038 100451d CreateFileA LocalFree 4037->4038 4040 1004541 CloseHandle GetFileAttributesA 4038->4040 4038->4042 4039 1003aa1 3 API calls 4041 10044f9 4039->4041 4040->4042 4041->3962 4041->3963 4042->4039 4042->4041 4044 1006a7a MulDiv 4043->4044 4045 10045eb 4043->4045 4044->4045 4045->4002 4045->4003 4047 10020f1 4046->4047 4048 10020cd 4046->4048 4050 1002126 4047->4050 4051 10020f7 4047->4051 4063 100207f wsprintfA 4048->4063 4052 10020ef 4050->4052 4065 100207f wsprintfA 4050->4065 4064 100207f wsprintfA 
4051->4064 4056 10064de 4 API calls 4052->4056 4053 10020e3 4057 1003ebe 28 API calls 4053->4057 4060 1002166 4056->4060 4057->4052 4058 100210e 4061 1003ebe 28 API calls 4058->4061 4059 1002140 4062 1003ebe 28 API calls 4059->4062 4060->4009 4061->4052 4062->4052 4063->4053 4064->4058 4065->4059 4067 1001f07 RegQueryValueExA 4066->4067 4068 1001f2a 4066->4068 4069 1001f21 RegCloseKey 4067->4069 4070 1001f1e 4067->4070 4068->3886 4069->4068 4070->4069 4072 1001f86 4071->4072 4073 1001f5f RegQueryInfoKeyA 4071->4073 4072->3886 4074 1001f7a 4073->4074 4075 1001f7d RegCloseKey 4073->4075 4074->4075 4075->4072 4077 1001e81 4076->4077 4078 1001ecc 4076->4078 4080 10066cf 2 API calls 4077->4080 4079 10064de 4 API calls 4078->4079 4081 1001ed8 4079->4081 4082 1001e93 WritePrivateProfileStringA _lopen 4080->4082 4081->3886 4082->4078 4083 1001eb9 _llseek _lclose 4082->4083 4083->4078 4085 1002726 4084->4085 4188 1001942 4085->4188 4090 1002791 lstrcpyA 4093 100278f 4090->4093 4091 1002775 lstrcpyA 4092 10066cf 2 API calls 4091->4092 4092->4093 4094 1006752 2 API calls 4093->4094 4095 10027a1 4094->4095 4096 10027b1 lstrcmpiA 4095->4096 4097 1002959 4095->4097 4096->4097 4098 10027c1 4096->4098 4099 1006752 2 API calls 4097->4099 4100 100672a GetFileAttributesA 4098->4100 4101 1002961 4099->4101 4102 10027cd 4100->4102 4103 10029c2 LocalAlloc 4101->4103 4104 1002965 lstrcmpiA 4101->4104 4105 10027d1 4102->4105 4109 1001942 2 API calls 4102->4109 4103->4105 4107 10029f1 GetFileAttributesA 4103->4107 4104->4103 4106 1002971 lstrlenA lstrlenA LocalAlloc 4104->4106 4112 1003ebe 28 API calls 4105->4112 4106->4105 4108 10029ab wsprintfA 4106->4108 4116 1002a03 4107->4116 4128 1002a29 4107->4128 4110 1002a71 4108->4110 4111 1002803 lstrlenA 4109->4111 4118 10064de 4 API calls 4110->4118 4113 1002840 4111->4113 4114 1002816 4111->4114 4129 10028bb 4112->4129 4115 1002846 LocalAlloc 4113->4115 4120 1001942 2 API calls 4114->4120 4115->4105 4119 1002861 GetPrivateProfileIntA 
GetPrivateProfileStringA 4115->4119 4116->4128 4121 1002a8d 4118->4121 4124 10028f3 4119->4124 4119->4129 4123 1002831 4120->4123 4121->3907 4123->4115 4125 100283b lstrlenA 4123->4125 4126 1002922 wsprintfA 4124->4126 4127 1002903 GetShortPathNameA 4124->4127 4125->4115 4126->4110 4127->4126 4197 1002589 4128->4197 4129->4110 4135 1001b20 4131->4135 4139 1001ce2 4131->4139 4132 1001b32 wsprintfA RegQueryValueExA 4134 1001b70 4132->4134 4132->4135 4133 10064de 4 API calls 4136 1001ced 4133->4136 4137 1001b90 GetSystemDirectoryA 4134->4137 4138 1001b78 RegCloseKey 4134->4138 4135->4132 4135->4134 4136->3907 4140 10066cf 2 API calls 4137->4140 4138->4139 4139->4133 4141 1001bb7 LoadLibraryA 4140->4141 4142 1001c1a GetModuleFileNameA 4141->4142 4143 1001bce GetProcAddress FreeLibrary 4141->4143 4145 1001c70 RegCloseKey 4142->4145 4146 1001c32 lstrlenA lstrlenA LocalAlloc 4142->4146 4143->4142 4144 1001bf8 GetSystemDirectoryA 4143->4144 4144->4146 4148 1001c06 4144->4148 4145->4139 4147 1001c60 4146->4147 4151 1001c7e wsprintfA lstrlenA RegSetValueExA RegCloseKey LocalFree 4146->4151 4149 1003ebe 28 API calls 4147->4149 4152 10066cf 2 API calls 4148->4152 4149->4145 4151->4139 4153 1001c18 4152->4153 4153->4146 4155 1004dc5 4154->4155 4156 1004cdf CreateProcessA 4154->4156 4159 10064de 4 API calls 4155->4159 4157 1004d84 4156->4157 4158 1004d05 WaitForSingleObject GetExitCodeProcess 4156->4158 4161 1003aa1 3 API calls 4157->4161 4162 1004d34 4158->4162 4160 1004ddc 4159->4160 4160->3907 4164 1004d89 GetLastError FormatMessageA 4161->4164 4224 1002d03 4162->4224 4166 1003ebe 28 API calls 4164->4166 4166->4155 4167 1004d7a 4167->4155 4169 10066cf 2 API calls 4168->4169 4170 1003d07 GetFileAttributesA 4169->4170 4171 1003d30 LoadLibraryA 4170->4171 4172 1003d19 4170->4172 4174 1003d37 4171->4174 4172->4171 4173 1003d1d LoadLibraryExA 4172->4173 4173->4174 4175 10064de 4 API calls 4174->4175 4176 1003d40 4175->4176 4176->3909 4178 1001e03 4177->4178 4179 1001d16 
RegOpenKeyExA 4177->4179 4181 10064de 4 API calls 4178->4181 4179->4178 4180 1001d3b RegQueryValueExA 4179->4180 4182 1001d70 GetSystemDirectoryA 4180->4182 4183 1001df6 RegCloseKey 4180->4183 4184 1001e0c 4181->4184 4185 1001d9c 4182->4185 4186 1001dae wsprintfA lstrlenA RegSetValueExA 4182->4186 4183->4178 4184->3898 4187 10066cf 2 API calls 4185->4187 4186->4183 4187->4186 4189 1001953 4188->4189 4191 100196a 4189->4191 4193 1001972 4189->4193 4212 100662b 4189->4212 4192 100662b 2 API calls 4191->4192 4191->4193 4192->4191 4194 1001e13 4193->4194 4195 1001e20 lstrlenA 4194->4195 4196 1001e2c 4194->4196 4195->4196 4196->4090 4196->4091 4198 10025b5 4197->4198 4199 10026a9 4197->4199 4198->4199 4200 10025be GetModuleFileNameA 4198->4200 4201 10064de 4 API calls 4199->4201 4200->4199 4210 10025e2 4200->4210 4202 10026b7 4201->4202 4202->4110 4203 10025e9 IsDBCSLeadByte 4203->4210 4204 1002607 CharNextA CharUpperA 4207 1002656 CharUpperA 4204->4207 4204->4210 4205 100268d CharNextA 4206 1002696 CharNextA 4205->4206 4206->4199 4206->4203 4207->4210 4210->4203 4210->4204 4210->4205 4210->4206 4211 1002681 lstrlenA 4210->4211 4217 1006666 lstrlenA CharPrevA 4210->4217 4211->4206 4213 1006636 4212->4213 4214 10065f6 IsDBCSLeadByte 4213->4214 4215 1006648 CharNextA 4213->4215 4216 1006656 4213->4216 4214->4213 4215->4213 4216->4189 4218 1006692 CharPrevA 4217->4218 4219 100669b 4218->4219 4220 100668c 4218->4220 4221 100262a lstrlenA CharPrevA 4219->4221 4222 10066a4 CharPrevA 4219->4222 4223 10066ad CharNextA 4219->4223 4220->4218 4220->4219 4221->4210 4222->4221 4222->4223 4223->4221 4225 1002d16 4224->4225 4227 1002d11 CloseHandle CloseHandle 4224->4227 4228 100221e 4225->4228 4227->4155 4227->4167 4229 1002241 4228->4229 4230 100222d 4228->4230 4229->4227 4232 1001fd9 4230->4232 4233 1001f93 17 API calls 4232->4233 4234 1001fe6 4233->4234 4234->4229 4236 1001aa0 4235->4236 4237 1001a6a RegOpenKeyExA 4235->4237 4236->3589 4237->4236 4238 1001a89 RegDeleteValueA 
RegCloseKey 4237->4238 4238->4236 4240 10019f1 LookupPrivilegeValueA AdjustTokenPrivileges 4239->4240 4241 10019e5 4239->4241 4240->4241 4242 1001a30 ExitWindowsEx 4240->4242 4244 1003ebe 28 API calls 4241->4244 4242->4241 4243 1001a4c 4242->4243 4243->3609 4244->4243 4245 1003d5d 4246 1003d65 4245->4246 4247 1003d72 4246->4247 4248 1003d9c GetDesktopWindow 4246->4248 4251 1003d8b KiUserCallbackDispatcher 4247->4251 4253 1003d94 4247->4253 4249 1002d83 7 API calls 4248->4249 4250 1003dae SetDlgItemTextA SetWindowTextA SetForegroundWindow GetDlgItem 4249->4250 4254 1002bec GetWindowLongA SetWindowLongA 4250->4254 4251->4253 4254->4253 4343 100189d 4344 10018e3 GetDesktopWindow 4343->4344 4345 10018be 4343->4345 4347 1002d83 7 API calls 4344->4347 4346 10018c1 4345->4346 4349 10018d7 EndDialog 4345->4349 4350 10064de 4 API calls 4346->4350 4348 10018f0 LoadStringA SetDlgItemTextA MessageBeep 4347->4348 4348->4346 4349->4346 4351 1001939 4350->4351

        Control-flow Graph

        control_flow_graph 0 10026e2-100272d call 100160f 3 100273c-1002742 0->3 4 100272f-100273a 0->4 5 1002747-1002773 call 1001942 call 1001e13 3->5 4->5 10 1002791-1002793 lstrcpyA 5->10 11 1002775-100278f lstrcpyA call 10066cf 5->11 13 1002799-10027ab call 1006752 10->13 11->13 17 10027b1-10027bb lstrcmpiA 13->17 18 1002959-1002963 call 1006752 13->18 17->18 19 10027c1-10027cf call 100672a 17->19 24 10029c2-10029d8 LocalAlloc 18->24 25 1002965-100296f lstrcmpiA 18->25 26 10027d1-10027e1 19->26 27 10027e6-1002814 call 1001942 lstrlenA 19->27 29 10029f1-1002a01 GetFileAttributesA 24->29 30 10029da-10029df 24->30 25->24 28 1002971-10029a9 lstrlenA * 2 LocalAlloc 25->28 31 10029e4-10029ec call 1003ebe 26->31 41 1002840 27->41 42 1002816-1002818 27->42 28->30 32 10029ab-10029bd wsprintfA 28->32 34 1002a03-1002a05 29->34 35 1002a4b-1002a59 call 100160f 29->35 30->31 45 1002a82-1002a8e call 10064de 31->45 36 1002a71-1002a81 32->36 34->35 40 1002a07-1002a23 call 100160f 34->40 43 1002a5e-1002a6c call 1002589 35->43 36->45 40->43 54 1002a25-1002a27 40->54 47 1002846-100285b LocalAlloc 41->47 49 1002820-1002839 call 1001942 42->49 50 100281a 42->50 43->36 47->30 53 1002861-100286a 47->53 49->47 64 100283b-100283e lstrlenA 49->64 50->49 57 100286c 53->57 58 100286e-10028b9 GetPrivateProfileIntA GetPrivateProfileStringA 53->58 54->43 59 1002a29-1002a49 call 10021e6 * 2 54->59 57->58 62 10028f3-1002901 58->62 63 10028bb-10028c4 58->63 59->43 68 1002922 62->68 69 1002903-1002920 GetShortPathNameA 62->69 66 10028c6 63->66 67 10028c8-10028ee call 10021c4 * 2 63->67 64->47 66->67 67->36 72 100292c-100292e 68->72 69->72 75 1002930 72->75 76 1002932-1002954 wsprintfA 72->76 75->76 76->36
        APIs
        • lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,0100133C,?,00000104,?,00000001,74DEF530,00000000), ref: 0100277B
        • lstrcpyA.KERNEL32(?,?,?,?,0100133C,?,00000104,?,00000001,74DEF530,00000000), ref: 01002793
        • lstrcmpiA.KERNEL32(00000000,.INF), ref: 010027B7
        • lstrlenA.KERNEL32(DefaultInstall,?,01001330,?), ref: 01002810
        • lstrlenA.KERNEL32(?,?,0100132C), ref: 0100283C
        • LocalAlloc.KERNEL32(00000040,00000200), ref: 0100284D
        • GetPrivateProfileIntA.KERNEL32(?,Reboot,00000000,?), ref: 0100287C
        • GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,01001271,?,00000008,?), ref: 010028B1
        • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 0100291A
        • wsprintfA.USER32 ref: 0100294B
        • lstrcmpiA.KERNEL32(00000000,.BAT), ref: 0100296B
        • lstrlenA.KERNEL32(Command.com /c %s), ref: 0100297D
        • lstrlenA.KERNEL32(?), ref: 0100298C
        • LocalAlloc.KERNEL32(00000040,?), ref: 0100299B
        • wsprintfA.USER32 ref: 010029B4
        • LocalAlloc.KERNEL32(00000040,00000400,?,0000002E,?,0000002E), ref: 010029CA
        • GetFileAttributesA.KERNELBASE(?), ref: 010029F8
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: lstrlen$AllocLocal$PrivateProfilelstrcmpilstrcpywsprintf$AttributesFileNamePathShortString
        • String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
        • API String ID: 1934397216-2280873615
        • Opcode ID: 6c011d49d29e131f740ed8dabe1c808832c5922d73e00483e9065f74cfc82ed7
        • Instruction ID: a376eb2aa62e0528c46e6ae682dde744fbc8027db4852c82fdc9f52ca6896b49
        • Opcode Fuzzy Hash: 6c011d49d29e131f740ed8dabe1c808832c5922d73e00483e9065f74cfc82ed7
        • Instruction Fuzzy Hash: BCA191B5900259ABFF32DB648C48EDA7BBDAB94300F0404D5F6C9A7180DBB19AD48F64
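The `control_flow_graph` line above is the text form of the graph: each basic block appears as `id start-end label` and each edge as `a->b`, and the `ref:` addresses in the APIs list fall inside exactly one block's range, so the two listings can be joined. The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample. It parses an excerpt of this function's dump (copied verbatim up to the edge `28->32`, so every edge has both endpoints in the excerpt), maps three of the listed API refs onto their blocks, and walks the shortest path from the entry block to the `wsprintfA` block at 10029ab. That path runs through the block at 1002965, where `lstrcmpiA` compares the extension with `.BAT`, and the block at 1002971, where `lstrlenA` measures `Command.com /c %s`, which is consistent with the .BAT branch formatting that command line around the extracted file. The node grammar (a decimal id followed by an address or range of at least six hex digits) is the editor's inference from this page, not a documented format.

```python
import re
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the control_flow_graph dump for the function at
# 10026e2, copied verbatim from the report and cut after the edge "28->32"
# so that every edge in the excerpt refers to a node in the excerpt.
CFG_EXCERPT = (
    "control_flow_graph 0 10026e2-100272d call 100160f 3 100273c-1002742 0->3 "
    "4 100272f-100273a 0->4 5 1002747-1002773 call 1001942 call 1001e13 3->5 4->5 "
    "10 1002791-1002793 lstrcpyA 5->10 11 1002775-100278f lstrcpyA call 10066cf 5->11 "
    "13 1002799-10027ab call 1006752 10->13 11->13 17 10027b1-10027bb lstrcmpiA 13->17 "
    "18 1002959-1002963 call 1006752 13->18 17->18 19 10027c1-10027cf call 100672a 17->19 "
    "24 10029c2-10029d8 LocalAlloc 18->24 25 1002965-100296f lstrcmpiA 18->25 "
    "26 10027d1-10027e1 19->26 27 10027e6-1002814 call 1001942 lstrlenA 19->27 "
    "29 10029f1-1002a01 GetFileAttributesA 24->29 30 10029da-10029df 24->30 25->24 "
    "28 1002971-10029a9 lstrlenA * 2 LocalAlloc 25->28 31 10029e4-10029ec call 1003ebe 26->31 "
    "41 1002840 27->41 42 1002816-1002818 27->42 28->30 32 10029ab-10029bd wsprintfA 28->32"
)

# Three entries from the same function's APIs list, copied from the report.
API_LINES = """
• lstrcmpiA.KERNEL32(00000000,.BAT), ref: 0100296B
• lstrlenA.KERNEL32(Command.com /c %s), ref: 0100297D
• wsprintfA.USER32 ref: 010029B4
"""

# Assumed grammar (the dump has no documented one): a node is a decimal id
# followed by "start-end" or a single address of 6+ hex digits, an edge is
# "a->b", and every other token belongs to the label of the latest node.
RANGE = re.compile(r"^([0-9a-f]{6,})(?:-([0-9a-f]{6,}))?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
API_REF = re.compile(r"(\w+)\.\w+.*?ref:\s*([0-9A-Fa-f]+)")

Node = Tuple[int, int, str]  # (start address, end address, label)


def parse_cfg(dump: str) -> Tuple[Dict[int, Node], Dict[int, List[int]]]:
    tokens = dump.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph dump")
    nodes: Dict[int, list] = {}
    succ: Dict[int, List[int]] = {}
    cur = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        edge = EDGE.match(tok)
        rng = RANGE.match(nxt) if tok.isdigit() else None
        if edge:
            succ.setdefault(int(edge.group(1)), []).append(int(edge.group(2)))
            i += 1
        elif rng:  # decimal id + address (range): a new block
            cur = int(tok)
            start = int(rng.group(1), 16)
            end = int(rng.group(2) or rng.group(1), 16)
            nodes[cur] = [start, end, []]
            i += 2
        else:  # "call <addr>", API names, "* 2" multiplicity markers
            if cur is None:
                raise ValueError(f"label token {tok!r} before any node")
            nodes[cur][2].append(tok)
            i += 1
    return {k: (s, e, " ".join(lbl)) for k, (s, e, lbl) in nodes.items()}, succ


def block_of(nodes: Dict[int, Node], addr: int) -> Optional[int]:
    """Map an instruction address (an API 'ref') onto the block containing it."""
    for nid, (start, end, _) in nodes.items():
        if start <= addr <= end:
            return nid
    return None


def api_blocks(nodes: Dict[int, Node], api_text: str) -> List[Tuple[str, Optional[int]]]:
    out = []
    for line in api_text.splitlines():
        m = API_REF.search(line)
        if m:
            out.append((m.group(1), block_of(nodes, int(m.group(2), 16))))
    return out


def shortest_path(succ: Dict[int, List[int]], src: int, dst: int) -> Optional[List[int]]:
    """Breadth-first search over successors, in the order the dump lists edges."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for s in succ.get(n, []):
            if s not in prev:
                prev[s] = n
                queue.append(s)
    return None


def path_to_api(nodes, succ, api_text: str, api: str) -> Optional[List[str]]:
    """Block start addresses (hex) from the entry block to the block calling `api`."""
    targets = [b for a, b in api_blocks(nodes, api_text) if a == api and b is not None]
    path = shortest_path(succ, 0, targets[0]) if targets else None
    return [format(nodes[n][0], "x") for n in path] if path else None


if __name__ == "__main__":
    nodes, succ = parse_cfg(CFG_EXCERPT)
    print(api_blocks(nodes, API_LINES))
    print(" -> ".join(path_to_api(nodes, succ, API_LINES, "wsprintfA")))
```

Feed `parse_cfg` the whole dump line to get the complete graph; `block_of` is linear in the number of blocks, which is fine for a function-sized graph, and the `* 2` multiplicity marker that the dump attaches to repeated calls is kept as label text rather than interpreted.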

        Control-flow Graph

        APIs
        • GetCurrentDirectoryA.KERNEL32(00000104,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,74DE83C0,00000000), ref: 010045AA
        • SetCurrentDirectoryA.KERNELBASE(00000000), ref: 010045B7
        Strings
        • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 0100459D
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: CurrentDirectory
        • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
        • API String ID: 1611563598-305352358
        • Opcode ID: 6a901a27d976f6ecd6b1b3fb4ef83800b97c89f981ca28cfd4edf11155ac7cbc
        • Instruction ID: 32a5e2e07f0e045be28bc8ef6b6c2a76a4ecc1151fd6d71cf5cc981d67540b80
        • Opcode Fuzzy Hash: 6a901a27d976f6ecd6b1b3fb4ef83800b97c89f981ca28cfd4edf11155ac7cbc
        • Instruction Fuzzy Hash: 48519EB2900258AFFB23DB64DC85FFA77ACEB09300F0044A5B799D61C5D6759E808F65

        Control-flow Graph

        control_flow_graph 450 10052d4-10052f2 451 10052f8-1005306 call 100342e 450->451 452 100537f-1005386 lstrcpyA 450->452 456 100530b-100530d 451->456 454 100538c-1005397 call 10044bd 452->454 462 1005399-10053a3 CreateDirectoryA 454->462 463 10053ab-10053b0 call 100456a 454->463 457 1005313-100532d lstrcpyA 456->457 458 10053e4 456->458 460 1005371-100537d call 10066cf 457->460 461 100532f-1005345 GetSystemInfo 457->461 464 10053e6-10053f2 call 10064de 458->464 460->454 465 1005365 461->465 466 1005347-1005348 461->466 467 10053c3-10053cd call 1003aa1 462->467 468 10053a5 462->468 475 10053b5-10053b7 463->475 476 100536a-100536c call 10066cf 465->476 473 100534a-100534b 466->473 474 100535e-1005363 466->474 467->458 468->463 479 1005357-100535c 473->479 480 100534d-100534e 473->480 474->476 481 10053b9-10053c1 475->481 482 10053cf-10053d5 475->482 476->460 479->476 480->460 485 1005350-1005355 480->485 481->464 482->458 486 10053d7-10053de RemoveDirectoryA 482->486 485->476 486->458
        APIs
        • lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000,?,00000104,74DE83C0,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 01005320
        • GetSystemInfo.KERNEL32(?), ref: 01005336
        • lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,74DE83C0,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 01005386
        • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0100539B
          • Part of subcall function 0100342E: wsprintfA.USER32 ref: 01003465
          • Part of subcall function 0100342E: lstrcpyA.KERNEL32(74DE83C0,?), ref: 01003476
          • Part of subcall function 0100342E: RemoveDirectoryA.KERNELBASE(74DE83C0,74DE83C0,00000104,?), ref: 0100348D
          • Part of subcall function 0100342E: GetFileAttributesA.KERNELBASE(74DE83C0), ref: 01003494
          • Part of subcall function 0100342E: GetTempFileNameA.KERNEL32(?,IXP,00000000,74DE83C0), ref: 010034DD
          • Part of subcall function 0100342E: DeleteFileA.KERNEL32(74DE83C0), ref: 010034F2
          • Part of subcall function 0100342E: CreateDirectoryA.KERNEL32(74DE83C0,00000000), ref: 010034FB
        • RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 010053DE
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Directory$Filelstrcpy$CreateRemove$AttributesDeleteInfoNameSystemTempwsprintf
        • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
        • API String ID: 2618030033-3374052426
        • Opcode ID: 5207e9f744ef7db5255fb7e2e18f52085c41d1909f07fa191eb1e1e1ead31f8c
        • Instruction ID: bbe6c97369ec8f106fead77e6623ce3be693c8dab588adb95fac2358924cc935
        • Opcode Fuzzy Hash: 5207e9f744ef7db5255fb7e2e18f52085c41d1909f07fa191eb1e1e1ead31f8c
        • Instruction Fuzzy Hash: 7E31C571904615AAF7239F299C44DEE3BE8BB45355F048069B6C5D60C4DFB9C944CF60

        Control-flow Graph

        control_flow_graph 487 1006205-1006222 488 1006224-100622a 487->488 489 1006247-100624e call 100435e 487->489 490 100622c call 10043ec 488->490 491 100623e call 1004bc8 488->491 496 1006250-1006257 call 1005f21 489->496 497 1006259-100625b 489->497 498 1006231-1006233 490->498 499 1006243-1006245 491->499 496->497 505 1006260-100629d GetSystemDirectoryA call 10066cf LoadLibraryA 496->505 501 100636a-1006374 call 10064de 497->501 498->497 502 1006235-100623c 498->502 499->489 499->497 502->489 502->491 509 10062b3-10062c0 FreeLibrary 505->509 510 100629f-10062ad GetProcAddress 505->510 512 10062c2-10062c8 509->512 513 10062da-10062e3 SetCurrentDirectoryA 509->513 510->509 511 10062af-10062b1 DecryptFileA 510->511 511->509 512->513 516 10062ca call 10047b3 512->516 514 1006301-1006307 513->514 515 10062e5-10062ff call 1003ebe call 1003aa1 513->515 518 1006312-1006319 514->518 519 1006309 call 1005a36 514->519 530 10062d3-10062d5 515->530 525 10062cf-10062d1 516->525 523 1006330 518->523 524 100631b-1006324 call 1001f93 518->524 527 100630e-1006310 519->527 529 1006336-100633c 523->529 535 1006329-100632e 524->535 525->513 525->530 527->518 527->530 531 100633e-1006344 529->531 532 100634f-1006356 529->532 533 1006368-1006369 530->533 531->532 536 1006346 call 1005abc 531->536 537 1006365-1006367 532->537 538 1006358-100635e 532->538 533->501 535->529 541 100634b-100634d 536->541 537->533 538->537 540 1006360 call 1004de5 538->540 540->537 541->530 541->532
        APIs
        • GetSystemDirectoryA.KERNEL32(?,00000105), ref: 0100626F
        • LoadLibraryA.KERNEL32(?,?,00000105,advapi32.dll), ref: 0100628E
        • GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 010062A5
        • DecryptFileA.ADVAPI32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 010062B1
        • FreeLibrary.KERNEL32(00000000), ref: 010062B4
          • Part of subcall function 010043EC: LocalAlloc.KERNEL32(00000040,00000001,UPROMPT,00000000,00000000,00000000,00000000,?,?,?,01006231), ref: 0100440B
        • SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 010062DB
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
        • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
        • API String ID: 2126469477-1173327654
        • Opcode ID: 799601459926c632d555a8d86d08fbf0d875e0935837b017e982ad4550c23b2f
        • Instruction ID: 9140d9ddfa85fbf1d4f936cfa7ace5a96bcd53ce79dc58d3eacbe78f2b8b6b31
        • Opcode Fuzzy Hash: 799601459926c632d555a8d86d08fbf0d875e0935837b017e982ad4550c23b2f
        • Instruction Fuzzy Hash: FB310831900A12AAFB73A775DE409BB37EEEB96351F0441A9E9C1C10C4EF7B8590CB61

        Control-flow Graph

        APIs
        • FindFirstFileA.KERNELBASE(?,?,?,00000104,0100134C,?,00000104,00000000,Microsoft Visual C++ 2005 Redistributable (x86),00000001), ref: 01002AF2
        • lstrcmpA.KERNEL32(?,01001348,?,00000104,00000000,00000000), ref: 01002B31
        • lstrcmpA.KERNEL32(?,01001344), ref: 01002B43
          • Part of subcall function 010066CF: lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9
        • SetFileAttributesA.KERNEL32(?,00000080,?,00000104,?,?,00000104,00000000,00000000), ref: 01002B97
        • DeleteFileA.KERNEL32(?), ref: 01002BA4
        • FindNextFileA.KERNELBASE(?,00000010), ref: 01002BB7
        • FindClose.KERNELBASE(?), ref: 01002BCB
        • RemoveDirectoryA.KERNELBASE(00000000), ref: 01002BD2
        Strings
        • Microsoft Visual C++ 2005 Redistributable (x86), xrefs: 01002ABE
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemovelstrlen
        • String ID: Microsoft Visual C++ 2005 Redistributable (x86)
        • API String ID: 1122447120-813803255
        • Opcode ID: a81c931836a2097e773c8ba7cb58b60a1f9ea69d54bc65de08cbb15ef119736b
        • Instruction ID: 3621ff63f4683dfc0afae3feec3247e592be42cb1084b4f5304d675301ecb420
        • Opcode Fuzzy Hash: a81c931836a2097e773c8ba7cb58b60a1f9ea69d54bc65de08cbb15ef119736b
        • Instruction Fuzzy Hash: 80310D76905159ABEB62DBA4DC88EDE77BDAF64300F1041D1B6C9E2084DBB4DAC4CF60
        APIs
        • FindResourceA.KERNEL32(00000000,?,00000005), ref: 0100482A
        • LoadResource.KERNEL32(00000000,00000000,?,0100563F,000007D6,00000000,0100189D,00000547,0000083E,?,?,00000000), ref: 01004838
        • DialogBoxIndirectParamA.USER32(00000000,00000000,?,0000083E,00000547), ref: 01004857
        • FreeResource.KERNEL32(00000000,?,0100563F,000007D6,00000000,0100189D,00000547,0000083E,?,?,00000000), ref: 01004860
        Strings
        • Microsoft Visual C++ 2005 Redistributable (x86), xrefs: 0100481F
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Resource$DialogFindFreeIndirectLoadParam
        • String ID: Microsoft Visual C++ 2005 Redistributable (x86)
        • API String ID: 1214682469-813803255
        • Opcode ID: b0a883f33820150622e98825acaf097b5103d0973a58d13b59254d27bc385b11
        • Instruction ID: 4d497d838b3866ab934e730ea3745aad8ad4903298c19d052a2ed601619586ec
        • Opcode Fuzzy Hash: b0a883f33820150622e98825acaf097b5103d0973a58d13b59254d27bc385b11
        • Instruction Fuzzy Hash: 3601A2321001AABFEB225FA5AC88CEF7A9DDB85364F010425FB90E3081C6759D10CBE4

        Control-flow Graph

        APIs
        • RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,00000001), ref: 01001B12
        • wsprintfA.USER32 ref: 01001B3E
        • RegQueryValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000000,00000000,?), ref: 01001B58
        • RegCloseKey.ADVAPI32(?), ref: 01001B7E
        • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 01001BA3
        • LoadLibraryA.KERNELBASE(00000000,00000000,00000104,advpack.dll), ref: 01001BBE
        • GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 01001BD4
        • FreeLibrary.KERNELBASE(?), ref: 01001BEE
        • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 01001C00
        • GetModuleFileNameA.KERNEL32(00000000,00000104), ref: 01001C28
        • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01001C3E
        • lstrlenA.KERNEL32(00000000), ref: 01001C49
        • LocalAlloc.KERNEL32(00000040,00000050), ref: 01001C52
        • RegCloseKey.ADVAPI32(?), ref: 01001C76
        • wsprintfA.USER32 ref: 01001CAB
        • lstrlenA.KERNEL32(00000000), ref: 01001CB5
        • RegSetValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000001,00000000,00000001), ref: 01001CC9
        • RegCloseKey.KERNELBASE(?), ref: 01001CD5
        • LocalFree.KERNEL32(00000000), ref: 01001CDC
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Closelstrlen$DirectoryFreeLibraryLocalSystemValuewsprintf$AddressAllocCreateFileLoadModuleNameProcQuery
        • String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
        • API String ID: 3084642846-3726664654
        • Opcode ID: e8e5f3b3c36c9a9120034c916e34edcf0355e3275c331066bd0ee2a15f0c6816
        • Instruction ID: cb456183738a0c10edcd6481a0703a1d73204317f046f42922711a87de10383b
        • Opcode Fuzzy Hash: e8e5f3b3c36c9a9120034c916e34edcf0355e3275c331066bd0ee2a15f0c6816
        • Instruction Fuzzy Hash: 3351737594021CABEB329B65DD88FEA7BBDEB54700F0000D5F689E6185DBB5CA80CF61
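Each entry in the APIs lists has the same shape: an optional `Part of subcall function <addr>:` prefix, `Api.MODULE(arg,...)` with the arguments the sandbox could recover (`?` where it could not), and the `ref:` address of the call. The Python below is an added example, not code from the report or from the analysed sample. It parses that shape and runs three editor-defined triage rules over one function's calls: a write to an autostart key (RegCreateKeyExA or RegOpenKeyExA on a `CurrentVersion\Run*` path followed by RegSetValueExA in the same function), dynamic resolution of an export via LoadLibraryA and GetProcAddress, and the ability to shut the system down. The sample lines are copied from the list above, plus one subcall line copied from the function at 010052D4 to exercise that form; subcall lines are ignored by the rules because the callee has its own listing. On this function the rules surface the `wextract_cleanup0` RunOnce value and the `DelNodeRunDLL32` export of advpack.dll, which together with the `IXP000.TMP` staging directory is the cleanup convention of Microsoft's IExpress (wextract) self-extractor stubs, so these strings alone are a triage lead rather than a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of this report's "APIs" lists: seven lines
# copied from the RunOnce-writing function above, plus one "Part of subcall
# function" line copied from the function at 010052D4 to exercise that form.
SAMPLE = r"""
• RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,00000001), ref: 01001B12
• wsprintfA.USER32 ref: 01001B3E
• RegQueryValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000000,00000000,?), ref: 01001B58
• LoadLibraryA.KERNELBASE(00000000,00000000,00000104,advpack.dll), ref: 01001BBE
• GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 01001BD4
• RegSetValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000001,00000000,00000001), ref: 01001CC9
• RegCloseKey.KERNELBASE(?), ref: 01001CD5
  • Part of subcall function 0100342E: GetTempFileNameA.KERNEL32(?,IXP,00000000,74DE83C0), ref: 010034DD
"""

# Assumed line grammar, inferred from the listings on this page:
#   [• ][Part of subcall function <hex>: ]<Api>.<MODULE>[(<args>)], ref: <hex>
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]      # as printed by the sandbox; "?" = not recovered
    ref: int                   # address of the call instruction
    subcall_of: Optional[int]  # callee address for "Part of subcall function" lines


def parse_api_listing(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings such as "Strings" or "Memory Dump Source"
        raw = m.group("args")
        # A plain comma split is enough for this report: none of its string
        # arguments contain a comma. Quoted arguments would need a tokenizer.
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def triage(calls: List[ApiCall]) -> List[str]:
    """Editor-defined heuristics over one function's own calls. Subcall lines
    are skipped: the callee has its own listing and would otherwise be
    counted once per caller."""
    own = [c for c in calls if c.subcall_of is None]
    findings = []

    # 1. Autostart persistence: a Run/RunOnce/RunServices key is created or
    #    opened in this function and a value is then written.
    run_keys = [a for c in own if c.api in ("RegCreateKeyExA", "RegOpenKeyExA")
                for a in c.args if "CurrentVersion\\Run" in a]
    for c in own:
        if c.api == "RegSetValueExA" and run_keys and len(c.args) > 1:
            findings.append(f"autostart value {c.args[1]!r} written under {run_keys[0]}")

    # 2. Dynamic API resolution: the export is GetProcAddress's second
    #    argument, the module is the LoadLibrary argument ending in .dll.
    dlls = [a for c in own if c.api in ("LoadLibraryA", "LoadLibraryExA")
            for a in c.args if a.lower().endswith(".dll")]
    for c in own:
        if c.api == "GetProcAddress" and len(c.args) > 1 and c.args[1] != "?":
            findings.append(f"resolves {c.args[1]} from {dlls[0] if dlls else '<unknown module>'}")

    # 3. Shutdown capability (ExitWindowsEx, which the report's graph shows
    #    after AdjustTokenPrivileges in another function of this sample).
    if any(c.api == "ExitWindowsEx" for c in own):
        findings.append("can reboot or shut down the host (ExitWindowsEx)")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_api_listing(SAMPLE)):
        print(finding)
```

Feed `parse_api_listing` a function's whole APIs list. Rule 1 deliberately requires both the key open and the value write in the same function, because a RegSetValueExA line on its own (with the handle shown as `?`) says nothing about which key is written.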

        Control-flow Graph

        control_flow_graph 105 1005abc-1005af0 106 1005af2-1005b05 call 1002e55 105->106 107 1005b2d-1005b3a 105->107 115 1005b07-1005b0a 106->115 116 1005b0c-1005b28 call 1003ebe 106->116 108 1005b3b-1005b5e 107->108 110 1005b64-1005b79 call 1002e55 108->110 111 1005c7b-1005c8f lstrcpyA 108->111 123 1005c5a-1005c6a call 1003ebe 110->123 124 1005b7f-1005b82 110->124 113 1005c90-1005c96 111->113 118 1005cd8-1005cf9 call 10026e2 113->118 119 1005c98-1005cb0 call 1002e55 113->119 115->107 115->116 127 1005e8f-1005e99 call 10064de 116->127 136 1005c74-1005c76 118->136 137 1005cff-1005d05 118->137 119->123 133 1005cb2-1005cb8 119->133 123->136 124->123 129 1005b88-1005b91 124->129 134 1005b93-1005b9a 129->134 135 1005b9c-1005ba3 129->135 140 1005e7e-1005e84 133->140 141 1005cbe-1005cd2 lstrcmpiA 133->141 142 1005bc2 134->142 143 1005bb0-1005bb7 135->143 144 1005ba5-1005bae 135->144 138 1005e8d-1005e8e 136->138 145 1005d07-1005d0e 137->145 146 1005d2b-1005d31 137->146 138->127 151 1005e86 call 1001cf4 140->151 152 1005e8b 140->152 141->118 141->140 147 1005bc8-1005bce 142->147 143->147 150 1005bb9 143->150 144->142 145->146 153 1005d10-1005d16 145->153 148 1005e46-1005e53 call 1004cae 146->148 149 1005d37-1005d3d 146->149 147->113 156 1005bd4-1005bdd 147->156 165 1005e58-1005e5a 148->165 157 1005d43-1005d49 149->157 158 1005e9a-1005ebc call 1003ebe LocalFree 149->158 150->142 151->152 152->138 153->146 155 1005d18-1005d1e 153->155 155->149 160 1005d20-1005d26 call 1001aa7 155->160 161 1005c34-1005c3a 156->161 162 1005bdf-1005be1 156->162 157->148 163 1005d4f-1005d56 157->163 158->136 160->146 161->118 171 1005c40-1005c58 call 1002e55 161->171 167 1005be3-1005bed 162->167 168 1005bef-1005bf1 162->168 163->148 169 1005d5c-1005d6a call 1003ccc 163->169 172 1005e60-1005e75 LocalFree 165->172 173 1005f0f-1005f17 LocalFree 165->173 174 1005bfd-1005c16 call 1002e55 167->174 168->174 175 1005bf3 168->175 183 1005d70-1005d7e GetProcAddress 169->183 184 1005ec1-1005ed5 call 
1003ebe 169->184 171->113 171->123 172->108 178 1005e7b-1005e7d 172->178 173->136 174->123 185 1005c18-1005c2c lstrcmpiA 174->185 175->174 178->140 187 1005d84-1005dd7 183->187 188 1005ed7-1005eec call 1003ebe FreeLibrary 183->188 194 1005ef2-1005f04 LocalFree call 1003aa1 184->194 185->161 189 1005c2e 185->189 191 1005de0-1005de9 187->191 192 1005dd9 187->192 188->194 189->161 195 1005df2-1005df5 191->195 196 1005deb 191->196 192->191 194->136 199 1005df7 195->199 200 1005dfe-1005e07 195->200 196->195 199->200 202 1005e10-1005e12 200->202 203 1005e09 200->203 204 1005e14 202->204 205 1005e1b-1005e38 202->205 203->202 204->205 207 1005f09 FreeLibrary 205->207 208 1005e3e-1005e44 FreeLibrary 205->208 207->173 208->172
        APIs
        • lstrcpyA.KERNEL32(?,0100CAA2,00000000,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01005C87
        • lstrcmpiA.KERNEL32(?,<None>), ref: 01005C24
          • Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E6B
          • Part of subcall function 01002E55: SizeofResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E6F
          • Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E8B
          • Part of subcall function 01002E55: LoadResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E8F
          • Part of subcall function 01002E55: LockResource.KERNEL32(00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E96
        • lstrcmpiA.KERNEL32(?,<None>), ref: 01005CCA
        • GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 01005D76
        • FreeLibrary.KERNEL32(00000000), ref: 01005E3E
        • LocalFree.KERNEL32(?,?,00000044,?,00000104,?,?), ref: 01005E66
        • LocalFree.KERNEL32(?,00000000,000004C7,00000000,00000000,00000010,00000000,?,00000104,?,?), ref: 01005EB0
        • FreeLibrary.KERNEL32(00000000,00000000,000004C9,DoInfInstall,00000000,00000010,00000000), ref: 01005EEC
        • LocalFree.KERNEL32(?,00000000,000004C8,advpack.dll,00000000,00000010,00000000,advpack.dll,?,00000104,?,?), ref: 01005EF8
        • FreeLibrary.KERNEL32(00000000), ref: 01005F09
        • LocalFree.KERNEL32(?,?,00000044,?,00000104,?,?), ref: 01005F15
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Free$Resource$Local$Library$Findlstrcmpi$AddressLoadLockProcSizeoflstrcpy
        • String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$D$DoInfInstall$Microsoft Visual C++ 2005 Redistributable (x86)$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll
        • API String ID: 770626793-2129721420
        • Opcode ID: cc61a717c1ac84a9bdfc436f46c8520804baf07a4835fa07c55533f653c16650
        • Instruction ID: c2c6c5684892b5d7fa573e4d2de66b3b8837dd926b255ab3696fc0a2f468da05
        • Opcode Fuzzy Hash: cc61a717c1ac84a9bdfc436f46c8520804baf07a4835fa07c55533f653c16650
        • Instruction Fuzzy Hash: 30B1BF7090025C9EFF779B258D85BEA7BB8AB09304F0041EAE6C9A61C0DBB54EC5CF55

        Control-flow Graph

        APIs
          • Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E6B
          • Part of subcall function 01002E55: SizeofResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E6F
          • Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E8B
          • Part of subcall function 01002E55: LoadResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E8F
          • Part of subcall function 01002E55: LockResource.KERNEL32(00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E96
        • LocalAlloc.KERNEL32(00000040,00000001,RUNPROGRAM,00000000,00000000,00000000,00000000), ref: 01005F4E
        • lstrcmpA.KERNEL32(00000000,<None>,RUNPROGRAM,00000000,00000000), ref: 01005FB2
        • LocalFree.KERNEL32(00000000), ref: 01005FC6
        • LocalFree.KERNEL32(00000000,00000000,000004B1,00000000,00000000,00000010,00000000,RUNPROGRAM,00000000,00000000), ref: 01005F9A
          • Part of subcall function 01003EBE: MessageBoxA.USER32(?,?,Microsoft Visual C++ 2005 Redistributable (x86),00000000), ref: 01003F5B
          • Part of subcall function 01003AA1: GetLastError.KERNEL32(74E04B00,01004684), ref: 01003AAA
          • Part of subcall function 01003AA1: GetLastError.KERNEL32 ref: 01003AB0
        • GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01006035
        • lstrcpyA.KERNEL32(?,A:\), ref: 0100607B
        • GetDriveTypeA.KERNEL32(0000005A), ref: 01006083
        • GetFileAttributesA.KERNEL32(0000005A), ref: 0100609C
        • GetWindowsDirectoryA.KERNEL32(0000005A,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,00000000), ref: 010061AD
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Resource$Local$ErrorFindFreeLast$AllocAttributesDirectoryDriveFileLoadLockMessagePathSizeofTempTypeWindowslstrcmplstrcpy
        • String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
        • API String ID: 535033332-2740620654
        • Opcode ID: 72180e447f72e634df863711cb3eef120908db6c341b2da6da5b2c7871772f1b
        • Instruction ID: 567b5bc756c7a10916d387d21bd88499efbec6f747d449020ba67bed0e17c02a
        • Opcode Fuzzy Hash: 72180e447f72e634df863711cb3eef120908db6c341b2da6da5b2c7871772f1b
        • Instruction Fuzzy Hash: 2D71E87064431979FB73E7758C48FEB36AE9F15354F000495FAC5D60C2EABAC9908B60

        Control-flow Graph

        APIs
        • TerminateThread.KERNELBASE(00000000), ref: 010058DA
        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 010058E6
        • ResetEvent.KERNEL32 ref: 01005907
        • SetEvent.KERNEL32(000004B2,01001271,00000000,00000020,00000004), ref: 01005937
        • GetDesktopWindow.USER32 ref: 0100596E
        • GetDlgItem.USER32(?,0000083B), ref: 0100599E
        • SendMessageA.USER32(00000000,?,?,00000000), ref: 010059A7
        • GetDlgItem.USER32(?,0000083B), ref: 010059B9
        • SendMessageA.USER32(00000000,?,?,00000000), ref: 010059BC
        • SetWindowTextA.USER32(?,Microsoft Visual C++ 2005 Redistributable (x86)), ref: 010059CA
        • CreateThread.KERNELBASE(00000000,00000000,Function_00005190,00000000,00000000,0100BA48), ref: 010059DE
        • EndDialog.USER32(?,00000000), ref: 010059FF
        • EndDialog.USER32(?,00000000), ref: 01005A24
        Strings
        • Microsoft Visual C++ 2005 Redistributable (x86), xrefs: 010059C4
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: DialogEventItemMessageSendThreadWindow$CallbackCreateDesktopDispatcherResetTerminateTextUser
        • String ID: Microsoft Visual C++ 2005 Redistributable (x86)
        • API String ID: 3638050378-813803255
        • Opcode ID: d3500fe9f7f5db743cd9965e837850aa1de798782591f39a44d4ee80d603ffb1
        • Instruction ID: 15f982f993cd47813f1b622385cc2ed99f85bd15372d9b845fe613da468a2202
        • Opcode Fuzzy Hash: d3500fe9f7f5db743cd9965e837850aa1de798782591f39a44d4ee80d603ffb1
        • Instruction Fuzzy Hash: 4C41B135500325BBEB335B689C49EAF3EA8EB4BB61F004111F6C5A50D9C7BA8951CF90

        Control-flow Graph

        APIs
          • Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E6B
          • Part of subcall function 01002E55: SizeofResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E6F
          • Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E8B
          • Part of subcall function 01002E55: LoadResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E8F
          • Part of subcall function 01002E55: LockResource.KERNEL32(00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E96
        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01005485
        • SetEvent.KERNEL32(00000000,?,00000000), ref: 01005491
          • Part of subcall function 01002E55: FreeResource.KERNEL32(00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002EBA
        • CreateMutexA.KERNEL32(00000000,00000001,?,INSTANCECHECK,?,00000104,EXTRACTOPT,0100C494,00000004,?,00000000), ref: 010054FB
        • GetLastError.KERNEL32(?,00000000), ref: 0100550A
        • FindResourceA.KERNEL32(?,VERCHECK,0000000A), ref: 010055AB
        • LoadResource.KERNEL32(?,00000000,?,00000000), ref: 010055BC
        • #17.COMCTL32(?,00000000), ref: 010055D0
        • CloseHandle.KERNEL32(00000000,00000524,Microsoft Visual C++ 2005 Redistributable (x86),00000000,00000020,00000004,?,00000000), ref: 0100554E
          • Part of subcall function 01003EBE: MessageBoxA.USER32(?,?,Microsoft Visual C++ 2005 Redistributable (x86),00000000), ref: 01003F5B
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Resource$Find$CreateEventLoad$CloseErrorFreeHandleLastLockMessageMutexSizeof
        • String ID: EXTRACTOPT$INSTANCECHECK$Microsoft Visual C++ 2005 Redistributable (x86)$TITLE$VERCHECK
        • API String ID: 612345255-2738212212
        • Opcode ID: 1b78d5b43c382f1e261608536129d1f223226e6ea989e2684883b12cf85f6ba3
        • Instruction ID: cbd0a4ee99872fe0b9b450feb2e661f6d2b71e757350258eec7348613e7537f9
        • Opcode Fuzzy Hash: 1b78d5b43c382f1e261608536129d1f223226e6ea989e2684883b12cf85f6ba3
        • Instruction Fuzzy Hash: A05128706403496AF7339B28ED85FEA3A9DEB19745F440195F6C5D61C5CBBA8E80CF20

        Control-flow Graph

        APIs
        • wsprintfA.USER32 ref: 01003465
        • lstrcpyA.KERNEL32(74DE83C0,?), ref: 01003476
          • Part of subcall function 010066CF: lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9
        • RemoveDirectoryA.KERNELBASE(74DE83C0,74DE83C0,00000104,?), ref: 0100348D
        • GetFileAttributesA.KERNELBASE(74DE83C0), ref: 01003494
        • CreateDirectoryA.KERNELBASE(74DE83C0,00000000), ref: 010034B2
        • GetTempFileNameA.KERNEL32(?,IXP,00000000,74DE83C0), ref: 010034DD
        • DeleteFileA.KERNEL32(74DE83C0), ref: 010034F2
        • CreateDirectoryA.KERNEL32(74DE83C0,00000000), ref: 010034FB
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemplstrcpylstrlenwsprintf
        • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$IXP$IXP%03d.TMP
        • API String ID: 2425626272-775753704
        • Opcode ID: 909a37eeb0d10a258c43e028ade7052fe929c50dff5c231103c15f598a75b725
        • Instruction ID: 79b835e8247eab284df87d354388e64f77954c4bc5d13dbb6f938c802c931663
        • Opcode Fuzzy Hash: 909a37eeb0d10a258c43e028ade7052fe929c50dff5c231103c15f598a75b725
        • Instruction Fuzzy Hash: 22218035A00218AFE7239F649C45FDE7BB8FF19350F008195F6C5E6184CBB99A848FA1

        Control-flow Graph

        APIs
        • lstrlenA.KERNEL32(01005392,74DE83C0,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,?,01005392,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 010044C8
        • LocalAlloc.KERNEL32(00000040,-00000014,?,01005392,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 010044D6
        • lstrcpyA.KERNEL32(00000000,01005392,?,01005392,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0100450B
        • CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,00000000,-00000014,TMP4351$.TMP,?,01005392,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0100452D
        • LocalFree.KERNEL32(00000000,?,01005392,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01004536
        • CloseHandle.KERNEL32(00000000,?,01005392,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01004542
        • GetFileAttributesA.KERNELBASE(01005392,?,01005392,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0100454B
          • Part of subcall function 01003EBE: MessageBoxA.USER32(?,?,Microsoft Visual C++ 2005 Redistributable (x86),00000000), ref: 01003F5B
          • Part of subcall function 01003AA1: GetLastError.KERNEL32(74E04B00,01004684), ref: 01003AAA
          • Part of subcall function 01003AA1: GetLastError.KERNEL32 ref: 01003AB0
        Strings
        • TMP4351$.TMP, xrefs: 01004511
        • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 010044C3
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: ErrorFileLastLocal$AllocAttributesCloseCreateFreeHandleMessagelstrcpylstrlen
        • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$TMP4351$.TMP
        • API String ID: 3688570051-1664176527
        • Opcode ID: 57520002fee6ae4235c75deb696dfb0f82a0d2a6da16ad456c8abe4454f22560
        • Instruction ID: d346d4950023621807eef61a061fb4322b337a095deacce8b095f1f8bab94072
        • Opcode Fuzzy Hash: 57520002fee6ae4235c75deb696dfb0f82a0d2a6da16ad456c8abe4454f22560
        • Instruction Fuzzy Hash: 4611CE722002047FF3235B69AC88EAB3E5DEB857A9F014120FBC5E10C5DBBA8C458B64

        Control-flow Graph

        APIs
        • SetFileAttributesA.KERNELBASE(004F3638,00000080,?,00000000), ref: 01003387
        • DeleteFileA.KERNELBASE(004F3638,?,00000000), ref: 0100338F
        • LocalFree.KERNEL32(004F3638,?,00000000), ref: 0100339A
        • LocalFree.KERNEL32(004F3638,?,00000000), ref: 0100339D
        • lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 010033CE
        • SetCurrentDirectoryA.KERNELBASE(01001344), ref: 010033EE
        Strings
        • 86O, xrefs: 01003358
        • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 010033C2
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: FileFreeLocal$AttributesCurrentDeleteDirectorylstrcpy
        • String ID: 86O$C:\Users\user\AppData\Local\Temp\IXP000.TMP\
        • API String ID: 2574644873-267261057
        • Opcode ID: 72403c605729b33f41dc903b8094f89f79e814846cd34f283f5d5de5f6c18948
        • Instruction ID: 3d978de08161bdf378add94dce6545b53e49bcfa393c6a6d5fd735a2b26ab47d
        • Opcode Fuzzy Hash: 72403c605729b33f41dc903b8094f89f79e814846cd34f283f5d5de5f6c18948
        • Instruction Fuzzy Hash: 0D21D535900215DFFB73EB68E949B9937F8BB04715F0541A5E2C09B284CFBA99C8CB50

        Control-flow Graph

        APIs
          • Part of subcall function 010032FF: FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 0100331B
          • Part of subcall function 010032FF: LoadResource.KERNEL32(00000000,00000000), ref: 01003324
          • Part of subcall function 010032FF: LockResource.KERNEL32(00000000), ref: 0100332B
        • GetDlgItem.USER32(00050474,00000842), ref: 010051B5
        • ShowWindow.USER32(00000000), ref: 010051BE
        • GetDlgItem.USER32(00000841,00000005), ref: 010051CD
        • ShowWindow.USER32(00000000), ref: 010051D0
        • FreeResource.KERNEL32(00000000,-00000514,00000000,00000000,00000010,00000000,?,00000000,00000000,00000001,01005A8A,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,0100630E), ref: 0100527C
        • SendMessageA.USER32(00000FA1,00000000,00000000,-00000514), ref: 010052C3
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Resource$ItemShowWindow$FindFreeLoadLockMessageSend
        • String ID: *MEMCAB
        • API String ID: 3694369891-3211172518
        • Opcode ID: 0fad6b1f36d8706e582d9ea836248cbf3b7461d3a55a163e58501e177ea86f4c
        • Instruction ID: 5229d03a171856da93f12892545d0c10a51e3ee78aaa137c78116f6f246e4984
        • Opcode Fuzzy Hash: 0fad6b1f36d8706e582d9ea836248cbf3b7461d3a55a163e58501e177ea86f4c
        • Instruction Fuzzy Hash: D931C5347822157AFA33636A9C4AFDB7E9CEF46B61F400014F5C4A90C5D6FA84808BA1

        Control-flow Graph

        APIs
        • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 01003D8E
        • GetDesktopWindow.USER32 ref: 01003D9E
        • SetDlgItemTextA.USER32(?,00000834,?), ref: 01003DBB
        • SetWindowTextA.USER32(?,Microsoft Visual C++ 2005 Redistributable (x86)), ref: 01003DC7
        • SetForegroundWindow.USER32(?), ref: 01003DCE
        • GetDlgItem.USER32(?,00000834), ref: 01003DDB
        Strings
        • Microsoft Visual C++ 2005 Redistributable (x86), xrefs: 01003DC1
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Window$ItemText$CallbackDesktopDispatcherForegroundUser
        • String ID: Microsoft Visual C++ 2005 Redistributable (x86)
        • API String ID: 924976953-813803255
        • Opcode ID: dd41d01261ac654faadab94341d01f4823a6473ba55b712613bfd0464c17a586
        • Instruction ID: 0bca5e009dfaa324806a42e26035031ce731b4b5943cf24ccf8c8087cfe3fd89
        • Opcode Fuzzy Hash: dd41d01261ac654faadab94341d01f4823a6473ba55b712613bfd0464c17a586
        • Instruction Fuzzy Hash: 7D015E31144241AFEB236BA0AC0CAFF3EA8BB5A721F00065AF5D5990D5C7798552D7A1
        APIs
        • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000104,?,00000001,74DEF530,00000000), ref: 01004CFB
        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 01004D0D
        • GetExitCodeProcess.KERNELBASE(?,?), ref: 01004D20
        • CloseHandle.KERNEL32(?,?), ref: 01004D67
        • CloseHandle.KERNEL32(?), ref: 01004D6F
        • GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 01004D9C
        • FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 01004DA9
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
        • String ID:
        • API String ID: 3183975587-0
        • Opcode ID: 05cf2146d3cb3a1a994f05930313d047acf105d867eac4180c0c86445154b7ef
        • Instruction ID: 5a155537b353c9cd57f3a89634c1b274d3be44dcdf0063c1db90bf3a96692e15
        • Opcode Fuzzy Hash: 05cf2146d3cb3a1a994f05930313d047acf105d867eac4180c0c86445154b7ef
        • Instruction Fuzzy Hash: 22319275541228BEFB33AB64DC48FEA7BBCEB05310F104196F698D2194CA759D81CF64
        APIs
          • Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E6B
          • Part of subcall function 01002E55: SizeofResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E6F
          • Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E8B
          • Part of subcall function 01002E55: LoadResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E8F
          • Part of subcall function 01002E55: LockResource.KERNEL32(00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E96
        • LocalAlloc.KERNEL32(00000040,00000001,UPROMPT,00000000,00000000,00000000,00000000,?,?,?,01006231), ref: 0100440B
        • LocalFree.KERNEL32(00000000,00000000,000004B1,00000000,00000000,00000010,00000000,UPROMPT,00000000,?,?,?,?,01006231), ref: 01004452
          • Part of subcall function 01003EBE: MessageBoxA.USER32(?,?,Microsoft Visual C++ 2005 Redistributable (x86),00000000), ref: 01003F5B
          • Part of subcall function 01003AA1: GetLastError.KERNEL32(74E04B00,01004684), ref: 01003AAA
          • Part of subcall function 01003AA1: GetLastError.KERNEL32 ref: 01003AB0
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Resource$ErrorFindLastLocal$AllocFreeLoadLockMessageSizeof
        • String ID: <None>$UPROMPT
        • API String ID: 226386726-2980973527
        • Opcode ID: 5621df78db6fb9bc4c81758bdbf51104c654e0ae191e744358777e9de4287252
        • Instruction ID: 146d34d373b0198092be5e02ab1a2f1c89f0357a0b6c02c78eefd4d2e1b3e036
        • Opcode Fuzzy Hash: 5621df78db6fb9bc4c81758bdbf51104c654e0ae191e744358777e9de4287252
        • Instruction Fuzzy Hash: EF1184B1640790BAF3336B626C89E6B7AACD7C6B55F014018FAC1E50C5EBB989018774
        APIs
          • Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E6B
          • Part of subcall function 01002E55: SizeofResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E6F
          • Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E8B
          • Part of subcall function 01002E55: LoadResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E8F
          • Part of subcall function 01002E55: LockResource.KERNEL32(00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E96
        • LocalAlloc.KERNELBASE(00000040,00000001,LICENSE,00000000,00000000,00000000,00000000,?,01006243), ref: 01004BE4
        • LocalFree.KERNEL32(00000000,000004B1,00000000,00000000,00000010,00000000,LICENSE,00000000,00000000,?,01006243), ref: 01004C31
          • Part of subcall function 01003EBE: MessageBoxA.USER32(?,?,Microsoft Visual C++ 2005 Redistributable (x86),00000000), ref: 01003F5B
          • Part of subcall function 01003AA1: GetLastError.KERNEL32(74E04B00,01004684), ref: 01003AAA
          • Part of subcall function 01003AA1: GetLastError.KERNEL32 ref: 01003AB0
        • LocalFree.KERNEL32(?,01006243), ref: 01004C96
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Resource$Local$ErrorFindFreeLast$AllocLoadLockMessageSizeof
        • String ID: <None>$LICENSE
        • API String ID: 3899723493-383193767
        • Opcode ID: c73d55a50ddab375b18fca3a874db0a6e8ae128fa329b97c8ffd94b4549e4620
        • Instruction ID: 9697d7adc24e1ebcf24a66d17cc2c8ea39a979045a2e6bc1bc079e37bfc5c796
        • Opcode Fuzzy Hash: c73d55a50ddab375b18fca3a874db0a6e8ae128fa329b97c8ffd94b4549e4620
        • Instruction Fuzzy Hash: 1811B471240695BEF3735B22AD48D6B3AADE7C2B10F004159F6C5D50D8DBBA4801CB34
        APIs
        • RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,01003418,?,?,01003418), ref: 01001A7F
        • RegDeleteValueA.KERNELBASE(01003418,wextract_cleanup0,?,?,01003418), ref: 01001A91
        • RegCloseKey.ADVAPI32(01003418,?,?,01003418), ref: 01001A9A
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: CloseDeleteOpenValue
        • String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
        • API String ID: 849931509-702805525
        • Opcode ID: cd9d913e4fd79f3a06ae71b19d601bebc7f3385b073269ceb231d1a8de7b8e18
        • Instruction ID: 08e6132b78a4405aeda3fa779f53dc0e2de51a409a2e6c94243458a35d58a82b
        • Opcode Fuzzy Hash: cd9d913e4fd79f3a06ae71b19d601bebc7f3385b073269ceb231d1a8de7b8e18
        • Instruction Fuzzy Hash: F8E01A34A40248BBF733DB92DD0AF5A7AA9AB04784F500058B281A0095D7B5D901D714
        APIs
          • Part of subcall function 0100646B: GetSystemTimeAsFileTime.KERNEL32(?), ref: 01006488
          • Part of subcall function 0100646B: GetCurrentProcessId.KERNEL32 ref: 01006494
          • Part of subcall function 0100646B: GetCurrentThreadId.KERNEL32 ref: 0100649C
          • Part of subcall function 0100646B: GetTickCount.KERNEL32 ref: 010064A4
          • Part of subcall function 0100646B: QueryPerformanceCounter.KERNEL32(?), ref: 010064B0
        • GetCommandLineA.KERNEL32 ref: 010063E9
        • GetStartupInfoA.KERNEL32(?), ref: 01006428
        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0000000A), ref: 01006443
        • ExitProcess.KERNEL32 ref: 01006450
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: CurrentProcessTime$CommandCountCounterExitFileHandleInfoLineModulePerformanceQueryStartupSystemThreadTick
        • String ID:
        • API String ID: 4244892483-0
        • Opcode ID: 8eca9f7f715971f7e939c949c439528cd9193f0ffc909e1846a034fe0de0fca6
        • Instruction ID: 28ebec749969a0dba5d051bd69dfa24efec2f660701a2f3e5969e2e7d4d3e92f
        • Opcode Fuzzy Hash: 8eca9f7f715971f7e939c949c439528cd9193f0ffc909e1846a034fe0de0fca6
        • Instruction Fuzzy Hash: 7A01B1718043949AFB731FAC8449BF97FEB9F16208F650495E9C1D61C2CAB685E383A1
        APIs
          • Part of subcall function 01002EFD: lstrlenA.KERNEL32(00000104,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F0D
          • Part of subcall function 01002EFD: lstrlenA.KERNEL32(?,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F14
        • SetFileAttributesA.KERNELBASE(?,00000000,?,?,?,?,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 010050D8
        • SetDlgItemTextA.USER32(00050474,00000837,?), ref: 010050FD
          • Part of subcall function 010032A1: lstrcpyA.KERNEL32(0100C17C,?,?,?,?,01005180,?), ref: 010032C8
          • Part of subcall function 010032A1: lstrcpyA.KERNEL32(0100C280,?,?,?,?,01005180,?), ref: 010032D2
          • Part of subcall function 010032A1: lstrcpyA.KERNEL32(0100C384,?,?,?,?,01005180,?), ref: 010032DC
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: lstrcpy$lstrlen$AttributesFileItemText
        • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
        • API String ID: 1052324692-305352358
        • Opcode ID: f19e61d64bcb31124e15a0de3fd3c72425a8ff17acc2b1c39f114b4d5d9fea0a
        • Instruction ID: 90c2899bc6a778b52ee834594eec5cb3686ca2a893eb7b206c14bf922d2a115a
        • Opcode Fuzzy Hash: f19e61d64bcb31124e15a0de3fd3c72425a8ff17acc2b1c39f114b4d5d9fea0a
        • Instruction Fuzzy Hash: E831823650060AAAFB73DB78CD05AEB77E8AB18750F044555BAD5D60C0EE74DA84CFA0
        APIs
          • Part of subcall function 01002C91: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 01002CB7
          • Part of subcall function 01002C91: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 01002CC9
          • Part of subcall function 01002C91: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 01002CEC
        • WriteFile.KERNELBASE(?,?,?,00000000), ref: 010030AA
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: MessagePeek$FileMultipleObjectsWaitWrite
        • String ID: H&.
        • API String ID: 1084409-2663418753
        • Opcode ID: 3e01d822541ebd2f5a5feccbb733383a8b69a22151e5f48031294b1a04767e1f
        • Instruction ID: 5e22b0a0ad35bde250d44ec082465892956c20a04e3cac16195ac4398cecf9f5
        • Opcode Fuzzy Hash: 3e01d822541ebd2f5a5feccbb733383a8b69a22151e5f48031294b1a04767e1f
        • Instruction Fuzzy Hash: C00180352012499FE7378F5EDC49B693BAAF780725F044225F6A58A1F4CBB69855CB00
        APIs
        • lstrcmpA.KERNEL32(00000180,*MEMCAB,00000000,00000001,?,01004303,*MEMCAB,00008000,00000180,00000000), ref: 01004221
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: lstrcmp
        • String ID: *MEMCAB$T!(
        • API String ID: 1534048567-745981379
        • Opcode ID: 8d1886825cf7cf1b7fca3806ded3f6736f8ae30cbe39c047e8d4af6a682cd926
        • Instruction ID: 92061fbbc721102d292826fa71bb98d8294175fcbeac33c2f5b1cd223c837d31
        • Opcode Fuzzy Hash: 8d1886825cf7cf1b7fca3806ded3f6736f8ae30cbe39c047e8d4af6a682cd926
        • Instruction Fuzzy Hash: C11175716412049FF7639F18C984AB57B94FB00358F4643E9F6D9CA1E6CBB1C8458B54
        APIs
        • DosDateTimeToFileTime.KERNEL32(?,00000104,00000104), ref: 01003217
        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01003229
        • SetFileTime.KERNELBASE(?,?,?,?), ref: 0100323F
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Time$File$DateLocal
        • String ID:
        • API String ID: 2071732420-0
        • Opcode ID: a85077572743f2c403f9a8a18ce59d41622f36ce07e64cd569effb84dd5ba5dd
        • Instruction ID: 40f91eae84c0d30797b84d3855ee905c98267c5d71123f35ca3de860f136514f
        • Opcode Fuzzy Hash: a85077572743f2c403f9a8a18ce59d41622f36ce07e64cd569effb84dd5ba5dd
        • Instruction Fuzzy Hash: C8F03C7260011AAFAB22DFA4CD45CFB7BACFA44340F000569B9A6D6095EB31D518CBA0
        APIs
        • RegOpenKeyExA.KERNELBASE(80000002,01004D5B,00000000,00020019,01004D5B,00000000,01004D5B,?,01001FBD,System\CurrentControlSet\Control\Session Manager,PendingFileRenameOperations,?,01001FE6,?,?,01002241), ref: 01001EFD
        • RegQueryValueExA.KERNELBASE(01004D5B,?,00000000,00000000,00000000,?,?,01001FBD,System\CurrentControlSet\Control\Session Manager,PendingFileRenameOperations,?,01001FE6,?,?,01002241,00000003), ref: 01001F14
        • RegCloseKey.KERNELBASE(01004D5B,?,01001FBD,System\CurrentControlSet\Control\Session Manager,PendingFileRenameOperations,?,01001FE6,?,?,01002241,00000003,00000000,01002D1B,?,01004D5B,?), ref: 01001F24
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: CloseOpenQueryValue
        • String ID:
        • API String ID: 3677997916-0
        • Opcode ID: 40f801ecea3a8f97b9f9c960bc3d2ecb8093f2fd098167d5a3c61593dd613369
        • Instruction ID: 2ca24a09e34f2df9065e4514fbcabbf1d6ca945d8222d5e896961b6e325d8fb3
        • Opcode Fuzzy Hash: 40f801ecea3a8f97b9f9c960bc3d2ecb8093f2fd098167d5a3c61593dd613369
        • Instruction Fuzzy Hash: 4DF0B775601128FBEB219F92DD08DDBBE6CEF457A0F108055FD4996110D771DA10DBA0
        APIs
        • CreateFileA.KERNELBASE(00000180,80000000,00000000,00000000,00008000,00000080,00000000,00000000,00000000,00000000,?,?,0100427B,00000180,00008000,?), ref: 010041A8
        • CreateFileA.KERNEL32(00000180,80000000,00000000,00000000,00000003,00000080,00000000,00000180,?,?,0100427B,00000180,00008000,?,?,01004303), ref: 010041CA
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: b69cf7712ea0dd325566fc773e9ea564160eeb22ca95d34820805d5e9552cd5a
        • Instruction ID: ad9754ded69d89190427acfe716f1ac8fe926d72f3e8cb2752d49aa3ea161600
        • Opcode Fuzzy Hash: b69cf7712ea0dd325566fc773e9ea564160eeb22ca95d34820805d5e9552cd5a
        • Instruction Fuzzy Hash: 661173B265410CBAFB124E69CC44FEA7BA8EB613A8F148225FB64D61D0C379CD41DB54
        APIs
        • lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9
        • CharPrevA.USER32(00000104,0100C89A,0100C89A,?,01003991,0100C89A,00000104,01001271), ref: 010066F8
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: CharPrevlstrlen
        • String ID:
        • API String ID: 2709904686-0
        • Opcode ID: e495bcc581d825eadedbe2fa0249395852abc95ba879f853f598c9e8d998fbc5
        • Instruction ID: 01c4db8a04a40ec1d325de77efd8d7371b3f1bfb3a4b2ec35a0bf0181df07810
        • Opcode Fuzzy Hash: e495bcc581d825eadedbe2fa0249395852abc95ba879f853f598c9e8d998fbc5
        • Instruction Fuzzy Hash: 6EF04F35004185EEF7235B18CC88FAA7FAAAB86210F254089F5D98B191D776A861C775
        APIs
        • GetDiskFreeSpaceA.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 01006A70
        • MulDiv.KERNEL32(00000000,00000000,00000400), ref: 01006A8B
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: DiskFreeSpace
        • String ID:
        • API String ID: 1705453755-0
        • Opcode ID: 825da8cf926745c3866bbeb836e8d81481314d09f4b5b7f7c70813e4e2df1b9f
        • Instruction ID: b1f9c66608a2b67e4be2bbf4eebceb79f2602f57f0fa110e7db973902b5e4614
        • Opcode Fuzzy Hash: 825da8cf926745c3866bbeb836e8d81481314d09f4b5b7f7c70813e4e2df1b9f
        • Instruction Fuzzy Hash: E0F0E776D00118BFEF05DF95C844BEEBBBCEF15326F118496AA11A6080DB75A749CFA0
        APIs
          • Part of subcall function 0100672A: GetFileAttributesA.KERNELBASE(010027CD,?,010027CD,?), ref: 01006732
        • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,01005130,?,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01005017
          • Part of subcall function 01004819: FindResourceA.KERNEL32(00000000,?,00000005), ref: 0100482A
          • Part of subcall function 01004819: LoadResource.KERNEL32(00000000,00000000,?,0100563F,000007D6,00000000,0100189D,00000547,0000083E,?,?,00000000), ref: 01004838
          • Part of subcall function 01004819: DialogBoxIndirectParamA.USER32(00000000,00000000,?,0000083E,00000547), ref: 01004857
          • Part of subcall function 01004819: FreeResource.KERNEL32(00000000,?,0100563F,000007D6,00000000,0100189D,00000547,0000083E,?,?,00000000), ref: 01004860
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
        • String ID:
        • API String ID: 2018477427-0
        • Opcode ID: 9fcb4db864238772c7e0f37f4d42fba18ce8b857c712aa4923ee3850bd34ccd9
        • Instruction ID: 29f51442478ac074da39ef7c59ef3f45121b76390a107e31bb9452852c9f7bc5
        • Opcode Fuzzy Hash: 9fcb4db864238772c7e0f37f4d42fba18ce8b857c712aa4923ee3850bd34ccd9
        • Instruction Fuzzy Hash: CDF0C2311513096AF7779B28AC84B6A3AD8EB01764F004166F7C05A0C5DAB64940DF99
        APIs
        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 010047D2
          • Part of subcall function 01003EBE: MessageBoxA.USER32(?,?,Microsoft Visual C++ 2005 Redistributable (x86),00000000), ref: 01003F5B
          • Part of subcall function 01003AA1: GetLastError.KERNEL32(74E04B00,01004684), ref: 01003AAA
          • Part of subcall function 01003AA1: GetLastError.KERNEL32 ref: 01003AB0
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: ErrorLast$DirectoryMessageWindows
        • String ID:
        • API String ID: 824312211-0
        • Opcode ID: 35282c28667d4249282c988ff0902db8e714afbbed6593e0c008549f216fc637
        • Instruction ID: fd3234c94b0ccb30078aef88c93f716d7f268c6b22518fee9330ebb3e3fc8867
        • Opcode Fuzzy Hash: 35282c28667d4249282c988ff0902db8e714afbbed6593e0c008549f216fc637
        • Instruction Fuzzy Hash: E1F08270A403057AF722EB709C46FEA33ACA750700F004460B6C1EB0C1DAB49D848B14
        APIs
        • FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,0100433C,00000000,?,?,?,?,?,00000000), ref: 01003145
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: ChangeCloseFindNotification
        • String ID:
        • API String ID: 2591292051-0
        • Opcode ID: ddf299c9d854a60029591bd0d9130fc256d7a927763a6f5153bdca3c177d8727
        • Instruction ID: ddcf91d87cb97e1f61d19a99827c2554d1a57a890e9a07dc5fc143585956e2ac
        • Opcode Fuzzy Hash: ddf299c9d854a60029591bd0d9130fc256d7a927763a6f5153bdca3c177d8727
        • Instruction Fuzzy Hash: 78F03632501B11EEA3A38F1995405EA7BE5FA84350B110669D5EEC6250DB30E4018B50
        APIs
        • CallWindowProcA.USER32(?,000000B1,?,?), ref: 01002C48
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: CallProcWindow
        • String ID:
        • API String ID: 2714655100-0
        • Opcode ID: 57bb70af8bfbb8b23156a9c1a0486bed7ddfe1acf454b9b5c5c11542bdb649e9
        • Instruction ID: a07d50798ef149d4e1ecace732c64fb37068310263867ffacb94ca3ca9138ea6
        • Opcode Fuzzy Hash: 57bb70af8bfbb8b23156a9c1a0486bed7ddfe1acf454b9b5c5c11542bdb649e9
        • Instruction Fuzzy Hash: BEE01A3100120DFFEF638E84D908AAA3BA9BB44321F108954F9A5000A1C3768660DB51
        APIs
        • GetFileAttributesA.KERNELBASE(010027CD,?,010027CD,?), ref: 01006732
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: AttributesFile
        • String ID:
        • API String ID: 3188754299-0
        • Opcode ID: fc34f9762965e922ec69309eca6e6d82ef122b58ec165bd24e8a40cd18f7f548
        • Instruction ID: fe60699710c37628f3a1ec2a8e4606557de7a92a1d7bfb60a33c4a11166a432d
        • Opcode Fuzzy Hash: fc34f9762965e922ec69309eca6e6d82ef122b58ec165bd24e8a40cd18f7f548
        • Instruction Fuzzy Hash: EBC0803301440C6767125575DC098763E46F741374F504720F1BBC41D0DF7BD4A1D150
        APIs
          • Part of subcall function 010053FA: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01005485
          • Part of subcall function 010053FA: SetEvent.KERNEL32(00000000,?,00000000), ref: 01005491
        • CloseHandle.KERNEL32(00000000,00000000,?,?,?,0100644F,00000000), ref: 010063CC
          • Part of subcall function 01003346: SetFileAttributesA.KERNELBASE(004F3638,00000080,?,00000000), ref: 01003387
          • Part of subcall function 01003346: DeleteFileA.KERNELBASE(004F3638,?,00000000), ref: 0100338F
          • Part of subcall function 01003346: LocalFree.KERNEL32(004F3638,?,00000000), ref: 0100339A
          • Part of subcall function 01003346: LocalFree.KERNEL32(004F3638,?,00000000), ref: 0100339D
          • Part of subcall function 01003346: lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 010033CE
          • Part of subcall function 01003346: SetCurrentDirectoryA.KERNELBASE(01001344), ref: 010033EE
          • Part of subcall function 01002251: ExitWindowsEx.USER32(00000002,00000000), ref: 01002296
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: EventFileFreeLocal$AttributesCloseCreateCurrentDeleteDirectoryExitHandleWindowslstrcpy
        • String ID:
        • API String ID: 3566781794-0
        • Opcode ID: 360fb856e433d93ef5c6abbea1fa4c6ea4acfdbb5a2bf550e81dc508a18bc19c
        • Instruction ID: a0c14d9bb266869afe735ce61a49557cb3a3a2021fce37bd23befcfbf90a69dd
        • Opcode Fuzzy Hash: 360fb856e433d93ef5c6abbea1fa4c6ea4acfdbb5a2bf550e81dc508a18bc19c
        • Instruction Fuzzy Hash: A4F0893160061557FB33AFA5E904BDB3BD9EB11361F04D450F9C4A6184CB7BD9748B94
        APIs
        • GlobalAlloc.KERNELBASE(00000000,?), ref: 0100327F
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: AllocGlobal
        • String ID:
        • API String ID: 3761449716-0
        • Opcode ID: 7b71b831925a2d90643e7752b1a2709e506846632fe93e76af179d897e7101ca
        • Instruction ID: 4bb07ebccd0d412d478b25c00f2aeddb319c24c1cf8280db505fbd4cc18ddfdc
        • Opcode Fuzzy Hash: 7b71b831925a2d90643e7752b1a2709e506846632fe93e76af179d897e7101ca
        • Instruction Fuzzy Hash: E0B0123214424CB7CB111BD2E809FD53F1DD7C5772F004001F64C05141CAB3D4508791
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: FreeGlobal
        • String ID:
        • API String ID: 2979337801-0
        • Opcode ID: 551bb148dbce71ccb86f60d786338309b3c648a378d05cbb00bb3c74f7e7c821
        • Instruction ID: faa09d8b584007b82b20e1d52ea593548f9e5b6d19939489179b90da4771cbc5
        • Opcode Fuzzy Hash: 551bb148dbce71ccb86f60d786338309b3c648a378d05cbb00bb3c74f7e7c821
        • Instruction Fuzzy Hash: EAB0123100414CF7CF111B42E8088857F2DD6C0360B004010F48C420118F73D81186A0
        APIs
          • Part of subcall function 010016B4: LoadLibraryA.KERNEL32(advapi32.dll,Microsoft Visual C++ 2005 Redistributable (x86),00000000,?,?,?,010017A0,?,00000000,?,?,0100561B,?,?,00000000), ref: 010016E6
          • Part of subcall function 010016B4: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 010016FA
          • Part of subcall function 010016B4: AllocateAndInitializeSid.ADVAPI32(010017A0,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01001726
          • Part of subcall function 010016B4: FreeSid.ADVAPI32(?), ref: 0100173A
          • Part of subcall function 010016B4: FreeLibrary.KERNEL32(?,?,?,?,010017A0,?,00000000,?,?,0100561B,?,?,00000000), ref: 01001743
        • GetCurrentProcess.KERNEL32(00000008,0100561B,?,00000000,?,?,0100561B,?,?,00000000), ref: 010017AE
        • OpenProcessToken.ADVAPI32(00000000,?,?,0100561B,?,?,00000000), ref: 010017B5
        • GetTokenInformation.ADVAPI32(0100561B,00000002,00000000,00000000,?,00000001,?,?,0100561B,?,?,00000000), ref: 010017D5
        • GetLastError.KERNEL32(?,?,0100561B,?,?,00000000), ref: 010017DF
        • LocalAlloc.KERNEL32(00000000,?,Microsoft Visual C++ 2005 Redistributable (x86),?,?,0100561B,?,?,00000000), ref: 010017F3
        • GetTokenInformation.ADVAPI32(0100561B,00000002,00000000,?,?,?,?,0100561B,?,?,00000000), ref: 0100180C
        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0100561B,?), ref: 01001829
        • EqualSid.ADVAPI32(00000004,?,?,?,0100561B,?,?,00000000), ref: 0100183F
        • FreeSid.ADVAPI32(?,?,?,0100561B,?,?,00000000), ref: 01001861
        • LocalFree.KERNEL32(00000000,?,?,0100561B,?,?,00000000), ref: 01001868
        • CloseHandle.KERNEL32(0100561B,?,?,0100561B,?,?,00000000), ref: 01001872
        Strings
        • Microsoft Visual C++ 2005 Redistributable (x86), xrefs: 010017EE
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
        • String ID: Microsoft Visual C++ 2005 Redistributable (x86)
        • API String ID: 2168512254-813803255
        • Opcode ID: f21df1777e37cdd6f0ec34d387a85b1e37b56b33b539e6758f9be16fc240ee8c
        • Instruction ID: 4672b0472d1bbbfd446eee883f18bb1d65bf3648c25b20912db4fd6b3c782e19
        • Opcode Fuzzy Hash: f21df1777e37cdd6f0ec34d387a85b1e37b56b33b539e6758f9be16fc240ee8c
        • Instruction Fuzzy Hash: E0317E71A0024AAFEB22DFA5DC44AEEBBB9EB04344F544465F6C1E2181D775DB04CB60
        APIs
        • GetCurrentProcess.KERNEL32(00000028,?,00000000,?,?,0100644F), ref: 010019D2
        • OpenProcessToken.ADVAPI32(00000000,?,0100644F), ref: 010019D9
        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 010019FB
        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000), ref: 01001A1A
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
        • String ID: SeShutdownPrivilege
        • API String ID: 2349140579-3733053543
        • Opcode ID: c17b7cf3f8bdb7068d93d2025f9cbb3199983dd50f7b35b7e72ddddd59bfcf11
        • Instruction ID: 6422d8529b1dadd26b9958a069e7ff89d807a817af3ba06e0855e17f5c681b04
        • Opcode Fuzzy Hash: c17b7cf3f8bdb7068d93d2025f9cbb3199983dd50f7b35b7e72ddddd59bfcf11
        • Instruction Fuzzy Hash: D9018071642225BAF7329BA24C0DFEB7EACEF46794F000010BA8AE40C5D6B5D640C6F5
        APIs
        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 01006488
        • GetCurrentProcessId.KERNEL32 ref: 01006494
        • GetCurrentThreadId.KERNEL32 ref: 0100649C
        • GetTickCount.KERNEL32 ref: 010064A4
        • QueryPerformanceCounter.KERNEL32(?), ref: 010064B0
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
        • String ID:
        • API String ID: 1445889803-0
        • Opcode ID: 1c9a6aecb8a7c21b59f0650fcfd769be0ce501fac9dd4907ed4c08a4f18fdedf
        • Instruction ID: 54730ea4cddf6389e8530bc477ef8a499c223e9ef8984b798b14dd8bf7ea62bb
        • Opcode Fuzzy Hash: 1c9a6aecb8a7c21b59f0650fcfd769be0ce501fac9dd4907ed4c08a4f18fdedf
        • Instruction Fuzzy Hash: 76F0EC76D002189BDB22ABB4D44859FBBF5FF08350F420561E481E7145DB3AE9008B80
        APIs
        • SetUnhandledExceptionFilter.KERNEL32(00000000,00000001), ref: 010065CC
        • UnhandledExceptionFilter.KERNEL32(?), ref: 010065D6
        • GetCurrentProcess.KERNEL32(00000502), ref: 010065E1
        • TerminateProcess.KERNEL32(00000000), ref: 010065E8
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
        • String ID:
        • API String ID: 3231755760-0
        • Opcode ID: f1286b280cafa843d75f99a14fc8f82f3d62a7f6c1ba433f05c714c2799dff35
        • Instruction ID: b59ea808f46e4147d566023df9ea61253988435faf81cc8e47133db2c15ee704
        • Opcode Fuzzy Hash: f1286b280cafa843d75f99a14fc8f82f3d62a7f6c1ba433f05c714c2799dff35
        • Instruction Fuzzy Hash: C531AEB9811228DBCB62DF69D9886CDBBB4FF08300F1041EAE90DA7250E7759B80CF44
        APIs
        • CharNextA.USER32(00000000,00000001,Microsoft Visual C++ 2005 Redistributable (x86),00000000), ref: 01003601
        • GetModuleFileNameA.KERNEL32(0100C99E,00000104,00000001,Microsoft Visual C++ 2005 Redistributable (x86),00000000), ref: 010036CF
        • CharUpperA.USER32(?), ref: 01003716
        • CharUpperA.USER32(-0000004F), ref: 010037A5
        • lstrcmpiA.KERNEL32(RegServer,?), ref: 01003825
        • CharUpperA.USER32(?), ref: 01003856
        • CharUpperA.USER32(-0000004E), ref: 010038BA
        • lstrlenA.KERNEL32(0000002F), ref: 01003921
        • CharUpperA.USER32(?,0000002F,?), ref: 01003952
        • lstrcpyA.KERNEL32(0100C89A,0000002F), ref: 0100397B
        • lstrlenA.KERNEL32(0000002F), ref: 010039E2
        • lstrcpyA.KERNEL32(0100CAA2,0000002F,0000002F,?,0000002F,0000005D,0000002F,0000005B), ref: 01003A57
        • CloseHandle.KERNEL32(00000000), ref: 01003A6E
        • ExitProcess.KERNEL32 ref: 01003A76
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Char$Upper$lstrcpylstrlen$CloseExitFileHandleModuleNameNextProcesslstrcmpi
        • String ID: "$-$:$Microsoft Visual C++ 2005 Redistributable (x86)$RegServer
        • API String ID: 497476604-1144207382
        • Opcode ID: 794e446cbad3e2b7cdf7e932ea0521a881f1aef766460360d9a64afcbe4b84b2
        • Instruction ID: bb19260d6a52b5aa4d74d53b6b2143bc91a7fcd92ee9301d96aa0320e1ef3d88
        • Opcode Fuzzy Hash: 794e446cbad3e2b7cdf7e932ea0521a881f1aef766460360d9a64afcbe4b84b2
        • Instruction Fuzzy Hash: D7D1D271D086959EFB778B2C8D083BA7EE4BB16310F0881D9D5C99E1C5CBB886C58F52
        APIs
          • Part of subcall function 01002ECE: LoadStringA.USER32(?,00000001,00000200,LoadString() Error. Could not load string resource.), ref: 01002EEB
        • MessageBoxA.USER32(?,?,Microsoft Visual C++ 2005 Redistributable (x86),00000000), ref: 01003F5B
        • lstrlenA.KERNEL32(00000000,?,?,00000200,00000001,Microsoft Visual C++ 2005 Redistributable (x86),00000000), ref: 01003F7E
        • lstrlenA.KERNEL32(0000007F), ref: 01003F83
        • lstrlenA.KERNEL32(00000000), ref: 01003F8E
        • LocalAlloc.KERNEL32(00000040,00000064), ref: 01003F97
        • wsprintfA.USER32 ref: 01003FB2
        • lstrlenA.KERNEL32(0000007F,?,?,00000200,00000001,Microsoft Visual C++ 2005 Redistributable (x86),00000000), ref: 01003FC8
        • lstrlenA.KERNEL32(00000000), ref: 01003FD3
        • LocalAlloc.KERNEL32(00000040,00000064), ref: 01003FDC
        • wsprintfA.USER32 ref: 01003FF5
        • lstrlenA.KERNEL32(00000000,?,?,00000200,00000001,Microsoft Visual C++ 2005 Redistributable (x86),00000000), ref: 01004007
        • LocalAlloc.KERNEL32(00000040,00000001), ref: 01004011
        • lstrcpyA.KERNEL32(00000000,00000000), ref: 01004029
        • MessageBeep.USER32(?), ref: 01004032
        • MessageBoxA.USER32(?,00000000,Microsoft Visual C++ 2005 Redistributable (x86),00000000), ref: 01004075
        • LocalFree.KERNEL32(00000000), ref: 0100407E
          • Part of subcall function 010068B3: GetVersionExA.KERNEL32(?), ref: 010068FC
          • Part of subcall function 010068B3: GetSystemMetrics.USER32(0000004A), ref: 01006933
          • Part of subcall function 010068B3: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 01006959
          • Part of subcall function 010068B3: RegQueryValueExA.ADVAPI32(?,01001271,00000000,?,?,0000000C,?), ref: 01006983
          • Part of subcall function 010068B3: RegCloseKey.ADVAPI32(?), ref: 01006991
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: lstrlen$Local$AllocMessage$wsprintf$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersionlstrcpy
        • String ID: LoadString() Error. Could not load string resource.$Microsoft Visual C++ 2005 Redistributable (x86)
        • API String ID: 374963636-746039075
        • Opcode ID: 6e6d68f176d476745e32004f49a78736f7c082e95af37230175d7f171fa7616c
        • Instruction ID: eea99181f0804644aa289dd1498f83149dc0c4724dca30bca3b9ea1b6c7227c8
        • Opcode Fuzzy Hash: 6e6d68f176d476745e32004f49a78736f7c082e95af37230175d7f171fa7616c
        • Instruction Fuzzy Hash: 27518F71900619ABFB23EB64DD49BAB7BB9FF04340F0400A1FAC5E6180DB75DA508F60
        APIs
        • LoadStringA.USER32(000003E8,0100B640,00000200), ref: 010056CB
        • GetDesktopWindow.USER32 ref: 0100582A
        • SetWindowTextA.USER32(?,Microsoft Visual C++ 2005 Redistributable (x86)), ref: 01005840
        • SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 01005859
        • GetDlgItem.USER32(?,00000836), ref: 01005872
        • EnableWindow.USER32(00000000), ref: 01005879
        • EndDialog.USER32(?,00000000), ref: 01005886
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
        • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Microsoft Visual C++ 2005 Redistributable (x86)
        • API String ID: 2418873061-489689315
        • Opcode ID: 67c2eb31cf3ab21f20db5c8c852de19d0f9fcb7337bab56cf1edb54243df0e23
        • Instruction ID: bceac7bff489e274393193b6e50ad7b08821bdc7de2992364884c992066ff592
        • Opcode Fuzzy Hash: 67c2eb31cf3ab21f20db5c8c852de19d0f9fcb7337bab56cf1edb54243df0e23
        • Instruction Fuzzy Hash: D151B470240685BAF6731B269C4CFAB3DACEBC6B55F004124BAC5A90C5DBB5CA51CBB4
        APIs
        • LoadLibraryA.KERNEL32(SHELL32.DLL,0100B640,0100B338,?), ref: 01004E83
        • GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 01004EA4
        • GetProcAddress.KERNEL32(00000000,000000C3), ref: 01004EB7
        • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 01004ECA
        • GetTempPathA.KERNEL32(00000104,0100BA80), ref: 01004EEA
        • lstrlenA.KERNEL32(0100BA80), ref: 01004EF1
        • CharPrevA.USER32(0100BA80,00000000), ref: 01004F01
        • CharPrevA.USER32(0100BA80,00000000), ref: 01004F0D
        • lstrcpyA.KERNEL32(?,0100BA80), ref: 01004F5E
        • FreeLibrary.KERNEL32(?), ref: 01004F6D
        • FreeLibrary.KERNEL32(00000000), ref: 01004F7D
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: AddressLibraryProc$CharFreePrev$LoadPathTemplstrcpylstrlen
        • String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
        • API String ID: 2439948570-1731843650
        • Opcode ID: 2e9765e9f73174fdabd9105ff3870c025ec8e8cc93456301d0d3cae1497260b0
        • Instruction ID: fe0e6358b7e97da39a092ede048a89c2912f00ab584277418b1ac7d42fbd63d6
        • Opcode Fuzzy Hash: 2e9765e9f73174fdabd9105ff3870c025ec8e8cc93456301d0d3cae1497260b0
        • Instruction Fuzzy Hash: 9B318CB1905258BFEB139FA5CC88DFEBFB8EB49340F144069F684E6280C7758941CBA4
        APIs
        • CharUpperA.USER32(00009B02,?,00000085,00000000), ref: 010022E0
        • CharNextA.USER32(?), ref: 010022EF
        • CharNextA.USER32(00000000), ref: 010022F2
        • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,00000104,00000000), ref: 0100234D
        • RegQueryValueExA.ADVAPI32(?,01001271,00000000,?,-00000004,?), ref: 01002377
        • ExpandEnvironmentStringsA.KERNEL32(-00000004,?,00000104), ref: 01002393
        • RegCloseKey.ADVAPI32(?), ref: 010023C8
        • lstrcpyA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 0100231F
          • Part of subcall function 010066CF: lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9
        • GetWindowsDirectoryA.KERNEL32(-00000004,0000054D), ref: 010023D4
        • GetSystemDirectoryA.KERNEL32(-00000004,0000054D), ref: 010023E0
        Strings
        • Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 01002308
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindowslstrcpylstrlen
        • String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
        • API String ID: 2880253981-2428544900
        • Opcode ID: 7336e8143879b37cb86321436bf8a53eaa814517ff0876aac997468360ad53a5
        • Instruction ID: 1ad0f1247c1ed9861ce20e69da4a43a8ce288dfb09bb26ecbceeb403ef27fb39
        • Opcode Fuzzy Hash: 7336e8143879b37cb86321436bf8a53eaa814517ff0876aac997468360ad53a5
        • Instruction Fuzzy Hash: D7314A75904218AFEF239B64DC49FEE7BBDAF15310F008095F6C5E2081DBB99A948F61
        APIs
        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000000), ref: 01001D2D
        • RegQueryValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000000,?,?,74DEF530), ref: 01001D62
        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 01001D92
        • wsprintfA.USER32 ref: 01001DC6
        • lstrlenA.KERNEL32(?), ref: 01001DD6
        • RegSetValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000001,?,00000001), ref: 01001DEF
          • Part of subcall function 010066CF: lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9
        • RegCloseKey.ADVAPI32(?), ref: 01001DFC
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Valuelstrlen$CloseDirectoryOpenQuerySystemwsprintf
        • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
        • API String ID: 2431697979-2036266374
        • Opcode ID: 7ccf2c186cec699dfa9e19b335666aea46083c7a505e779869d620471afed035
        • Instruction ID: ab331a59c0f7b6da72724869899c66218a158f7d6afaae21f27dd4f7a2236e07
        • Opcode Fuzzy Hash: 7ccf2c186cec699dfa9e19b335666aea46083c7a505e779869d620471afed035
        • Instruction Fuzzy Hash: 81210175A00258ABEB33DB55DC49EDE7BBDEB44740F0000A9F689E6045DAB5EB84CB60
        APIs
        • wsprintfA.USER32 ref: 01003AFB
        • FindResourceA.KERNEL32(00000000,?,0000000A), ref: 01003B07
        • LoadResource.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,PACKINSTSPACE,0100C498), ref: 01003B1C
        • LockResource.KERNEL32(00000000,?,?,?,?,?,PACKINSTSPACE,0100C498), ref: 01003B23
        • lstrlenA.KERNEL32(00000008,?,?,?,?,?,PACKINSTSPACE,0100C498), ref: 01003B3E
        • FreeResource.KERNEL32(00000000,?,?,?,?,?,PACKINSTSPACE,0100C498), ref: 01003B58
        • wsprintfA.USER32 ref: 01003B6D
        • FindResourceA.KERNEL32(00000000,?,0000000A), ref: 01003B7A
        • FreeResource.KERNEL32(00000000,?,?,?,?,?,PACKINSTSPACE,0100C498), ref: 01003B99
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Resource$FindFreewsprintf$LoadLocklstrlen
        • String ID: UPDFILE%lu
        • API String ID: 3821519360-2329316264
        • Opcode ID: 576a9d2a41689e10918246a17bc41e24b95d99357cd218a458b2db2c03cc483b
        • Instruction ID: c1f926839f5bccd6bd9dba539fb315616eac7d52b92b8f90cc2973ba09a331c2
        • Opcode Fuzzy Hash: 576a9d2a41689e10918246a17bc41e24b95d99357cd218a458b2db2c03cc483b
        • Instruction Fuzzy Hash: 39313E76A00609EFEB22DFA5D848EEEBBB9FB48705F004019F685E7140D77A9501CFA1
        APIs
        • GlobalFree.KERNEL32(00000000), ref: 0100256C
          • Part of subcall function 010022AC: CharUpperA.USER32(00009B02,?,00000085,00000000), ref: 010022E0
          • Part of subcall function 010022AC: CharNextA.USER32(?), ref: 010022EF
          • Part of subcall function 010022AC: CharNextA.USER32(00000000), ref: 010022F2
          • Part of subcall function 010022AC: lstrcpyA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 0100231F
          • Part of subcall function 010022AC: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,00000104,00000000), ref: 0100234D
          • Part of subcall function 010022AC: RegQueryValueExA.ADVAPI32(?,01001271,00000000,?,-00000004,?), ref: 01002377
          • Part of subcall function 010022AC: ExpandEnvironmentStringsA.KERNEL32(-00000004,?,00000104), ref: 01002393
          • Part of subcall function 010022AC: RegCloseKey.ADVAPI32(?), ref: 010023C8
        • GetFileVersionInfoSizeA.VERSION(00000001,?,00000001,?,?,0000054D,-00000004,?,?,00000104,?,?,?,?,?,?), ref: 01002470
        • GlobalAlloc.KERNEL32(00000042,00000000,0000003C,?,0000003C,?,?,00000001,?,00000001,?,?,0000054D,-00000004,?,?), ref: 01002483
        • GlobalLock.KERNEL32(00000000), ref: 01002495
        • GetFileVersionInfoA.VERSION(0000003C,?,?,00000000), ref: 010024AF
        • VerQueryValueA.VERSION(00000000,010012E8,0000003C,0000003C,0000003C,?,?,00000000), ref: 010024C6
        • GlobalUnlock.KERNEL32(00000000,0000003C,?,?,00000000), ref: 0100252D
        • GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0100257C
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Global$Char$FileInfoNextQueryUnlockValueVersion$AllocCloseEnvironmentExpandFreeLockOpenSizeStringsUpperlstrcpy
        • String ID: <
        • API String ID: 1180996843-4251816714
        • Opcode ID: a61b42028a78b6719a84272888b5fabe7deeadf3e4bb080be80df957aa7dc6f8
        • Instruction ID: 538557d1a956e60c55ac0e275cb9440454b828f686c89056c6c9e8496247c2c4
        • Opcode Fuzzy Hash: a61b42028a78b6719a84272888b5fabe7deeadf3e4bb080be80df957aa7dc6f8
        • Instruction Fuzzy Hash: AA41837190020AEFEF12CF98C898AEDBBF5FF04305F104069EA85A2191D776DA45CF64
        APIs
        • GetModuleFileNameA.KERNEL32(?,00000104,?,00000400), ref: 010025D0
        • IsDBCSLeadByte.KERNEL32(00000000,00000000), ref: 010025EA
        • CharNextA.USER32(00000400), ref: 01002608
        • CharUpperA.USER32(00000000), ref: 01002614
        • lstrlenA.KERNEL32(?,?), ref: 01002631
        • CharPrevA.USER32(?,?), ref: 01002642
        • CharUpperA.USER32(00000000), ref: 0100265A
        • lstrlenA.KERNEL32(?,?,00000000,00000400,?,?), ref: 01002682
        • CharNextA.USER32(?), ref: 0100268E
        • CharNextA.USER32(00000400), ref: 01002697
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Char$Next$Upperlstrlen$ByteFileLeadModuleNamePrev
        • String ID:
        • API String ID: 3967807161-0
        • Opcode ID: a820073371754dc5eeb8d23f47868028148f50acb9d5e774029aed37092d399e
        • Instruction ID: eaaee00f3e00e4901544a9c651e5066a5a093bae46e09448390e21310fb16754
        • Opcode Fuzzy Hash: a820073371754dc5eeb8d23f47868028148f50acb9d5e774029aed37092d399e
        • Instruction Fuzzy Hash: F9317A75804285AEEB739F68CC48BEABFEDAF1A300F140595E5C4D3281DB798981CF61
        APIs
        • LoadLibraryA.KERNEL32(advapi32.dll,Microsoft Visual C++ 2005 Redistributable (x86),00000000,?,?,?,010017A0,?,00000000,?,?,0100561B,?,?,00000000), ref: 010016E6
        • GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 010016FA
        • AllocateAndInitializeSid.ADVAPI32(010017A0,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01001726
        • FreeSid.ADVAPI32(?), ref: 0100173A
        • FreeLibrary.KERNEL32(?,?,?,?,010017A0,?,00000000,?,?,0100561B,?,?,00000000), ref: 01001743
        Strings
        • Microsoft Visual C++ 2005 Redistributable (x86), xrefs: 010016C4
        • advapi32.dll, xrefs: 010016C8
        • CheckTokenMembership, xrefs: 010016F4
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: FreeLibrary$AddressAllocateInitializeLoadProc
        • String ID: CheckTokenMembership$Microsoft Visual C++ 2005 Redistributable (x86)$advapi32.dll
        • API String ID: 4204503880-1275862661
        • Opcode ID: 80048a897bbb716bc6edda70627e0e87ab6d0b634674ff9098072ab894aeef90
        • Instruction ID: 7f32255cd53d54b6266d59a01a2c9f788efc2b6a55c7d064e1075484334130e5
        • Opcode Fuzzy Hash: 80048a897bbb716bc6edda70627e0e87ab6d0b634674ff9098072ab894aeef90
        • Instruction Fuzzy Hash: 63116072A00289AFDB12DFE9D888ADEBFB9FB14340F444059F285E3181C7759A00CB65
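The records above are raw per-function API sequences, and four of them carry the behaviour an analyst reads first: the SeShutdownPrivilege token adjustment (ref 01001A1A), the RunOnce value wextract_cleanup0 that points at advpack.dll,DelNodeRunDLL32 (ref 01001DEF), the SID built from sub-authorities 00000020/00000220 (refs 01001829 and 01001726), and CheckTokenMembership resolved at runtime through LoadLibraryA/GetProcAddress (ref 010016FA). The Python below is an added triage example, not part of the Joe Sandbox report or of the analysed sample: it parses records in exactly this layout and flags those four patterns. The embedded sample input is copied, abridged, from the records on this page; the rule names are mine, and the SID reading assumes the authority argument (shown as ? or a stack address by the plugin) is SECURITY_NT_AUTHORITY, which is what the 0x20/0x220 pair conventionally means.

```python
"""Triage of Joe Sandbox per-function API records (added example, not report output)."""
import re
from dataclasses import dataclass, field

# One bullet of an "APIs" list: "Name.MODULE(args), ref: X", the argument-less
# form "Name.MODULE ref: X", and the indented "Part of subcall function X:" lines.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)?\s*ref: (?P<ref>[0-9A-F]+)$"
)
# Arguments the plugin could not resolve ("?") or printed as raw 32-bit hex.
OPAQUE_RE = re.compile(r"^(\?|-?[0-9A-Fa-f]{8})$")

# Constructed sample: three records copied (abridged) from the report above.
SAMPLE = r"""
APIs
• GetCurrentProcess.KERNEL32(00000028,?,00000000,?,?,0100644F), ref: 010019D2
• OpenProcessToken.ADVAPI32(00000000,?,0100644F), ref: 010019D9
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 010019FB
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000), ref: 01001A1A
Similarity
• String ID: SeShutdownPrivilege
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000000), ref: 01001D2D
• RegQueryValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000000,?,?,74DEF530), ref: 01001D62
• wsprintfA.USER32 ref: 01001DC6
• RegSetValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000001,?,00000001), ref: 01001DEF
  • Part of subcall function 010066CF: lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9
• RegCloseKey.ADVAPI32(?), ref: 01001DFC
Similarity
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,Microsoft Visual C++ 2005 Redistributable (x86),00000000,?), ref: 010016E6
• GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 010016FA
• AllocateAndInitializeSid.ADVAPI32(010017A0,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01001726
• FreeSid.ADVAPI32(?), ref: 0100173A
"""


@dataclass
class Call:
    name: str
    module: str
    args: list[str]
    ref: str


@dataclass
class Record:
    calls: list[Call] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)

    def has(self, *names: str) -> bool:
        present = {c.name for c in self.calls}
        return all(n in present for n in names)

    def args_of(self, name: str) -> list[str]:
        return [a for c in self.calls if c.name == name for a in c.args]


def parse_records(text: str) -> list[Record]:
    """Split the report text at each 'APIs' heading and parse the bullets under it."""
    records: list[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            records.append(Record())
            continue
        if not records:
            continue
        if m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            records[-1].calls.append(Call(m["name"], m["module"], args, m["ref"]))
        elif line.startswith("• String ID:"):
            # Joe Sandbox joins the strings referenced by a function with "$".
            records[-1].strings = [s for s in line.split(":", 1)[1].strip().split("$") if s]
    return records


def triage(text: str) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for the call patterns worth a first look."""
    findings: list[tuple[str, str]] = []
    for rec in parse_records(text):
        texts = rec.strings + [a for c in rec.calls for a in c.args]
        if rec.has("OpenProcessToken", "AdjustTokenPrivileges"):
            privs = [a for a in rec.args_of("LookupPrivilegeValueA") if a.startswith("Se")]
            findings.append(("token_privilege_adjust", ",".join(privs) or "unknown privilege"))
        if rec.has("RegSetValueExA") and any(re.search(r"\\Run(Once)?$", t) for t in texts):
            names = [a for a in rec.args_of("RegSetValueExA") if not OPAQUE_RE.match(a)]
            findings.append(("run_key_write", names[0] if names else "unknown value"))
        if rec.has("LoadLibraryA", "GetProcAddress"):
            libs = [a for a in rec.args_of("LoadLibraryA") if a.lower().endswith(".dll")]
            procs = [a for a in rec.args_of("GetProcAddress") if not OPAQUE_RE.match(a)]
            findings.append(("dynamic_api_resolution", f"{','.join(libs)} -> {','.join(procs)}"))
        sid = rec.args_of("AllocateAndInitializeSid")
        if "00000020" in sid and "00000220" in sid:
            # 0x20 = SECURITY_BUILTIN_DOMAIN_RID, 0x220 = DOMAIN_ALIAS_RID_ADMINS; assumes the
            # unresolved authority argument is SECURITY_NT_AUTHORITY, giving S-1-5-32-544.
            findings.append(("builtin_admins_sid", "S-1-5-32-544 (BUILTIN\\Administrators)"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE):
        print(f"{rule:24} {detail}")
```

Run as-is it prints the four findings for the embedded sample; point it at a saved copy of this report section to cover every record. Read the output as a starting point, not a verdict: the IXP000.TMP directory, the wextract_cleanup0 value and the rundll32 advpack.dll,DelNodeRunDLL32 command are how the wextract self-extractor stub schedules deletion of its own temp directory at next logon, so a RunOnce write in this context is self-cleanup rather than persistence, and the GetTokenInformation/EqualSid sequence at ref 0100180C is consistent with the fallback taken when CheckTokenMembership cannot be resolved.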
        APIs
        • FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E6B
        • SizeofResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E6F
        • FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E8B
        • LoadResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E8F
        • LockResource.KERNEL32(00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E96
        • FreeResource.KERNEL32(00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002EBA
        Strings
        • Microsoft Visual C++ 2005 Redistributable (x86), xrefs: 01002E5B
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Resource$Find$FreeLoadLockSizeof
        • String ID: Microsoft Visual C++ 2005 Redistributable (x86)
        • API String ID: 468261009-813803255
        • Opcode ID: 7090d6fbcbd5b277e53ff8aa31aa3d5f4a0baf2b3be01dcc482b1e99473e37a0
        • Instruction ID: c58e523c2e5cc4a020a6dc9083853665ab900ca59998c1429a4b95f367ba78fb
        • Opcode Fuzzy Hash: 7090d6fbcbd5b277e53ff8aa31aa3d5f4a0baf2b3be01dcc482b1e99473e37a0
        • Instruction Fuzzy Hash: 8F01F231300188BBEB239BA5EC88C7F7BAAEBC5761F144019FA85C3280C6768C01DB61
        APIs
        • EndDialog.USER32(?,?), ref: 01003E65
        • GetDesktopWindow.USER32 ref: 01003E6F
        • SetWindowTextA.USER32(?,Microsoft Visual C++ 2005 Redistributable (x86)), ref: 01003E85
        • SetDlgItemTextA.USER32(?,00000838), ref: 01003E97
        • SetForegroundWindow.USER32(?), ref: 01003E9E
        • EndDialog.USER32(?,00000002), ref: 01003EAB
        Strings
        • Microsoft Visual C++ 2005 Redistributable (x86), xrefs: 01003E7F
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Window$DialogText$DesktopForegroundItem
        • String ID: Microsoft Visual C++ 2005 Redistributable (x86)
        • API String ID: 852535152-813803255
        • Opcode ID: c58225de05bf9ddd7557f29e4dd6395625a24e078d1bf0613a1e21eb476cea98
        • Instruction ID: bbd0fe0418d4f9b27c80c161e9fa2716d7c3f6b950bf98ca077586a846113f40
        • Opcode Fuzzy Hash: c58225de05bf9ddd7557f29e4dd6395625a24e078d1bf0613a1e21eb476cea98
        • Instruction Fuzzy Hash: FF01BC31500195AFEB635BA8D808DAE7AA8FB09751F008610FAC2DA1C5CB79CE51CB90
        APIs
        • lstrlenA.KERNEL32(00000104,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F0D
        • lstrlenA.KERNEL32(?,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F14
        • lstrcpyA.KERNEL32(?,00000104,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F2A
        • lstrlenA.KERNEL32(?,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F31
        • lstrlenA.KERNEL32(?,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F3B
        • lstrlenA.KERNEL32(?,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F45
        • lstrlenA.KERNEL32(?,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F4C
        • lstrcatA.KERNEL32(?,?,?,?,?,0100511C,?,00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 01002F57
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: lstrlen$lstrcatlstrcpy
        • String ID:
        • API String ID: 2414487701-0
        • Opcode ID: bec1684d548f7f7a66b2a209a78056a6def03e0851b026678931160fd0f5e77e
        • Instruction ID: 3391c5307bafe4b116acb0d74c5fe46b65c44dc66db5e5de76f5420f3b77b05f
        • Opcode Fuzzy Hash: bec1684d548f7f7a66b2a209a78056a6def03e0851b026678931160fd0f5e77e
        • Instruction Fuzzy Hash: BB01A73150829ABEE7139F65DC0CE7F3FE99F85294F044079F58482051CB75D4159BA1
        APIs
        • GetWindowRect.USER32(?,?), ref: 01002D9B
        • GetWindowRect.USER32(?,?), ref: 01002DB0
        • GetDC.USER32(?), ref: 01002DC4
        • GetDeviceCaps.GDI32(00000000,00000008), ref: 01002DD0
        • GetDeviceCaps.GDI32(?,0000000A), ref: 01002DDE
        • ReleaseDC.USER32(?,?), ref: 01002DED
        • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005), ref: 01002E43
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Window$CapsDeviceRect$Release
        • String ID:
        • API String ID: 2212493051-0
        • Opcode ID: e87303e51a87c1f3fcc5427d586fd06ff29c73153c48b8601ce90fe903ab1556
        • Instruction ID: 967cba225b93383e2e60847015f29d3632c184523d341bb7e68964bb8c44351d
        • Opcode Fuzzy Hash: e87303e51a87c1f3fcc5427d586fd06ff29c73153c48b8601ce90fe903ab1556
        • Instruction Fuzzy Hash: 6C215932A0010AAFDF12CFBDCD889EEBBBAEB88300F008125F945E7254D675ED058B50
        APIs
        • GetVersionExA.KERNEL32(?), ref: 010068FC
        • GetSystemMetrics.USER32(0000004A), ref: 01006933
        • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 01006959
        • RegQueryValueExA.ADVAPI32(?,01001271,00000000,?,?,0000000C,?), ref: 01006983
        • RegCloseKey.ADVAPI32(?), ref: 01006991
          • Part of subcall function 0100678F: CharNextA.USER32(010069AC,00000000,?,010069AC,?,00000000), ref: 010067CC
        Strings
        • Control Panel\Desktop\ResourceLocale, xrefs: 0100694F
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
        • String ID: Control Panel\Desktop\ResourceLocale
        • API String ID: 3346862599-1109908249
        • Opcode ID: cfd22d1cb8363d992addf5a965baf5ad3a7f3b3c896125044328321e3dcf038f
        • Instruction ID: 5c6acbc3d5fc57845e32ec3dff29f7de8e8621ecf2eb8ce39a92ab546f5c8395
        • Opcode Fuzzy Hash: cfd22d1cb8363d992addf5a965baf5ad3a7f3b3c896125044328321e3dcf038f
        • Instruction Fuzzy Hash: 34215E75A00328EFFF72CB54D948BDA77BDBB05315F0040EAE588A5085DB768A94CF12
        APIs
        • GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000), ref: 01001E77
          • Part of subcall function 010066CF: lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9
        • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 01001E9D
        • _lopen.KERNEL32(?,00000040), ref: 01001EAC
        • _llseek.KERNEL32(00000000,00000000,00000002), ref: 01001EBD
        • _lclose.KERNEL32(00000000), ref: 01001EC6
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopenlstrlen
        • String ID: wininit.ini
        • API String ID: 979776028-4206010578
        • Opcode ID: 37f4b3d508ecab28613d6a97bb6e1095e4a2a3c7db2d8278c91ef0a9ab821e8d
        • Instruction ID: 18cd7f1609499ba71430b944770d53967596a73aa7aa202a5c8f43e0c2a69e76
        • Opcode Fuzzy Hash: 37f4b3d508ecab28613d6a97bb6e1095e4a2a3c7db2d8278c91ef0a9ab821e8d
        • Instruction Fuzzy Hash: 9701D476A00154ABE721EB65DC4CEDF3BBC9F85310F040065F6C4E31C0DAB8DA858B60
        APIs
          • Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E6B
          • Part of subcall function 01002E55: SizeofResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E6F
          • Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E8B
          • Part of subcall function 01002E55: LoadResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E8F
          • Part of subcall function 01002E55: LockResource.KERNEL32(00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E96
        • LocalAlloc.KERNEL32(00000040,00000001,FINISHMSG,00000000,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,01006365), ref: 01004E05
        • LocalFree.KERNEL32(?,?,?,01006365), ref: 01004E63
          • Part of subcall function 01003EBE: MessageBoxA.USER32(?,?,Microsoft Visual C++ 2005 Redistributable (x86),00000000), ref: 01003F5B
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Resource$FindLocal$AllocFreeLoadLockMessageSizeof
        • String ID: <None>$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$FINISHMSG
        • API String ID: 1166655539-734647609
        • Opcode ID: 945af8c2f13a4e2e23c29a060e4326b8cf96b2cec21a05c610d2a029f1db482c
        • Instruction ID: b86749c0676bc5709347cbb2394c06ae2176a12615ce74ff3a29be4193e97ba7
        • Opcode Fuzzy Hash: 945af8c2f13a4e2e23c29a060e4326b8cf96b2cec21a05c610d2a029f1db482c
        • Instruction Fuzzy Hash: 4E01BC712402C4BAF7236A539D49FAFBE7DDBC2F44F000059B780E50C1D6B58D009278
        APIs
        • LocalAlloc.KERNEL32(00000040,00000008,?,00000000,?,?,01005168,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 010040B1
        • lstrlenA.KERNEL32(01005168,?,00000000,?,?,01005168,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 010040D5
        • LocalAlloc.KERNEL32(00000040,00000001,?,00000000,?,?,01005168,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 010040DF
        • LocalFree.KERNEL32(00000000,000004B5,00000000,00000000,00000010,00000000,?,00000000,?,?,01005168,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 010040FD
          • Part of subcall function 01003EBE: MessageBoxA.USER32(?,?,Microsoft Visual C++ 2005 Redistributable (x86),00000000), ref: 01003F5B
        • lstrcpyA.KERNEL32(00000000,01005168,?,00000000,?,?,01005168,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 0100410B
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Local$Alloc$FreeMessagelstrcpylstrlen
        • String ID: 86O
        • API String ID: 3247521446-3125190734
        • Opcode ID: c08762a5925630561dce2ba68a971d21afc39e1fb6e013559b2dd62ac13e195b
        • Instruction ID: 484c8a38b1ca8798ae1f4b11a91829ed48787486965810eb3b8ebf67eea7932b
        • Opcode Fuzzy Hash: c08762a5925630561dce2ba68a971d21afc39e1fb6e013559b2dd62ac13e195b
        • Instruction Fuzzy Hash: 860188B52402087FF3239F65AC85FABBA5DE754794F008025F7C5D60C4D7B69C504764
        APIs
        • GetVersionExA.KERNEL32(?,00000001,Microsoft Visual C++ 2005 Redistributable (x86)), ref: 010048C3
        • MessageBeep.USER32(00000000), ref: 01004AE5
        • MessageBoxA.USER32(00000000,?,Microsoft Visual C++ 2005 Redistributable (x86),?), ref: 01004B67
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Message$BeepVersion
        • String ID: 3$Microsoft Visual C++ 2005 Redistributable (x86)
        • API String ID: 2519184315-2463836465
        • Opcode ID: bbac37c54156140ae347d57a3b35535c524f278f106985dda0b5bbdecba9b7f6
        • Instruction ID: f0403928f5bfd85afffa019898604f23ae46fd7ae9a1f1be602ae879ebbcfb00
        • Opcode Fuzzy Hash: bbac37c54156140ae347d57a3b35535c524f278f106985dda0b5bbdecba9b7f6
        • Instruction Fuzzy Hash: D881AB70A016159EFB739F18C944BEABBF5FF89304F0440E9D6C9D6294E7B19A90CB09
        APIs
        • lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 01003C2C
          • Part of subcall function 010066CF: lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9
        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000104,?), ref: 01003C5A
        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 01003C86
        • CloseHandle.KERNEL32(00000000), ref: 01003CAC
        Strings
        • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01003C0E
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: File$CloseCreateHandleWritelstrcpylstrlen
        • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
        • API String ID: 3630773104-305352358
        • Opcode ID: 71a52d343370c3aad0e8bea5e8c7a1ee89124c22f7d04e4a93e1b4e400077d81
        • Instruction ID: ed493f8371116e651799eec5aa4685a96e44dd350d2c3c94e76b10785d47f5b1
        • Opcode Fuzzy Hash: 71a52d343370c3aad0e8bea5e8c7a1ee89124c22f7d04e4a93e1b4e400077d81
        • Instruction Fuzzy Hash: 7D216F75900118ABD722CF56DC88EDA7BB8EB49320F004595F6C9D7180C7B99AC4CFA0
        APIs
        • lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,74DEF530), ref: 01003CEF
          • Part of subcall function 010066CF: lstrlenA.KERNEL32(00000104,0000002F,?,01003991,0100C89A,00000104,01001271), ref: 010066D9
        • GetFileAttributesA.KERNEL32(?,?,00000104,?), ref: 01003D0E
        • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 01003D28
        • LoadLibraryA.KERNEL32(?), ref: 01003D31
        Strings
        • C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 01003CE3
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: LibraryLoad$AttributesFilelstrcpylstrlen
        • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
        • API String ID: 2749481120-305352358
        • Opcode ID: efb49a3551e82d2aca852d6b8404bb15e5416ed9f694a26cd63d4ca69129f5e9
        • Instruction ID: f105a43693de67f3e081fcb7c5b90bd09891202ca5bc0fd204553d5dc91105a1
        • Opcode Fuzzy Hash: efb49a3551e82d2aca852d6b8404bb15e5416ed9f694a26cd63d4ca69129f5e9
        • Instruction Fuzzy Hash: B6F0A435904118ABEB22EBA4D808FDD377CAB14310F404481F6C5E71C0DFB8EA848B50
        APIs
          • Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E6B
          • Part of subcall function 01002E55: SizeofResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E6F
          • Part of subcall function 01002E55: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002E8B
          • Part of subcall function 01002E55: LoadResource.KERNEL32(00000000,00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E8F
          • Part of subcall function 01002E55: LockResource.KERNEL32(00000000,?,0100546E,TITLE,Microsoft Visual C++ 2005 Redistributable (x86),0000007F,?,00000000), ref: 01002E96
        • FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 0100331B
        • LoadResource.KERNEL32(00000000,00000000), ref: 01003324
        • LockResource.KERNEL32(00000000), ref: 0100332B
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Resource$Find$LoadLock$Sizeof
        • String ID: CABINET$T!(
        • API String ID: 1933721802-3894325047
        • Opcode ID: 1692d02a55cbc160416827321246fe4b7eec14d249b88bc8613a2a7260353126
        • Instruction ID: cc1630d2f2e1415729ed085009dd32ef9f31af51343d2801e4429469f1343b9d
        • Opcode Fuzzy Hash: 1692d02a55cbc160416827321246fe4b7eec14d249b88bc8613a2a7260353126
        • Instruction Fuzzy Hash: 89E08675B417506BF33267B16C1DF873E5C9B05711F040015F386DA1C4C6F98400C751
        APIs
        • EndDialog.USER32(?,0000083E), ref: 010018DB
        • GetDesktopWindow.USER32 ref: 010018E3
        • LoadStringA.USER32(?,?,00000200,?), ref: 0100190C
        • SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 0100191F
        • MessageBeep.USER32(000000FF), ref: 01001927
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
        • String ID:
        • API String ID: 1273765764-0
        • Opcode ID: 1fe746244ab481732cb78edc130a925beaacb107ba713200566c6f0ccbcc287c
        • Instruction ID: 55a0027b7669814cd1c96741612cb7e7f9a1a0a3dd5ed6c48cccf5beb83447b2
        • Opcode Fuzzy Hash: 1fe746244ab481732cb78edc130a925beaacb107ba713200566c6f0ccbcc287c
        • Instruction Fuzzy Hash: 8101217150025AEFEB23EF64D908AEE3BA8FB08311F044150F6A5D21C5CB79DB60CBA5
        APIs
        • lstrlenA.KERNEL32(0100262A,?,00000000,74DF0440,?,?,0100262A), ref: 01006677
        • CharPrevA.USER32(0100262A,00000000,?,?,0100262A), ref: 01006687
        • CharPrevA.USER32(0100262A,00000000,?,?,0100262A), ref: 01006693
        • CharPrevA.USER32(0100262A,00000000,?,?,0100262A), ref: 010066A6
        • CharNextA.USER32(00000000,?,?,0100262A), ref: 010066AE
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Char$Prev$Nextlstrlen
        • String ID:
        • API String ID: 295585802-0
        • Opcode ID: 915a4317a53b45c8286c77a7661bcefff6abe53e7f04113f2cfc660fb61b7cd7
        • Instruction ID: e6858c63049694c3117230d93b982ded723c412c4e62408bc78f3259928df5ea
        • Opcode Fuzzy Hash: 915a4317a53b45c8286c77a7661bcefff6abe53e7f04113f2cfc660fb61b7cd7
        • Instruction Fuzzy Hash: E8F0D1B2900284BFF7228B69CC88F5F7FEDDB893A4F140095E58193182C77A99108B75
        APIs
        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 01002CB7
        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 01002CC9
        • DispatchMessageA.USER32(?), ref: 01002CDE
        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 01002CEC
        Memory Dump Source
        • Source File: 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 01000000, based on PE: true
        • Associated: 00000004.00000002.1981285664.0000000001000000.00000002.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981324868.000000000100B000.00000004.00000001.01000000.0000000A.sdmp
        • Associated: 00000004.00000002.1981345041.000000000100D000.00000002.00000001.01000000.0000000A.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_1000000_vcredist_x86_vs2005_en.jbxd
        Similarity
        • API ID: Message$Peek$DispatchMultipleObjectsWait
        • String ID:
        • API String ID: 2776232527-0
        • Opcode ID: ecb5dbb63d15ec62f86b3f7d67ae0d9b5a0ddad4c8e295c16c05b27f8062ba49
        • Instruction ID: 39c073168b69b8e79244012e034678836bc036e0dc16367505055d994280760c
        • Opcode Fuzzy Hash: ecb5dbb63d15ec62f86b3f7d67ae0d9b5a0ddad4c8e295c16c05b27f8062ba49
        • Instruction Fuzzy Hash: 2301447290011DBAAF318BDA9D48DEF7AFCEAC5754F14016AFA51E2084D535D905C770

        Control-flow Graph
        • Rendered graph not recoverable from the page (executed / not executed colouring lost). Recoverable structure: entry block 00A82B14-00A82BFE (six _memset calls, then InitializeSecurityDescriptor), a chain of five CreateWellKnownSid blocks each followed by a GetLastError error path, then SetEntriesInAclA, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl and CoInitializeSecurity, with LocalFree on the way to the common exit block 00A82F83-00A82F93.
        APIs
        • _memset.LIBCMT ref: 00A82B54
        • _memset.LIBCMT ref: 00A82B77
        • _memset.LIBCMT ref: 00A82B91
        • _memset.LIBCMT ref: 00A82BAB
        • _memset.LIBCMT ref: 00A82BC5
        • _memset.LIBCMT ref: 00A82BDF
        • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00A82BF6
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A82C00
        • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00A82C47
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A82C4D
        • CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00A82C8E
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A82C94
        • CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 00A82CD5
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A82CDB
        • CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 00A82D1C
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A82D22
        • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 00A82D63
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A82D69
        • SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 00A82E5B
        • SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 00A82E96
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A82EA0
        • SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 00A82ED6
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A82EE0
        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A82F17
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A82F21
        • CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 00A82F67
        • LocalFree.KERNEL32(?), ref: 00A82F7D
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$_memset$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
        • String ID: srputil.cpp
        • API String ID: 3642641498-4105181634
        • Opcode ID: e3b888615d0925fa71913120871a97acefd39673ca1c3f93840e168eb1d2e18a
        • Instruction ID: 678e07b6209ebfe03670c786028abbd2d77c4407cf76a9a3f0e89c7cdbc1c60c
        • Opcode Fuzzy Hash: e3b888615d0925fa71913120871a97acefd39673ca1c3f93840e168eb1d2e18a
        • Instruction Fuzzy Hash: 25D163B2D40229AEDB20DF95CD85BEEBABCBB18300F1445BAE609F7150D7754E448F91

        Control-flow Graph
        • Rendered graph not recoverable from the page (executed / not executed colouring lost). Recoverable structure: entry block 00A866A3-00A86748 (two _memset calls, then GetFileAttributesW), an attribute-reset path via SetFileAttributesW, a GetTempPathW / FindFirstFileW / FindNextFileW enumeration loop whose per-entry path either recurses into this same function (block 00A8690D-00A8691B calls 00A866A3) or runs SetFileAttributesW, DeleteFileW and, on failure, GetTempFileNameW plus MoveFileExW (rename, then delete-on-reboot), a RemoveDirectoryW block with a MoveFileExW fallback, a FindClose block, and the common exit block 00A86B03-00A86B13. Every API failure edge leads through GetLastError.
        APIs
        • _memset.LIBCMT ref: 00A86718
        • _memset.LIBCMT ref: 00A86726
        • GetFileAttributesW.KERNELBASE(?,?,?,?,00000000,?,00000000), ref: 00A8672F
        • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00A8674A
        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000000,?,00000000), ref: 00A8679C
        • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00A867A6
        • GetTempPathW.KERNEL32(00000104,?,?,?,?,00000000,?,00000000), ref: 00A867F1
        • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00A867FB
        • FindFirstFileW.KERNELBASE(?,?,?,*.*,?,?,?,?,00000000,?,00000000), ref: 00A8684D
        • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00A8685E
        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000000,?,00000000), ref: 00A86940
        • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000000,?,00000000), ref: 00A86954
        • GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000000,?,00000000), ref: 00A8697E
        • MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000000,?,00000000), ref: 00A869A1
        • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000000,?,00000000), ref: 00A869BA
        • FindNextFileW.KERNELBASE(000000FF,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00A869C9
        • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00A869DD
        • RemoveDirectoryW.KERNELBASE(?,?,?,?,00000000,?,00000000), ref: 00A869F0
        • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00A869FE
        • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000000,?,00000000), ref: 00A86A29
        • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00A86A52
        • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00A86A73
        • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00A86A94
        • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00A86AB5
        • FindClose.KERNEL32(000000FF,?,?,?,00000000,?,00000000), ref: 00A86AE9
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFileLast$AttributesFindMove$Temp_memset$CloseDeleteDirectoryFirstNameNextPathRemove
        • String ID: *.*$DEL$dirutil.cpp
        • API String ID: 4152325254-1252831301
        • Opcode ID: 124978a8badfd97dce8ab4c2bbc50728b28214ce23b7358d9e4eea6af12aab8c
        • Instruction ID: 6ecf600ec19a83eb0c15951bc7b6ce36e5746ceb2a32ba74b2d7d1ad581d363f
        • Opcode Fuzzy Hash: 124978a8badfd97dce8ab4c2bbc50728b28214ce23b7358d9e4eea6af12aab8c
        • Instruction Fuzzy Hash: 54B1F972A00225ABFB31BB34CC09FAAB6B6AFD0754F1445A5E519E7190EB32CD91CF50
        APIs
        • _memset.LIBCMT ref: 00A873CF
        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000000,F0000040,00000000,?,00000000,00000000,?,?,00A695E8,00000000,?,?,00000000), ref: 00A873F4
        • GetLastError.KERNEL32(?,?,00A695E8,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 00A873FE
        • CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?,?,?,00A695E8,00000000,?,?,00000000,?,?,00000000,00000000), ref: 00A8743A
        • GetLastError.KERNEL32(?,?,00A695E8,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 00A87444
        • CryptHashData.ADVAPI32(?,?,?,00000000,?,?,00A695E8,00000000,?,?,00000000,?,?,00000000,00000000,?), ref: 00A87495
        • ReadFile.KERNELBASE(?,?,00001000,?,00000000,?,?,00A695E8,00000000,?,?,00000000,?,?,00000000,00000000), ref: 00A874BA
        • GetLastError.KERNEL32(?,?,00A695E8,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 00A874C0
        • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,?,00A695E8,00000000,?,?,00000000,?,?,00000000,00000000), ref: 00A874FC
        • GetLastError.KERNEL32(?,?,00A695E8,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 00A87506
        • SetFilePointerEx.KERNELBASE(?,?,?,?,00000001,?,?,00A695E8,00000000,?,?,00000000,?,?,00000000,00000000), ref: 00A8754F
        • GetLastError.KERNEL32(?,?,00A695E8,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 00A87559
        • GetLastError.KERNEL32(?,?,00A695E8,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 00A87580
        • CryptDestroyHash.ADVAPI32(?,?,?,00A695E8,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 00A875BF
        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00A695E8,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000), ref: 00A875D4
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease_memset
        • String ID: cryputil.cpp
        • API String ID: 961722652-2185294990
        • Opcode ID: 01777913169ed485ae59cff91726d99b9a6082106ffa7beb22facc42ad6bab15
        • Instruction ID: 071e22e8ff53eda6761305899b79a08eaca765eb874e5c282fcf2837a3435b72
        • Opcode Fuzzy Hash: 01777913169ed485ae59cff91726d99b9a6082106ffa7beb22facc42ad6bab15
        • Instruction Fuzzy Hash: 1551F971A04256ABEB31AF64CC44BEEBBB9BF18700F2040B5B649E1050E7B9CEC49F51
        APIs
        • _memset.LIBCMT ref: 00A68C21
        • FindFirstFileW.KERNEL32(?,?,?,*.*,?,?,.unverified,?,?,?), ref: 00A68C9A
        • lstrlenW.KERNEL32(?,?,?), ref: 00A68CC1
        • FindNextFileW.KERNEL32(00000000,00000010,?,?), ref: 00A68D23
        • FindClose.KERNEL32(00000000,?,?), ref: 00A68D32
          • Part of subcall function 00A866A3: _memset.LIBCMT ref: 00A86718
          • Part of subcall function 00A866A3: _memset.LIBCMT ref: 00A86726
          • Part of subcall function 00A866A3: GetFileAttributesW.KERNELBASE(?,?,?,?,00000000,?,00000000), ref: 00A8672F
          • Part of subcall function 00A866A3: GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00A8674A
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: FileFind_memset$AttributesCloseErrorFirstLastNextlstrlen
        • String ID: *.*$.unverified
        • API String ID: 2873512992-2528915496
        • Opcode ID: ff6e6db43b0de6344b4f39189a7cf78d6e48079c3d77356bc10edd4c8d69d469
        • Instruction ID: ad8e9e70224ceabe29d0152ad07db0075abc28e25cf7f8577eb9e413b08add54
        • Opcode Fuzzy Hash: ff6e6db43b0de6344b4f39189a7cf78d6e48079c3d77356bc10edd4c8d69d469
        • Instruction Fuzzy Hash: 7C41923190066CAEDF20AFA4DD49BEE77B8AF54305F5002E6E508E1090EB749E858F24
        APIs
        • EnterCriticalSection.KERNEL32(00AA5D9C,00000000,00000000,00000000), ref: 00A7F1CB
        • GetCurrentProcessId.KERNEL32 ref: 00A7F1DA
        • GetCurrentThreadId.KERNEL32 ref: 00A7F1E3
        • GetLocalTime.KERNEL32(?), ref: 00A7F1F9
        • LeaveCriticalSection.KERNEL32(00AA5D9C,?,?,00000000,0000FDE9), ref: 00A7F2F3
        Strings
        • %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 00A7F298
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
        • String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
        • API String ID: 296830338-59366893
        • Opcode ID: e49899083263b4041fa2677fc101a44611d2d8421751427d3bfcd5d0b953348d
        • Instruction ID: 8f7c9836eaf27b846863d606241650040d75b9eda8d39d732e8ca4a542eab4f4
        • Opcode Fuzzy Hash: e49899083263b4041fa2677fc101a44611d2d8421751427d3bfcd5d0b953348d
        • Instruction Fuzzy Hash: 48415F76E0060AAFDF10DFE4DC889FE77B9AB49311B11803AF915A6191D7348E42DBA1
        APIs
        • _memset.LIBCMT ref: 00A8573B
        • FindFirstFileW.KERNELBASE(00000000,?,00000000,?,80070002), ref: 00A8574B
        • FindClose.KERNEL32(00000000), ref: 00A85757
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Find$CloseFileFirst_memset
        • String ID:
        • API String ID: 3141757445-0
        • Opcode ID: 565ed300c0deec6a40c711f6b9ba08089f6293294e8f29e49ac4290655c342af
        • Instruction ID: 0bc85e7b3d2d880784da05498104a9c49699b3b52f98f2fff8dd4882b9d325d5
        • Opcode Fuzzy Hash: 565ed300c0deec6a40c711f6b9ba08089f6293294e8f29e49ac4290655c342af
        • Instruction Fuzzy Hash: D801F972A00608AFD710EFF8AD899BEF3ACEF44719F004566F909D3180D774AD498B90
        APIs
        • GetProcessHeap.KERNEL32(?,?,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000), ref: 00A8234C
        • RtlAllocateHeap.NTDLL(00000000,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000,00000000), ref: 00A82353
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Heap$AllocateProcess
        • String ID:
        • API String ID: 1357844191-0
        • Opcode ID: e08ad35fe3918439fdf037aaa758a4fb3f995541d4bca9c9e0bff27d162da266
        • Instruction ID: b8fd8405c57e5b775b435531a7410609d37f60477ef834539e516fdaab1977c1
        • Opcode Fuzzy Hash: e08ad35fe3918439fdf037aaa758a4fb3f995541d4bca9c9e0bff27d162da266
        • Instruction Fuzzy Hash: 4AC012321A0209A78B009FF4DC09CC9379CE7246127008501B505C2020D639E0508761

        Control-flow Graph (rendered graph omitted; function entry block a56217-a56249)
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: StringVariant$AllocClearFreeInit
        • String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
        • API String ID: 760788290-2956246334
        • Opcode ID: d07db818ecfc350aaf9f70d62b1ac40fd8c7d423b44cd70cf3c707b720faaa6c
        • Instruction ID: 08be7523929f607b7e68c60dbd167a947d774d6915d7dc2205ce990c624faec8
        • Opcode Fuzzy Hash: d07db818ecfc350aaf9f70d62b1ac40fd8c7d423b44cd70cf3c707b720faaa6c
        • Instruction Fuzzy Hash: 23D10B32A40B05BACB01FA64DD41EBE77B7BB94722FB10815FC16A32D1EB71D9499B00

        Control-flow Graph (rendered graph omitted; function entry block a5449e-a544cf)
        APIs
        • SysFreeString.OLEAUT32(?), ref: 00A545BF
        • SysFreeString.OLEAUT32(00000000), ref: 00A54C3A
          • Part of subcall function 00A8233B: GetProcessHeap.KERNEL32(?,?,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000), ref: 00A8234C
          • Part of subcall function 00A8233B: RtlAllocateHeap.NTDLL(00000000,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000,00000000), ref: 00A82353
        Strings
        • Failed to allocate memory for patch sequence information to package lookup., xrefs: 00A54ADE
        • Failed to parse payload references., xrefs: 00A54AA0
        • Failed to get @Permanent., xrefs: 00A54A26
        • PerMachine, xrefs: 00A5471D
        • package.cpp, xrefs: 00A54525, 00A5464D, 00A549CC, 00A54AD4
        • Failed to find backward transaction boundary: %ls, xrefs: 00A54A79
        • Permanent, xrefs: 00A54738
        • Failed to parse EXE package., xrefs: 00A5488E
        • Vital, xrefs: 00A54590, 00A5475E
        • Failed to parse MSP package., xrefs: 00A54A8C
        • Failed to select package nodes., xrefs: 00A545FE
        • Failed to allocate memory for MSP patch sequence information., xrefs: 00A549D6
        • Failed to get @RollbackBoundaryBackward., xrefs: 00A54A6C
        • RollbackLogPathVariable, xrefs: 00A5479C
        • Failed to get @RollbackLogPathVariable., xrefs: 00A54A44
        • MspPackage, xrefs: 00A548D0
        • CacheId, xrefs: 00A546CC
        • Failed to get rollback bundary node count., xrefs: 00A544EB
        • Failed to allocate memory for rollback boundary structs., xrefs: 00A5452F
        • Failed to allocate memory for package structs., xrefs: 00A54657
        • MsuPackage, xrefs: 00A54909
        • Failed to get @RollbackBoundaryForward., xrefs: 00A54A58
        • Failed to get package node count., xrefs: 00A5461B
        • Failed to get @LogPathVariable., xrefs: 00A54A3A
        • Failed to get @CacheId., xrefs: 00A549FE
        • Failed to find forward transaction boundary: %ls, xrefs: 00A54A65
        • RollbackBoundaryBackward, xrefs: 00A5481D
        • Failed to get @Cache., xrefs: 00A549F4
        • Failed to get next node., xrefs: 00A549E0
        • Failed to select rollback boundary nodes., xrefs: 00A544D1
        • InstallSize, xrefs: 00A54702
        • Cache, xrefs: 00A546B1
        • Failed to get @PerMachine., xrefs: 00A54A1C
        • Failed to parse target product codes., xrefs: 00A54C05
        • Failed to parse dependency providers., xrefs: 00A54AAA
        • Failed to parse MSU package., xrefs: 00A54A96
        • Failed to parse MSI package., xrefs: 00A548C4
        • RollbackBoundaryForward, xrefs: 00A547E2
        • Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage, xrefs: 00A545EB
        • Failed to get @InstallSize., xrefs: 00A54A12
        • ExePackage, xrefs: 00A5485C
        • Size, xrefs: 00A546E7
        • LogPathVariable, xrefs: 00A54779
        • Failed to get @Vital., xrefs: 00A54A30
        • InstallCondition, xrefs: 00A547BF
        • Failed to get @InstallCondition., xrefs: 00A54A4E
        • RollbackBoundary, xrefs: 00A544AC
        • Failed to get @Size., xrefs: 00A54A08
        • MsiPackage, xrefs: 00A5489A
        • Failed to get @Id., xrefs: 00A549EA
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: FreeHeapString$AllocateProcess
        • String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$package.cpp
        • API String ID: 336948655-3675780287
        • Opcode ID: 7755ff866a4be65691071ff0750ea0e77d2fa1c0e2a805677b3fbb17fd1effe8
        • Instruction ID: f5d6d82e5880c1e9ab47eedfcb504bc3eef019263cc78b965e5e728724cb65cd
        • Opcode Fuzzy Hash: 7755ff866a4be65691071ff0750ea0e77d2fa1c0e2a805677b3fbb17fd1effe8
        • Instruction Fuzzy Hash: 2022C471940205FFCB00EF54CD85EAE7BB6BB8872AF204529ED15AB291DB31D985DF20

        Control-flow Graph (rendered graph omitted; function entry block a5209f-a5213a)
        APIs
        • _memset.LIBCMT ref: 00A520E3
        • _memset.LIBCMT ref: 00A520F5
          • Part of subcall function 00A81A74: GetModuleFileNameW.KERNEL32(00A52136,?,00000104,?,00000104,?,00000000,?,?,00A52136,?,00000000,?,?,?,76EEC3F0), ref: 00A81A95
        • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000,?,?,?,76EEC3F0,?,00000000), ref: 00A52166
        • GetLastError.KERNEL32(?,?,?,76EEC3F0,?,00000000), ref: 00A52173
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: File_memset$CreateErrorLastModuleName
        • String ID: ($.wixburn$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get path to engine process.$Failed to get total size of bundle.$Failed to open handle to engine process path: %ls$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$section.cpp
        • API String ID: 3151910114-3305245485
        • Opcode ID: 5cf2fbd47e32fea891855eda039773c09407dffb6b2521e8e564daced198cfae
        • Instruction ID: 795948b4538aaae1226d16ebe836334b2a99459d1c4607ccd0781ed85f55a1e0
        • Opcode Fuzzy Hash: 5cf2fbd47e32fea891855eda039773c09407dffb6b2521e8e564daced198cfae
        • Instruction Fuzzy Hash: 3012F671A40626FBEB30AB64CD06FAA76B4BF15711F1001A5FD08FA190E7799D44CBE1
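
Editor's note on the routine above: the ".wixburn" marker, the section.cpp source name and the error strings describe the WiX Burn bootstrapper engine locating its own section inside the PE (DOS header, NT header, section table, then the section info with a version check, a signature offset and size, and a table of container sizes). The Python below is an added triage example, not code from the sample, from Joe Sandbox or from the WiX project: it walks a PE in the same order and decodes the Burn header so an analyst can confirm that a "Malware-gen" hit on a bootstrapper is a Burn bundle and read its bundle GUID and container sizes. The header field layout (magic 0x00f14300, version 2, bundle GUID, stub size, original checksum, original signature offset and size, container format and count) is taken from the WiX 3.x engine source and is an assumption on top of what the report's strings show; the minimal PE produced by build_sample_pe() is constructed here for the demonstration and is not the analysed sample.

```python
import struct
import uuid

BURN_SECTION_NAME = b".wixburn"      # section name seen in the report's strings
BURN_SECTION_MAGIC = 0x00F14300      # assumption: WiX 3.x BURN_SECTION_MAGIC
BURN_SECTION_VERSION = 0x00000002    # assumption: WiX 3.x BURN_SECTION_VERSION
# Burn section header as laid out in the WiX 3.x engine (assumption, see lead-in):
# magic, version, bundle GUID, stub size, original checksum, original signature
# offset and size, container format, container count; container sizes follow.
BURN_HEADER = struct.Struct("<II16sIIIIII")
# IMAGE_SECTION_HEADER prefix: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData; the remaining 16 bytes of the 40-byte header are not needed.
SECTION_HEADER = struct.Struct("<8sIIII")
SECTION_HEADER_SIZE = 40


def find_section(data, name):
    """DOS header -> NT header -> section table; returns (raw offset, raw size)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("Failed to find valid DOS image header in buffer.")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("Failed to find valid NT image header in buffer.")
    file_header = e_lfanew + 4
    if len(data) < file_header + 20:
        raise ValueError("Failed to read NT header.")
    number_of_sections = struct.unpack_from("<H", data, file_header + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", data, file_header + 16)[0]
    table = file_header + 20 + size_of_optional_header   # seek past optional header
    for index in range(number_of_sections):
        offset = table + index * SECTION_HEADER_SIZE
        if offset + SECTION_HEADER_SIZE > len(data):
            raise ValueError("Failed to read complete image section header, index: %u" % index)
        sec_name, _vsize, _va, raw_size, raw_ptr = SECTION_HEADER.unpack_from(data, offset)
        if sec_name.rstrip(b"\0") == name:
            if raw_ptr + raw_size > len(data):
                raise ValueError("Failed to read section info.")
            return raw_ptr, raw_size
    raise ValueError("Failed to find Burn section.")


def parse_burn_section(data):
    """Decode the Burn header; returns a dict or raises ValueError as the engine logs."""
    raw_ptr, raw_size = find_section(data, BURN_SECTION_NAME)
    if raw_size < BURN_HEADER.size:
        raise ValueError("Failed to read section info, data to short: %u" % raw_size)
    (magic, version, guid_le, stub_size, checksum, sig_offset, sig_size,
     container_format, container_count) = BURN_HEADER.unpack_from(data, raw_ptr)
    if magic != BURN_SECTION_MAGIC:
        raise ValueError("Failed to find Burn section.")
    if version != BURN_SECTION_VERSION:
        raise ValueError("Failed to read section info, unsupported version: %08x" % version)
    if raw_size < BURN_HEADER.size + 4 * container_count:
        raise ValueError("Failed to read complete section info.")
    sizes = list(struct.unpack_from("<%dI" % container_count, data, raw_ptr + BURN_HEADER.size))
    offsets, cursor = [], stub_size   # attached containers follow the stub (assumption)
    for size in sizes:
        offsets.append(cursor)
        cursor += size
    return {"bundle_id": str(uuid.UUID(bytes_le=guid_le)), "stub_size": stub_size,
            "original_checksum": checksum, "signature_offset": sig_offset,
            "signature_size": sig_size, "container_format": container_format,
            "container_sizes": sizes, "container_offsets": offsets,
            "expected_bundle_size": cursor}


def check_burn_bundle(data):
    """Triage wrapper: (True, info) for a Burn bundle, (False, reason) otherwise."""
    try:
        return True, parse_burn_section(data)
    except ValueError as exc:
        return False, str(exc)


def build_sample_pe(bundle_id, container_sizes):
    """Constructed minimal PE (no optional header, two sections) with a .wixburn section."""
    e_lfanew = 0x40
    table = e_lfanew + 4 + 20
    text = b"\xC3" * 0x10                       # placeholder .text contents
    text_ptr = table + 2 * SECTION_HEADER_SIZE
    burn_ptr = text_ptr + len(text)
    stub_size = burn_ptr + BURN_HEADER.size + 4 * len(container_sizes)
    burn = BURN_HEADER.pack(BURN_SECTION_MAGIC, BURN_SECTION_VERSION,
                            uuid.UUID(bundle_id).bytes_le, stub_size, 0, 0, 0,
                            1, len(container_sizes))
    burn += struct.pack("<%dI" % len(container_sizes), *container_sizes)

    def section(name, size, ptr):
        return SECTION_HEADER.pack(name.ljust(8, b"\0"), size, 0x1000, size, ptr) + b"\0" * 16

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    pe = (dos + b"PE\0\0" + file_header + section(b".text", len(text), text_ptr)
          + section(BURN_SECTION_NAME, len(burn), burn_ptr) + text + burn)
    assert len(pe) == stub_size
    return pe


if __name__ == "__main__":
    import sys
    blob = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_pe("5a1d4c6e-0c0e-4a3b-9f36-2e5f8d6b9a10", [0x20000, 0x1F0]))
    ok, result = check_burn_bundle(blob)
    print("Burn bundle:" if ok else "not a Burn bundle:", result)
```

Run the script with the submitted file as its argument; a missing section, a wrong magic or a version other than 2 produces the same failure text the engine logs ("Failed to find Burn section", "unsupported version"), and the returned container offsets tell the analyst where the attached cabinet(s) start for carving.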

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 562 a56c31-a56c66 call a61879 call a51566 567 a56c68-a56c7a call a697e3 562->567 568 a56c9b-a56cb3 call a836cb 562->568 572 a56c7f-a56c83 567->572 573 a56cb5-a56cc2 call a7fa86 568->573 574 a56cc7-a56ccc 568->574 572->568 575 a56c85-a56c96 call a7fa86 572->575 585 a57171-a57175 573->585 577 a570e6-a570ea 574->577 578 a56cd2-a56ce7 call a83b02 574->578 575->585 582 a57137-a5713b 577->582 583 a570ec-a570fb 577->583 593 a57126-a57135 call a7fa86 578->593 594 a56ced-a56d05 call a83bea 578->594 586 a57150-a57158 call a56893 582->586 587 a5713d-a5713e call a6f78a 582->587 583->582 589 a570fd 583->589 590 a57177-a5717a call a801e8 585->590 591 a5717f-a57183 585->591 606 a5715d-a57161 586->606 603 a57143-a57147 587->603 595 a570ff-a57101 589->595 596 a5710e 589->596 590->591 601 a57185-a57188 RegCloseKey 591->601 602 a5718e-a57193 591->602 612 a57170 593->612 594->593 616 a56d0b-a56d23 call a83bea 594->616 595->582 605 a57103-a57105 595->605 598 a57111-a5711b call a8362a 596->598 615 a57120-a57124 598->615 601->602 603->586 609 a57149-a5714e 603->609 605->598 611 a57107 605->611 606->612 613 a57163 606->613 614 a57168-a5716f call a7fa86 609->614 611->596 617 a57109-a5710c 611->617 612->585 613->614 614->612 615->582 615->593 616->593 622 a56d29-a56d41 call a83bea 616->622 617->596 617->598 622->593 625 a56d47-a56d5f call a83bea 622->625 625->593 628 a56d65-a56da1 call a83ba8 625->628 628->593 631 a56da7-a56dac 628->631 632 a56dc7-a56dcc 631->632 633 a56dae-a56db8 call a83b02 631->633 635 a56de7-a56e06 call a83ba8 632->635 636 a56dce-a56dd8 call a83b02 632->636 638 a56dbd-a56dc1 633->638 635->593 642 a56e0c-a56e29 call a83ba8 635->642 640 a56ddd-a56de1 636->640 638->593 638->632 640->593 640->635 642->593 645 a56e2f-a56e42 call a55b5a 642->645 648 a56e44 645->648 649 a56e47-a56e5a call a83b02 645->649 648->649 649->593 652 a56e60-a56e65 649->652 653 a56e67-a56e71 call a83b02 652->653 654 a56e80-a56e85 652->654 658 a56e76-a56e7a 653->658 656 
a56e87-a56e91 call a83b02 654->656 657 a56ea0-a56ea5 654->657 662 a56e96-a56e9a 656->662 660 a56ea7-a56eba call a83b02 657->660 661 a56ec0-a56ec5 657->661 658->593 658->654 660->593 660->661 664 a56ec7-a56eda call a83b02 661->664 665 a56ee0-a56ee5 661->665 662->593 662->657 664->593 664->665 668 a56ee7-a56efa call a83b02 665->668 669 a56f00-a56f05 665->669 668->593 668->669 671 a56f07-a56f1a call a83b02 669->671 672 a56f20-a56f25 669->672 671->593 671->672 676 a56f27-a56f3a call a83b02 672->676 677 a56f5b-a56f63 672->677 676->593 690 a56f40-a56f55 call a83b02 676->690 680 a56f65-a56f78 call a83b02 677->680 681 a56f7e-a56f86 677->681 680->593 680->681 682 a56fa1-a56faa 681->682 683 a56f88-a56f9b call a83b02 681->683 688 a57091-a57094 682->688 689 a56fb0-a56fbb call a8362a 682->689 683->593 683->682 694 a56fca-a56fd1 688->694 695 a5709a-a570ab call a83ba8 688->695 697 a56fc0-a56fc4 689->697 690->593 690->677 698 a56ff1-a56ff5 694->698 699 a56fd3-a56feb call a8362a 694->699 701 a570b0-a570b7 695->701 697->593 697->694 703 a56ff7-a5700b call a8362a 698->703 704 a57011-a5702e call a83ba8 698->704 699->593 699->698 701->593 705 a570b9 701->705 703->593 703->704 704->593 712 a57034-a57040 704->712 711 a570c3-a570ca 705->711 711->577 713 a570cc-a570da call a56aa5 711->713 714 a57047-a57059 call a83ba8 712->714 715 a57042 712->715 713->577 720 a570dc-a570e1 713->720 719 a5705e-a57065 714->719 715->714 719->593 721 a5706b-a57072 719->721 720->614 721->711 722 a57074-a57085 call a55ebf 721->722 722->711 725 a57087-a5708c 722->725 725->614
        APIs
        • RegCloseKey.ADVAPI32(00000000,00000000,00000000,F08B8007,057CF33B,00020006,00000000), ref: 00A57188
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Close
        • String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.7.2829.0$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString$engine.cpp
        • API String ID: 3535843008-1617658161
        • Opcode ID: 1a6e9693f52c10779dee197c7fd9d9390734dd5174691f8a0a9e2d79ddf2309c
        • Instruction ID: 1c0e4e5bc67bb995379fa795398a2b42e35aa8e3cc924ebc90ae9111777566c3
        • Opcode Fuzzy Hash: 1a6e9693f52c10779dee197c7fd9d9390734dd5174691f8a0a9e2d79ddf2309c
        • Instruction Fuzzy Hash: B0E1CF71B04B01BBDF21AEA9DE86F5F7AF9BB44711F100538BD44A2261DB71EE089B10
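
The value names in the strings above (BundleUpgradeCode, BundleCachePath, BundleProviderKey, EngineVersion, QuietUninstallString, SystemComponent and the rest) are what the engine.cpp routine writes under the bundle's Uninstall registry key when it registers itself, and "3.7.2829.0" is the engine version it records. As an added example, not the sample's or WiX's own code, the Python below enumerates a host's Uninstall keys and reports only the entries that carry those Burn-specific values, so an incident responder can check what the bundle registered, whether it hid itself from Programs and Features (SystemComponent = 1) and whether its cached copy sits under the Package Cache directory that Burn uses for per-machine bundles (the location is an assumption from WiX documentation). SAMPLE_ENTRIES is constructed data for an offline run; its GUIDs, names and paths are placeholders rather than values from this report. Reading the live registry needs Windows and the standard winreg module.

```python
# Burn-specific value names from the engine's registration strings.
BURN_MARKER_VALUES = ("BundleCachePath", "BundleUpgradeCode", "BundleProviderKey")
REPORT_VALUES = ("DisplayName", "DisplayVersion", "Publisher", "EngineVersion",
                 "BundleVersion", "BundleUpgradeCode", "BundleCachePath",
                 "QuietUninstallString", "UninstallString", "SystemComponent")
UNINSTALL_SUBKEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)


def find_burn_bundles(entries):
    """entries: iterable of (parent key path, subkey name, {value name: data}).
    Returns one record per subkey that carries Burn's Bundle* values."""
    found = []
    for parent, subkey, values in entries:
        if not any(name in values for name in BURN_MARKER_VALUES):
            continue                      # plain MSI/EXE uninstall entry, not a bundle
        record = {"key": parent + "\\" + subkey}
        for name in REPORT_VALUES:
            record[name] = values.get(name)
        cache_path = (values.get("BundleCachePath") or "").lower()
        # Per-machine bundles are cached under %ProgramData%\Package Cache
        # (assumption from WiX documentation); any other location deserves a look.
        record["cache_in_package_cache"] = "\\package cache\\" in cache_path
        # SystemComponent = 1 hides the entry from Programs and Features.
        record["hidden_from_arp"] = values.get("SystemComponent") == 1
        found.append(record)
    return found


def read_uninstall_entries():
    """Windows only: yield (parent, subkey, values) for every Uninstall entry."""
    import winreg
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        for sub in UNINSTALL_SUBKEYS:
            try:
                parent = winreg.OpenKey(hive, sub)
            except OSError:
                continue                  # hive/view not present on this host
            with parent:
                for i in range(winreg.QueryInfoKey(parent)[0]):
                    name = winreg.EnumKey(parent, i)
                    values = {}
                    with winreg.OpenKey(parent, name) as key:
                        for j in range(winreg.QueryInfoKey(key)[1]):
                            vname, vdata, _vtype = winreg.EnumValue(key, j)
                            values[vname] = vdata
                    yield hive_name + "\\" + sub, name, values


# Constructed sample data for an offline run; GUIDs, names and paths are placeholders.
_BUNDLE_ID = "{11111111-2222-3333-4444-555555555555}"
_CACHE = r"C:\ProgramData\Package Cache\%s\bundle.exe" % _BUNDLE_ID
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", _BUNDLE_ID,
     {"DisplayName": "Example Bundle", "DisplayVersion": "12.0.0.0",
      "Publisher": "Example Corp", "EngineVersion": "3.7.2829.0",
      "BundleVersion": "12.0.0.0",
      "BundleUpgradeCode": "{66666666-7777-8888-9999-000000000000}",
      "BundleCachePath": _CACHE,
      "QuietUninstallString": '"%s" /uninstall /quiet' % _CACHE,
      "SystemComponent": 1}),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
     "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
     {"DisplayName": "Example MSI",
      "UninstallString": "MsiExec.exe /X{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"}),
]


if __name__ == "__main__":
    import sys
    source = read_uninstall_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for rec in find_burn_bundles(source):
        print(rec["key"])
        for name in REPORT_VALUES + ("cache_in_package_cache", "hidden_from_arp"):
            print("   %-22s %s" % (name, rec[name]))
```

On a Windows host the script reads both registry views of HKLM and HKCU; compare the reported BundleCachePath and QuietUninstallString against the files the sandbox saw the sample drop, and treat a bundle that is hidden from Programs and Features or cached outside Package Cache as worth a closer look.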

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 726 a5a947-a5a988 EnterCriticalSection lstrlenW call a800d8 729 a5a994-a5a9a5 call a78671 726->729 730 a5a98a-a5a98f 726->730 736 a5ab35-a5ab44 call a81325 729->736 737 a5a9ab-a5a9bd call a78671 729->737 731 a5ad70-a5ad77 call a7fa86 730->731 740 a5ad78-a5ad86 LeaveCriticalSection 731->740 747 a5ab46-a5ab4b 736->747 748 a5ab62-a5ab73 #17 736->748 745 a5ab50-a5ab60 call a81325 737->745 746 a5a9c3-a5a9cb 737->746 743 a5ada8-a5adad 740->743 744 a5ad88-a5ad8d 740->744 749 a5adb7-a5adba 743->749 750 a5adaf-a5adb2 #8 743->750 751 a5ada2-a5ada3 call a824f6 744->751 752 a5ad8f-a5ad94 744->752 745->747 745->748 755 a5a9cd-a5a9e4 call a81325 746->755 756 a5a9ef-a5a9f1 746->756 747->731 761 a5ab75-a5ab8f call a8294e 748->761 762 a5ab94-a5aba0 #125 748->762 759 a5adc4-a5adc7 749->759 760 a5adbc-a5adbf call a801e8 749->760 750->749 751->743 753 a5ad96-a5ad97 call a801e8 752->753 754 a5ad9c-a5ada0 752->754 753->754 754->751 754->752 755->747 785 a5a9ea 755->785 765 a5aa11-a5aa20 call a81171 756->765 766 a5a9f3-a5aa08 call a81325 756->766 769 a5add1-a5add7 759->769 770 a5adc9-a5adcc call a801e8 759->770 760->759 761->731 772 a5abd3-a5abd6 762->772 773 a5aba2 762->773 799 a5aa26-a5aa37 765->799 800 a5ad0b-a5ad10 765->800 766->747 795 a5aa0e 766->795 770->769 777 a5abf9-a5ac13 #171 772->777 778 a5abd8-a5abe2 772->778 774 a5aba4-a5aba9 773->774 775 a5abae-a5abb2 773->775 774->775 783 a5abb4 775->783 784 a5abb9-a5abce call a8294e 775->784 789 a5ac15-a5ac17 777->789 790 a5ac7b-a5ac80 777->790 786 a5abe4-a5abf1 #125 778->786 787 a5abf3-a5abf7 778->787 783->784 784->731 793 a5ab19-a5ab2d call a78671 785->793 786->787 794 a5ac4a 786->794 787->777 787->778 789->790 798 a5ac19 789->798 796 a5ac82-a5ac95 call a800d8 790->796 797 a5acfd-a5ad02 790->797 793->737 820 a5ab33 793->820 804 a5ac56-a5ac5a 794->804 805 a5ac4c-a5ac51 794->805 795->765 824 a5ac97-a5ac9c 796->824 825 a5aca1-a5acb1 #171 796->825 797->740 808 a5ad04-a5ad09 797->808 809 a5ac25-a5ac29 798->809 
810 a5ac1b-a5ac20 798->810 802 a5aa4e-a5aa58 call a8233b 799->802 803 a5aa39-a5aa43 call a8235d 799->803 800->731 831 a5ad2e-a5ad48 call a8294e 802->831 832 a5aa5e-a5aa62 802->832 829 a5ad12-a5ad2c call a8294e 803->829 830 a5aa49-a5aa4c 803->830 814 a5ac61-a5ac76 call a8294e 804->814 815 a5ac5c 804->815 805->804 808->740 817 a5ac30-a5ac45 call a8294e 809->817 818 a5ac2b 809->818 810->809 814->731 815->814 817->731 818->817 820->736 824->731 826 a5ace4-a5acf4 call a81171 825->826 827 a5acb3 825->827 826->797 852 a5acf6-a5acfb 826->852 834 a5acb5-a5acba 827->834 835 a5acbf-a5acc3 827->835 829->731 830->832 831->731 838 a5aa64-a5aa6a 832->838 839 a5aa7e-a5aa82 832->839 834->835 842 a5acc5 835->842 843 a5acca-a5acdf call a8294e 835->843 838->839 846 a5aa6c-a5aa77 838->846 847 a5aa84-a5aa96 call a5a066 839->847 848 a5aa9c-a5aaa7 839->848 842->843 843->731 853 a5aa78-a5aa7c 846->853 847->848 861 a5ad4a-a5ad5b call a7fa86 847->861 849 a5aab1-a5aac8 call a5a63b 848->849 850 a5aaa9-a5aaaf 848->850 862 a5aad8-a5aada 849->862 863 a5aaca-a5aad0 849->863 850->853 852->731 857 a5aad1-a5aad6 call a81171 853->857 857->862 861->740 867 a5aae0-a5aafb call a8177a 862->867 868 a5ad5d-a5ad62 862->868 863->857 871 a5ad64-a5ad69 867->871 872 a5ab01-a5ab13 call a81325 867->872 868->731 871->731 872->793 875 a5ad6b 872->875 875->731
        APIs
        • EnterCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,00A58B89,?,?,?,?,?,?,?,?,00000001), ref: 00A5A96A
        • lstrlenW.KERNEL32(?,?,00A58B89,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00A5A973
        • _wcschr.LIBCMT ref: 00A5A99A
        • _wcschr.LIBCMT ref: 00A5A9B1
        • _wcschr.LIBCMT ref: 00A5AB22
        • LeaveCriticalSection.KERNEL32(?,00000000,00000000,00A8A5C8,00000000,00000000,00000000,00A58B89,?,00A58B89,?,00000000,00A58B89,00000001,?,00A58B89), ref: 00A5AD7B
        • #8.MSI(?,?,00A58B89,?), ref: 00A5ADB2
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _wcschr$CriticalSection$EnterLeavelstrlen
        • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
        • API String ID: 144789458-2050445661
        • Opcode ID: e048a071062a4218a26992b462f69989bf21e17ee2fa5302768cf2d1100079bf
        • Instruction ID: 4d37422c9ae8467ebd2e93648285323201cce3115480fdddf7e5c99be3edcffe
        • Opcode Fuzzy Hash: e048a071062a4218a26992b462f69989bf21e17ee2fa5302768cf2d1100079bf
        • Instruction Fuzzy Hash: 87C1F472F4061ABFCB21BBA48D41FAE76B9BF20752F114725FD00BB181D6349E4587A2

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 876 a754ee-a75508 SetEvent 877 a75543-a75551 WaitForSingleObject 876->877 878 a7550a-a75512 GetLastError 876->878 881 a75553-a7555b GetLastError 877->881 882 a7558c-a75597 ResetEvent 877->882 879 a75514-a75519 878->879 880 a7551e-a75522 878->880 879->880 883 a75524 880->883 884 a75529-a7553e call a8294e 880->884 885 a75567-a7556b 881->885 886 a7555d-a75562 881->886 887 a755d2-a755d6 882->887 888 a75599-a755a1 GetLastError 882->888 883->884 904 a7587e-a75885 call a7fa86 884->904 894 a75572-a75587 call a8294e 885->894 895 a7556d 885->895 886->885 892 a75606-a7561c call a808bb 887->892 893 a755d8-a755db 887->893 889 a755a3-a755a8 888->889 890 a755ad-a755b1 888->890 889->890 896 a755b3 890->896 897 a755b8-a755cd call a8294e 890->897 914 a75634-a7563f SetEvent 892->914 915 a7561e-a7562f call a7fa86 892->915 899 a755dd-a755f7 call a8294e 893->899 900 a755fc-a75601 893->900 894->904 895->894 896->897 897->904 899->904 906 a75886-a7588d 900->906 904->906 912 a75894-a75898 906->912 913 a7588f-a75893 906->913 917 a75641-a75649 GetLastError 914->917 918 a7566b-a75679 WaitForSingleObject 914->918 915->906 921 a75655-a75659 917->921 922 a7564b-a75650 917->922 923 a756a5-a756b0 ResetEvent 918->923 924 a7567b-a75683 GetLastError 918->924 927 a75660-a75661 921->927 928 a7565b 921->928 922->921 925 a756b2-a756ba GetLastError 923->925 926 a756dc-a756e1 923->926 929 a75685-a7568a 924->929 930 a7568f-a75693 924->930 931 a756c6-a756ca 925->931 932 a756bc-a756c1 925->932 933 a75746-a75769 CreateFileW 926->933 934 a756e3-a756e4 926->934 927->918 928->927 929->930 935 a75695 930->935 936 a7569a-a7569b 930->936 937 a756d1-a756d2 931->937 938 a756cc 931->938 932->931 939 a757a7-a757bb SetFilePointerEx 933->939 940 a7576b-a75773 GetLastError 933->940 941 a756e6-a756e7 934->941 942 a75709-a7570d call a8233b 934->942 935->936 936->923 937->926 938->937 947 a757f6-a75801 SetEndOfFile 939->947 948 a757bd-a757c5 GetLastError 939->948 943 a75775-a7577a 940->943 944 
a7577f-a75783 940->944 945 a75700-a75704 941->945 946 a756e9-a756ea 941->946 952 a75712-a75717 942->952 943->944 955 a75785 944->955 956 a7578a-a7579d call a8294e 944->956 945->906 946->900 957 a756f0-a756f6 946->957 953 a75803-a7580b GetLastError 947->953 954 a75839-a75848 SetFilePointerEx 947->954 950 a757c7-a757cc 948->950 951 a757d1-a757d5 948->951 950->951 960 a757d7 951->960 961 a757dc-a757f1 call a8294e 951->961 958 a75719-a75733 call a8294e 952->958 959 a75738-a75741 952->959 962 a75817-a7581b 953->962 963 a7580d-a75812 953->963 954->906 965 a7584a-a75852 GetLastError 954->965 955->956 956->939 957->945 958->904 959->906 960->961 961->904 970 a75822-a75837 call a8294e 962->970 971 a7581d 962->971 963->962 966 a75854-a75859 965->966 967 a7585e-a75862 965->967 966->967 973 a75864 967->973 974 a75869-a75879 call a8294e 967->974 970->904 971->970 973->974 974->904
        APIs
        • SetEvent.KERNEL32(?,?,?,?,?,00A75D18), ref: 00A75500
        • GetLastError.KERNEL32(?,?,?,00A75D18), ref: 00A7550A
        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00A75D18), ref: 00A75548
        • GetLastError.KERNEL32(?,?,?,00A75D18), ref: 00A75553
        • ResetEvent.KERNEL32(?,?,?,?,00A75D18), ref: 00A7558F
        • GetLastError.KERNEL32(?,?,?,00A75D18), ref: 00A75599
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$Event$ObjectResetSingleWait
        • String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
        • API String ID: 1865021742-2104912459
        • Opcode ID: 385111f8ef19be7e2c17470def8eb8c30144fa0a1e9cce59293a99d3e6cf7a1f
        • Instruction ID: 07025f37dcde51df9973c861f0d89034e02b5e8c45c5fadd8cd1f81df5ce5f3e
        • Opcode Fuzzy Hash: 385111f8ef19be7e2c17470def8eb8c30144fa0a1e9cce59293a99d3e6cf7a1f
        • Instruction Fuzzy Hash: B091E432F50E23BBE73057B48E0AB662994AF10B60F65C625F90DFA1E0E6D9DC1097D1

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 981 a6cc4f-a6ccdb call a77e30 984 a6cd76-a6cd84 981->984 985 a6cce1-a6cce7 981->985 988 a6cd86 984->988 989 a6cd90-a6cd94 984->989 986 a6cd19-a6cd1c 985->986 987 a6cce9-a6cd13 call a84461 985->987 986->984 993 a6cd1e-a6cd48 call a84461 986->993 987->984 998 a6cd15-a6cd17 987->998 988->989 991 a6cdf6-a6ce21 call a84cfe 989->991 992 a6cd96-a6cdaf call a6743f 989->992 1002 a6ce23-a6ce28 991->1002 1003 a6ce2d-a6ce32 991->1003 1005 a6cdb1-a6cdc4 call a7fa86 992->1005 1006 a6cdc9-a6cdea call a8201f 992->1006 993->984 1007 a6cd4a 993->1007 1004 a6cd4c-a6cd71 call a618a7 call a617ca call a51566 998->1004 1008 a6d218-a6d21f call a7fa86 1002->1008 1009 a6ce67-a6ce93 call a6c569 1003->1009 1010 a6ce34-a6ce37 1003->1010 1022 a6d220-a6d232 call a841e9 1004->1022 1005->1022 1006->991 1025 a6cdec-a6cdf1 1006->1025 1007->1004 1008->1022 1028 a6ce95-a6ce9a 1009->1028 1029 a6ce9f-a6cecc call a6c569 1009->1029 1010->1009 1014 a6ce39-a6ce41 call a841a2 1010->1014 1027 a6ce46-a6ce4a 1014->1027 1035 a6d234-a6d23a call a801e8 1022->1035 1036 a6d23f-a6d245 1022->1036 1025->1008 1027->1009 1032 a6ce4c-a6ce62 call a7fa86 1027->1032 1028->1008 1040 a6cece-a6ced3 1029->1040 1041 a6ced8-a6ceee call a6b278 1029->1041 1032->1022 1035->1036 1043 a6d247-a6d24d call a801e8 1036->1043 1044 a6d252-a6d258 1036->1044 1040->1008 1056 a6cef0-a6cef5 1041->1056 1057 a6cefa-a6cf10 call a6b278 1041->1057 1043->1044 1048 a6d265-a6d26b 1044->1048 1049 a6d25a-a6d260 call a801e8 1044->1049 1052 a6d26d-a6d273 call a801e8 1048->1052 1053 a6d278-a6d27e 1048->1053 1049->1048 1052->1053 1054 a6d280-a6d286 call a801e8 1053->1054 1055 a6d28b-a6d293 1053->1055 1054->1055 1060 a6d2b7-a6d2bd 1055->1060 1061 a6d295-a6d296 1055->1061 1056->1008 1068 a6cf12-a6cf17 1057->1068 1069 a6cf1c-a6cf32 call a6b5c2 1057->1069 1066 a6d2bf-a6d2cf call a77eaa 1060->1066 1063 a6d298-a6d299 1061->1063 1064 a6d2a9-a6d2b5 1061->1064 1063->1066 1067 a6d29b-a6d2a7 1063->1067 1064->1066 1067->1066 1068->1008 1074 
a6cf34-a6cf39 1069->1074 1075 a6cf3e-a6cf54 call a6b5c2 1069->1075 1074->1008 1078 a6cf56-a6cf5b 1075->1078 1079 a6cf60-a6cf68 1075->1079 1078->1008 1080 a6cf6f-a6cfa5 call a617ca call a61b91 call a51566 1079->1080 1081 a6cf6a 1079->1081 1088 a6cfab-a6cfac 1080->1088 1089 a6d189-a6d19f call a81325 1080->1089 1081->1080 1091 a6cfae-a6cfaf 1088->1091 1092 a6cfcd-a6cfe3 call a81325 1088->1092 1097 a6d1a1-a6d1a6 1089->1097 1098 a6d1a8-a6d1cb call a8177a 1089->1098 1095 a6cfb5-a6cfb6 1091->1095 1096 a6d128-a6d13e call a81325 1091->1096 1105 a6d14e-a6d161 call a8461a 1092->1105 1106 a6cfe9-a6cfee 1092->1106 1101 a6d06e-a6d071 1095->1101 1102 a6cfbc-a6cfbd 1095->1102 1096->1092 1112 a6d144-a6d149 1096->1112 1097->1008 1120 a6d0f2-a6d0f7 1098->1120 1121 a6d1d1-a6d1f7 call a845c8 1098->1121 1103 a6d083 1101->1103 1104 a6d073-a6d081 1101->1104 1102->1101 1109 a6cfc3-a6cfc4 1102->1109 1110 a6d088-a6d090 1103->1110 1104->1103 1104->1110 1122 a6d166-a6d16a 1105->1122 1106->1008 1114 a6cfc6-a6cfc7 1109->1114 1115 a6cff3-a6cffc 1109->1115 1116 a6d097-a6d09f 1110->1116 1117 a6d092 1110->1117 1112->1008 1114->1022 1114->1092 1118 a6d020-a6d036 call a81325 1115->1118 1119 a6cffe-a6d014 call a81325 1115->1119 1124 a6d0a6-a6d0c1 call a8177a 1116->1124 1125 a6d0a1 1116->1125 1117->1116 1139 a6d042-a6d05e call a8461a 1118->1139 1140 a6d038-a6d03d 1118->1140 1119->1118 1135 a6d016-a6d01b 1119->1135 1120->1008 1136 a6d20f-a6d211 1121->1136 1137 a6d1f9-a6d20d call a51566 1121->1137 1128 a6d176-a6d17f call a6c67d 1122->1128 1129 a6d16c-a6d171 1122->1129 1143 a6d0c3-a6d0c8 1124->1143 1144 a6d0cd-a6d0f0 call a8177a 1124->1144 1125->1124 1141 a6d184 1128->1141 1129->1008 1135->1008 1136->1022 1145 a6d213 1136->1145 1137->1136 1139->1128 1150 a6d064-a6d069 1139->1150 1140->1008 1141->1022 1143->1008 1144->1120 1152 a6d0fc-a6d118 call a8461a 1144->1152 1145->1008 1150->1008 1152->1022 1155 a6d11e-a6d123 1152->1155 1155->1008
        APIs
        • _memset.LIBCMT ref: 00A6CCAD
          • Part of subcall function 00A84CFE: _memset.LIBCMT ref: 00A84D0F
        Strings
        • Failed to run maintanance mode for MSI package., xrefs: 00A6D11E
        • Failed to build MSI path., xrefs: 00A6CDEC
        • Failed to add ADMIN property on admin install., xrefs: 00A6D144
        • %ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress, xrefs: 00A6D0AF
        • Failed to uninstall MSI package., xrefs: 00A6D213
        • VersionString, xrefs: 00A6CCF8, 00A6CD2D
        • ACTION=ADMIN, xrefs: 00A6D129
        • Failed to perform minor upgrade of MSI package., xrefs: 00A6D064
        • Failed to get cached path for package: %ls, xrefs: 00A6CDB6
        • Failed to add reboot suppression property on install., xrefs: 00A6CFE9
        • Failed to enable logging for package: %ls to: %ls, xrefs: 00A6CE54
        • Failed to add reinstall mode and reboot suppression properties on repair., xrefs: 00A6D0C3
        • Failed to add feature action properties to argument string., xrefs: 00A6CEF0
        • Failed to add properties to argument string., xrefs: 00A6CE95
        • Failed to add obfuscated properties to argument string., xrefs: 00A6CECE
        • Failed to add patch properties to argument string., xrefs: 00A6CF34
        • Failed to add reboot suppression property on uninstall., xrefs: 00A6D1A1
        • Failed to initialize external UI handler., xrefs: 00A6CE23
        • IGNOREDEPENDENCIES, xrefs: 00A6D0CD, 00A6D1A8
        • Failed to install MSI package., xrefs: 00A6D16C
        • Failed to add reinstall all property on minor upgrade., xrefs: 00A6D016
        • %ls %ls=ALL, xrefs: 00A6D0DE, 00A6D1B9
        • REINSTALLMODE="vomus" REBOOT=ReallySuppress, xrefs: 00A6D021
        • Failed to add feature action properties to obfuscated argument string., xrefs: 00A6CF12
        • Failed to add the list of dependencies to ignore to the properties., xrefs: 00A6D0F2
        • Failed to add reinstall mode and reboot suppression properties on minor upgrade., xrefs: 00A6D038
        • REBOOT=ReallySuppress, xrefs: 00A6CFCE, 00A6D18A
        • REINSTALL=ALL, xrefs: 00A6CFFF, 00A6D076
        • Failed to add patch properties to obfuscated argument string., xrefs: 00A6CF56
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memset
        • String ID: ACTION=ADMIN$ REBOOT=ReallySuppress$ REINSTALL=ALL$ REINSTALLMODE="vomus" REBOOT=ReallySuppress$%ls %ls=ALL$%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress$Failed to add ADMIN property on admin install.$Failed to add feature action properties to argument string.$Failed to add feature action properties to obfuscated argument string.$Failed to add obfuscated properties to argument string.$Failed to add patch properties to argument string.$Failed to add patch properties to obfuscated argument string.$Failed to add properties to argument string.$Failed to add reboot suppression property on install.$Failed to add reboot suppression property on uninstall.$Failed to add reinstall all property on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on repair.$Failed to add the list of dependencies to ignore to the properties.$Failed to build MSI path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for package: %ls$Failed to initialize external UI handler.$Failed to install MSI package.$Failed to perform minor upgrade of MSI package.$Failed to run maintanance mode for MSI package.$Failed to uninstall MSI package.$IGNOREDEPENDENCIES$VersionString
        • API String ID: 2102423945-2112609193
        • Opcode ID: 5ac851090de793c7f3737d62bddd35b0634b09c0065964de5d378578cf5486ca
        • Instruction ID: ef3bbfa76865f5db8d7a062b165af33cbdb432d0b03ab83f30f47d2e2f7ae246
        • Opcode Fuzzy Hash: 5ac851090de793c7f3737d62bddd35b0634b09c0065964de5d378578cf5486ca
        • Instruction Fuzzy Hash: 3502C130B40614BFDF21EFA4CD81EAAB7F6FB98340F1445A9F109A7121E6729E91CB50

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 1506 a51b46-a51be0 call a77e30 * 2 call a51033 1513 a51be2-a51be7 1506->1513 1514 a51bec-a51c0e call a7fa1a call a5e1aa CoInitializeEx 1506->1514 1515 a51d87-a51d8f call a7fa86 1513->1515 1525 a51c10-a51c15 1514->1525 1526 a51c1a-a51c3f GetModuleHandleW call a7f054 call a8315b 1514->1526 1521 a51e3c-a51e42 1515->1521 1523 a51e44-a51e4a call a801e8 1521->1523 1524 a51e4f-a51e51 1521->1524 1523->1524 1529 a51e73-a51e90 call a5b7b2 call a68988 1524->1529 1530 a51e53-a51e59 1524->1530 1525->1515 1539 a51c41-a51c46 1526->1539 1540 a51c4b-a51c5e call a83d19 1526->1540 1543 a51e92-a51e98 1529->1543 1544 a51ec9-a51eda call a510dc 1529->1544 1530->1529 1532 a51e5b-a51e6e call a7f8ab 1530->1532 1532->1529 1539->1515 1549 a51c60-a51c65 1540->1549 1550 a51c6a-a51c7d call a84dc3 1540->1550 1543->1544 1547 a51e9a-a51ea1 1543->1547 1552 a51ee1-a51ee7 1544->1552 1553 a51edc call a84e21 1544->1553 1547->1544 1551 a51ea3-a51ec4 call a61a96 call a51566 1547->1551 1549->1515 1564 a51c7f-a51c84 1550->1564 1565 a51c89-a51ca8 GetVersionExW 1550->1565 1551->1544 1557 a51eee-a51ef4 1552->1557 1558 a51ee9 call a83e26 1552->1558 1553->1552 1562 a51ef6 call a831a3 1557->1562 1563 a51efb-a51f01 1557->1563 1558->1557 1562->1563 1569 a51f03 CoUninitialize 1563->1569 1570 a51f09-a51f0f 1563->1570 1564->1515 1571 a51ce0-a51cf7 call a81a74 1565->1571 1572 a51caa-a51cb2 GetLastError 1565->1572 1569->1570 1576 a51f11-a51f13 1570->1576 1577 a51f53-a51f59 1570->1577 1587 a51cfe-a51d36 call a51566 1571->1587 1588 a51cf9 1571->1588 1573 a51cb4-a51cb9 1572->1573 1574 a51cbe-a51cc2 1572->1574 1573->1574 1580 a51cc4 1574->1580 1581 a51cc9-a51cdb call a8294e 1574->1581 1578 a51f15-a51f17 1576->1578 1579 a51f19-a51f1f 1576->1579 1583 a51f61-a51f67 1577->1583 1584 a51f5b-a51f5c call a7f5cc 1577->1584 1585 a51f21-a51f43 call a61879 call a51566 1578->1585 1579->1585 1580->1581 1581->1515 1590 a51f6e-a51f74 1583->1590 1591 a51f69 call a513ba 1583->1591 1584->1583 1585->1577 1610 
a51f45-a51f52 call a51566 1585->1610 1604 a51d49-a51d5a call a5d764 1587->1604 1605 a51d38-a51d43 call a801e8 1587->1605 1588->1587 1592 a51f76-a51f77 call a7f62b 1590->1592 1593 a51f7c-a51f8c call a77eaa 1590->1593 1591->1590 1592->1593 1612 a51d63-a51d6b 1604->1612 1613 a51d5c-a51d61 1604->1613 1605->1604 1610->1577 1615 a51df7-a51e16 call a518b9 1612->1615 1616 a51d71-a51d72 1612->1616 1613->1515 1628 a51e22-a51e36 1615->1628 1629 a51e18-a51e1d 1615->1629 1618 a51d74-a51d75 1616->1618 1619 a51dd8-a51de5 call a5157c 1616->1619 1622 a51d77-a51d78 1618->1622 1623 a51db0-a51dcf call a51af3 1618->1623 1626 a51dea-a51dee 1619->1626 1622->1623 1627 a51d7a-a51d7b 1622->1627 1623->1628 1634 a51dd1-a51dd6 1623->1634 1626->1628 1631 a51df0-a51df5 1626->1631 1632 a51d94-a51da7 call a51226 1627->1632 1633 a51d7d-a51d82 1627->1633 1628->1521 1629->1515 1631->1515 1632->1628 1637 a51da9-a51dae 1632->1637 1633->1515 1634->1515 1637->1515
        APIs
        • _memset.LIBCMT ref: 00A51BA5
        • _memset.LIBCMT ref: 00A51BC9
          • Part of subcall function 00A51033: InitializeCriticalSection.KERNEL32(?,?,0000011C), ref: 00A51057
          • Part of subcall function 00A51033: InitializeCriticalSection.KERNEL32(?,?,0000011C), ref: 00A51060
        • CoInitializeEx.OLE32(00000000,00000000,00000003,00000000), ref: 00A51C04
        • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A51F03
          • Part of subcall function 00A51226: CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,?), ref: 00A512AC
          • Part of subcall function 00A5157C: ReleaseMutex.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00A5174B
          • Part of subcall function 00A5157C: CloseHandle.KERNEL32(00000000,?,?,?,00A51DEA,?,?), ref: 00A51754
          • Part of subcall function 00A518B9: IsWindow.USER32(?), ref: 00A51AC3
          • Part of subcall function 00A518B9: PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A51AD6
          • Part of subcall function 00A518B9: CloseHandle.KERNEL32(00000000,?,?,?,00A51E12,?), ref: 00A51AE5
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseHandleInitialize$CriticalSection_memset$MessageMutexPostReleaseUninitializeWindow
        • String ID: 3.7.2829.0$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Invalid run mode.$Setup$_Failed$engine.cpp$txt
        • API String ID: 3679201541-1932953092
        • Opcode ID: f2f0c825a67d28b26630baca7031dacad27f823a7ddb1345c0e0765691b98779
        • Instruction ID: edd7f5db9284e5543062d91c81636470c0ce50437bee6447e8172c169edca7bc
        • Opcode Fuzzy Hash: f2f0c825a67d28b26630baca7031dacad27f823a7ddb1345c0e0765691b98779
        • Instruction Fuzzy Hash: EBB1B272900229ABDF20BF64CD85BFDB6B9BB58306F0405EAF909A3141DA354E89CF51

        Control-flow Graph
        Control-flow graph (text dump of the rendered graph; the image itself is not included): function starting at 00A76231, whose basic blocks call CoInitializeEx, cabinet.dll ordinals #20, #22 and #23, SetEvent, WaitForSingleObject, ResetEvent, GetLastError and CoUninitialize.
        APIs
        • CoInitializeEx.OLE32(00000000,00000000), ref: 00A76256
        • #20.CABINET(00A7594A,00A75959,00A75D1C,00A75F23,00A75966,00A760F1,00A75FB8,000000FF,?), ref: 00A762B2
        • CoUninitialize.OLE32 ref: 00A7645E
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: InitializeUninitialize
        • String ID: <the>.cab$Failed to extract all files from container.$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
        • API String ID: 3442037557-3821814080
        • Opcode ID: 76afb70f45d9b28636e44c93bd3f45b050a60caaac2b427db95df7c1f8c37ca1
        • Instruction ID: 63001f620eadbfb5f3e9494ce1d4c3345690c6c4bb44eeabcfc55516911eb3ef
        • Opcode Fuzzy Hash: 76afb70f45d9b28636e44c93bd3f45b050a60caaac2b427db95df7c1f8c37ca1
        • Instruction Fuzzy Hash: 68511C32F40A21BBDB20AB788E4AF6F76A46F14B60F15C535F90DBB291D5A49C40C791

        Control-flow Graph
        Control-flow graph (text dump of the rendered graph; the image itself is not included): function starting at 00A53156, whose basic blocks call GetCurrentProcessId, ReadFile (three times: secret size, secret, process id), CompareStringW, WriteFile and GetLastError on each failure path.
        APIs
        • GetCurrentProcessId.KERNEL32(8000FFFF,00000000,74DF3140,?,00A53983,?,?,00000008,00000000,?), ref: 00A5316D
        • ReadFile.KERNELBASE(00000008,00000008,00000004,?,00000000,?,00A53983,?,?,00000008,00000000,?), ref: 00A5318D
        • GetLastError.KERNEL32(?,00A53983,?,?,00000008,00000000,?), ref: 00A53193
        • ReadFile.KERNELBASE(00000008,00000000,00000008,?,00000000,00000000,00000009,?,00A53983,?,?,00000008,00000000,?), ref: 00A53223
        • GetLastError.KERNEL32(?,00A53983,?,?,00000008,00000000,?), ref: 00A53229
        Strings
        • pipe.cpp, xrefs: 00A531B8, 00A531E3, 00A5324E, 00A53284, 00A532D3, 00A5332F, 00A5336C
        • Verification secret from parent does not match., xrefs: 00A53290
        • Failed to read size of verification secret from parent pipe., xrefs: 00A531C2
        • Failed to read verification process id from parent pipe., xrefs: 00A532DD
        • Failed to read verification secret from parent pipe., xrefs: 00A53258
        • Verification secret from parent is too big., xrefs: 00A531EF
        • Verification process id from parent does not match., xrefs: 00A53378
        • Failed to inform parent process that child is running., xrefs: 00A53339
        • Failed to allocate buffer for verification secret., xrefs: 00A5320B
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFileLastRead$CurrentProcess
        • String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$pipe.cpp
        • API String ID: 1233551569-826945260
        • Opcode ID: 42f1843e638557747bcb6ef5ef7c54d89e749e407d8f02913b5a2e013d5a74ab
        • Instruction ID: ee98e2ee0cd993744cdc47c83f2e746e6cfbe9551ced8e3c8c6e3f506121ec29
        • Opcode Fuzzy Hash: 42f1843e638557747bcb6ef5ef7c54d89e749e407d8f02913b5a2e013d5a74ab
        • Instruction Fuzzy Hash: 01511A73A5010ABBDF10AB948D86EBE7A79BF90761F204535F901FB190DB358B0987B1

        Control-flow Graph
        Control-flow graph (text dump of the rendered graph; the image itself is not included): function starting at 00A56893, whose basic blocks call RegDeleteValueW (two sites) and RegCloseKey alongside internal registry helper subroutines.
        APIs
        • RegCloseKey.KERNELBASE(00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000,00000000,00000000,?,?), ref: 00A56A97
          • Part of subcall function 00A8362A: RegSetValueExW.KERNELBASE(?,00020006,00000000,00000004,00A568E2,00000004,00000001,?,00A568E2,00020006,Resume,00A513BB,00000000,00000000,?,?), ref: 00A8363F
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseValue
        • String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$burn.runonce$registration.cpp
        • API String ID: 3132538880-3648537543
        • Opcode ID: ca5417fdea3c30aabe67e067f8ec7074a1ebd0cc68ef192c5a4a4b116110f6f9
        • Instruction ID: 3bc693ccadbcc84da76f5731b78898ab156667e1f4f007c251d0fb71583dc9c7
        • Opcode Fuzzy Hash: ca5417fdea3c30aabe67e067f8ec7074a1ebd0cc68ef192c5a4a4b116110f6f9
        • Instruction Fuzzy Hash: F7514672940305FADB22BB64CD02F6E3AB6BB80791F648824FA05B71A1DB71DE49D710
        APIs
        • InitializeCriticalSection.KERNEL32(00A52222,00000000,00A51D56,00A521DE), ref: 00A5AE76
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalInitializeSection
        • String ID: #$$$'$0$9$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleManufacturer$WixBundleProviderKey$WixBundleTag$WixBundleVersion
        • API String ID: 32694325-3014018290
        • Opcode ID: 5cb47ace8dc047ce756eafe8ec1067ae50b5353613645f68f2156db7cac3b2a5
        • Instruction ID: 905315bfcf6a217a5ae8097cd4a2d1eb3f643f382e74b8be1452f30f57bbf749
        • Opcode Fuzzy Hash: 5cb47ace8dc047ce756eafe8ec1067ae50b5353613645f68f2156db7cac3b2a5
        • Instruction Fuzzy Hash: C31278B5D016289BDB629F49C9497DEFBB6BF88344F0085D9910C7B224C7B12B89CF81
        APIs
        • TlsSetValue.KERNEL32(?,?), ref: 00A613C1
        • RegisterClassW.USER32(?), ref: 00A613EF
        • GetLastError.KERNEL32 ref: 00A613FA
        • CreateWindowExW.USER32(00000080,00A93EB8,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 00A6146A
        • GetLastError.KERNEL32 ref: 00A61474
        • SetEvent.KERNEL32(?), ref: 00A614B7
        • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00A614F6
        • UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 00A6151B
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ClassErrorLast$CallbackCreateDispatcherEventRegisterUnregisterUserValueWindow
        • String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
        • API String ID: 4252647486-288575659
        • Opcode ID: 77e1f38464d3943051b856ab5e78ae020efc067e9471c81b4279748b7d2063a8
        • Instruction ID: 36e9efedb7b4fad414766eae2121a309479c88c09e917f8360053878debace29
        • Opcode Fuzzy Hash: 77e1f38464d3943051b856ab5e78ae020efc067e9471c81b4279748b7d2063a8
        • Instruction Fuzzy Hash: 10413CB6A00209FFEB109FE4CD48AEDBBB9FB04314F24892AE211E7150DB749A459B51
        APIs
        • CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?), ref: 00A53917
        • GetLastError.KERNEL32 ref: 00A53921
        • Sleep.KERNELBASE(00000064), ref: 00A53946
        Strings
        • \\.\pipe\%ls.Cache, xrefs: 00A539A5
        • pipe.cpp, xrefs: 00A5395D, 00A53A62
        • Failed to allocate name of parent cache pipe., xrefs: 00A539BB
        • Failed to open parent pipe: %ls, xrefs: 00A5396A
        • Failed to allocate name of parent pipe., xrefs: 00A538DC
        • Failed to open companion process with PID: %u, xrefs: 00A53A6F
        • \\.\pipe\%ls, xrefs: 00A538C8
        • Failed to verify parent pipe: %ls, xrefs: 00A5398C
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CreateErrorFileLastSleep
        • String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
        • API String ID: 408151869-645222887
        • Opcode ID: 9ffff86de111c53dad61cd0296874e665a2db75e9176851a6261d40d888c72f8
        • Instruction ID: d4df9de8586f2c6c006ac0fb773514d551d7b37a63a1d08373280c8670ceb5fc
        • Opcode Fuzzy Hash: 9ffff86de111c53dad61cd0296874e665a2db75e9176851a6261d40d888c72f8
        • Instruction Fuzzy Hash: C8413D73540202FBDF21AB60CD06F6A7AB5BFC47E1F204528F955D6190E7B5DB089B11
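        The two pipe.cpp records above (the child-side verification at 00A53156 and the parent-pipe open at 00A53917, whose strings give the pipe names \\.\pipe\%ls and \\.\pipe\%ls.Cache) together describe the handshake a Burn child process runs before it trusts the parent's pipe: read the secret length, reject an oversized secret, read and compare the secret, read and compare the process id, then acknowledge. The Python below is an added example written for this page, not code from the sample or from the WiX Burn project; it re-implements that exchange over in-memory streams so each failure string listed in the report can be reached. The framing (little-endian 32-bit length in bytes, UTF-16LE secret, 32-bit process id, 32-bit acknowledgement) and the 64-character cap on the secret are assumptions inferred from the ReadFile argument sizes, and the secret, pid and connection name used are constructed.

```python
"""Child-side verification of the Burn parent/child pipe handshake.

Added example (not the sample's or WiX Burn's code). Framing is an assumption:
  parent -> child : u32 secret length in bytes, UTF-16LE secret, u32 process id
  child  -> parent: u32 acknowledgement (written only after both checks pass)
"""
import io
import struct

# Assumed cap behind "Verification secret from parent is too big."
MAX_SECRET_CHARS = 64
ACK = struct.pack("<I", 1)


class PipeVerificationError(Exception):
    """Raised with the same message text the report lists for each failure."""


def pipe_names(connection_name):
    """Names of the two pipes the child opens: the main pipe and the cache pipe."""
    return (r"\\.\pipe\%s" % connection_name,
            r"\\.\pipe\%s.Cache" % connection_name)


def parent_send(secret, child_pid):
    """Bytes the parent writes to the pipe right after the child connects."""
    raw = secret.encode("utf-16-le")
    return struct.pack("<I", len(raw)) + raw + struct.pack("<I", child_pid)


def _read_exact(stream, n, what):
    """Mirror ReadFile plus its GetLastError branch: a short read is a failure."""
    data = stream.read(n)
    if len(data) != n:
        raise PipeVerificationError("Failed to read %s from parent pipe." % what)
    return data


def child_verify(pipe_in, pipe_out, expected_secret, own_pid):
    """Consume the parent's handshake; write the ack only if every check passes."""
    (size,) = struct.unpack("<I", _read_exact(pipe_in, 4, "size of verification secret"))
    if size // 2 > MAX_SECRET_CHARS:
        raise PipeVerificationError("Verification secret from parent is too big.")
    raw = _read_exact(pipe_in, size, "verification secret")
    # Odd or malformed UTF-16 can only ever produce a mismatch, never a crash.
    if raw.decode("utf-16-le", "replace") != expected_secret:  # CompareStringW in the binary
        raise PipeVerificationError("Verification secret from parent does not match.")
    (pid,) = struct.unpack("<I", _read_exact(pipe_in, 4, "verification process id"))
    if pid != own_pid:  # compared against GetCurrentProcessId()
        raise PipeVerificationError("Verification process id from parent does not match.")
    pipe_out.write(ACK)  # "Failed to inform parent process that child is running." on error
    return True


def child_verify_bytes(raw, expected_secret, own_pid):
    """Run one handshake from raw bytes; returns (ok, message, bytes_sent_to_parent)."""
    to_parent = io.BytesIO()
    try:
        child_verify(io.BytesIO(raw), to_parent, expected_secret, own_pid)
        return True, "verified", to_parent.getvalue()
    except PipeVerificationError as exc:
        return False, str(exc), to_parent.getvalue()


if __name__ == "__main__":
    # Constructed values: a secret the parent generated and the child's own pid.
    print(pipe_names("BurnPipe.Example"))
    print(child_verify_bytes(parent_send("S3cret", 4242), "S3cret", 4242))
    print(child_verify_bytes(parent_send("S3cret", 4242), "S3cret", 1))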
        Strings
        • Failed to read slipstream action., xrefs: 00A609C9
        • Failed to read parent hwnd., xrefs: 00A60854
        • Failed to read rollback flag., xrefs: 00A609E9
        • Failed to allocate memory for slipstream patch actions., xrefs: 00A60961
        • Failed to read UI level., xrefs: 00A60896
        • Failed to read action., xrefs: 00A60808
        • Failed to read feature action., xrefs: 00A6096B
        • Failed to read package log., xrefs: 00A60875
        • Failed to allocate memory for feature actions., xrefs: 00A608F1
        • elevation.cpp, xrefs: 00A608E7, 00A60957
        • Failed to find package: %ls, xrefs: 00A6082A
        • Failed to execute MSI package., xrefs: 00A60A14
        • Failed to read variables., xrefs: 00A609C2
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memset
        • String ID: Failed to allocate memory for feature actions.$Failed to allocate memory for slipstream patch actions.$Failed to execute MSI package.$Failed to find package: %ls$Failed to read UI level.$Failed to read action.$Failed to read feature action.$Failed to read package log.$Failed to read parent hwnd.$Failed to read rollback flag.$Failed to read slipstream action.$Failed to read variables.$elevation.cpp
        • API String ID: 2102423945-2584093861
        • Opcode ID: c318d177514706299d7161abce18e6379445ef530dfe8b29a7905e72546bd9ba
        • Instruction ID: c7ddd839e3e8744c51d917ef5aa229efdaac79aff304318a58f29e0b44766915
        • Opcode Fuzzy Hash: c318d177514706299d7161abce18e6379445ef530dfe8b29a7905e72546bd9ba
        • Instruction Fuzzy Hash: 1A71897294021CBEDF12EFD4CA81DEFB7B9EB64380F1045A2F911B7111E2718E959BA1
        Strings
        • Failed to initialize variables., xrefs: 00A5D81C
        • Failed to parse command line., xrefs: 00A5D7FE
        • Failed to load catalog files., xrefs: 00A5D965
        • WixBundleOriginalSource, xrefs: 00A5D8E5
        • Failed to set original source variable., xrefs: 00A5D8F6
        • Failed to get manifest stream from container., xrefs: 00A5D8AE
        • Failed to overwrite the %ls built-in variable., xrefs: 00A5D84A
        • Failed to get unique temporary folder for bootstrapper application., xrefs: 00A5D924
        • Failed to extract bootstrapper application payloads., xrefs: 00A5D945
        • Failed to open attached UX container., xrefs: 00A5D870
        • WixBundleElevated, xrefs: 00A5D831, 00A5D836, 00A5D849
        • Failed to load manifest., xrefs: 00A5D8CA
        • Failed to open manifest stream., xrefs: 00A5D88D
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memset
        • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$WixBundleElevated$WixBundleOriginalSource
        • API String ID: 2102423945-1257586656
        • Opcode ID: 2fc8438a596bcb198bd34543aa285ef7bf9bb7d170398051bbf5282e535fd66a
        • Instruction ID: 19c33fb26c519bcd57fbbd195e5c727dfbd8e8c79bf3e53e91359013c1bddcd6
        • Opcode Fuzzy Hash: 2fc8438a596bcb198bd34543aa285ef7bf9bb7d170398051bbf5282e535fd66a
        • Instruction Fuzzy Hash: 09615E73940619FACB22DAA4CC81EDB77FDBB44752F10892AF95EE3100EE70E6498751
        APIs
        • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,?,?,00A852B2,00000000,?,00000000), ref: 00A850E8
        • GetLastError.KERNEL32(?,?,00A852B2,00000000,?,00000000,?,?,?,?,?,?,?,?,00A7386B,00A52222), ref: 00A850F4
        • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00A85158
        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A85164
        • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 00A8516E
        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A85179
        • CoCreateInstance.OLE32(00AA5E58,00000000,00000001,00A8ACB0,?,?,?,00A852B2,00000000,?,00000000), ref: 00A851B3
        • ExitProcess.KERNEL32 ref: 00A85268
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
        • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
        • API String ID: 2124981135-499589564
        • Opcode ID: 24315616a7fe5e489a87ee90f8075c1ab1674612afd250e975c74b2cc7b58d40
        • Instruction ID: 6d4ad9cafa0915d23231dc77adc163d99d97a6a3072b88210bf75518471e13cd
        • Opcode Fuzzy Hash: 24315616a7fe5e489a87ee90f8075c1ab1674612afd250e975c74b2cc7b58d40
        • Instruction Fuzzy Hash: 0B516071E00619BBDB10EFB4CC48BAEBBB4BF15711F104669E910E7180E7B5DA41CB90
        APIs
        • ReleaseMutex.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00A5174B
        • CloseHandle.KERNEL32(00000000,?,?,?,00A51DEA,?,?), ref: 00A51754
          • Part of subcall function 00A528DB: UuidCreate.RPCRT4(?), ref: 00A52912
          • Part of subcall function 00A528DB: StringFromGUID2.OLE32(?,?,00000027), ref: 00A52925
        Strings
        • Failed to launch unelevated process., xrefs: 00A515D6
        • Failed to set elevated pipe into thread local storage for logging., xrefs: 00A51688
        • Failed to pump messages from parent process., xrefs: 00A5171D
        • Failed to create the message window., xrefs: 00A516A1
        • engine.cpp, xrefs: 00A51634, 00A5167E
        • Failed to allocate thread local storage for logging., xrefs: 00A5163E
        • Failed to create implicit elevated connection name and secret., xrefs: 00A515AD
        • Failed to connect to unelevated process., xrefs: 00A515F4
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseCreateFromHandleMutexReleaseStringUuid
        • String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create implicit elevated connection name and secret.$Failed to create the message window.$Failed to launch unelevated process.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$engine.cpp
        • API String ID: 3991521885-93479633
        • Opcode ID: b9f03879849ed9308140f10e63fba6c630e55ba85b7c448debfb213f55b0dfe7
        • Instruction ID: e5e4f94baa098ff6669ed88f0d88298a6b140726ec82c3f977a4561336618559
        • Opcode Fuzzy Hash: b9f03879849ed9308140f10e63fba6c630e55ba85b7c448debfb213f55b0dfe7
        • Instruction Fuzzy Hash: 68412572140605BBEB21ABA0CD85FEB76BDFF94351F10442AF61AD2150EF38E9099B21
        APIs
        • _memset.LIBCMT ref: 00A68A74
          • Part of subcall function 00A85640: SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00A67D44,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00A85656
          • Part of subcall function 00A85640: GetLastError.KERNEL32(?,00A67D44,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,00A695E8,00000000,?), ref: 00A85660
        • WinVerifyTrust.WINTRUST(000000FF,00AAC56B,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00A68AD0
        • WinVerifyTrust.WINTRUST(000000FF,00AAC56B,?,000000FF,00AAC56B,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00A68AEA
        Strings
        • Failed to move file pointer to beginning of file., xrefs: 00A68A8C
        • Failed to get signer chain from authenticode certificate., xrefs: 00A68BB0
        • Failed to verify expected payload against actual certificate chain., xrefs: 00A68BC8
        • cache.cpp, xrefs: 00A68B10, 00A68B63, 00A68BA6
        • Failed authenticode verification of payload: %ls, xrefs: 00A68B1D
        • Failed to get provider state from authenticode certificate., xrefs: 00A68B6D
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: TrustVerify$ErrorFileLastPointer_memset
        • String ID: Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to move file pointer to beginning of file.$Failed to verify expected payload against actual certificate chain.$cache.cpp
        • API String ID: 2460818389-4294895434
        • Opcode ID: da5829af7a5dd7c40f9c29a577e16cc9683352e2720c97c4564a55e261dbd740
        • Instruction ID: 8fce5098f794b4a0b941b996dcbf0054f2ae78812eb134c5aa830cc7cfe50b42
        • Opcode Fuzzy Hash: da5829af7a5dd7c40f9c29a577e16cc9683352e2720c97c4564a55e261dbd740
        • Instruction Fuzzy Hash: 4041D872D40219ABCB11DBE8DD05ADFBBFCEF05360F104625F514F7251EA78890187A1
        APIs
        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,00000000,00000000), ref: 00A70483
        • GetLastError.KERNEL32 ref: 00A70494
        • GetCurrentProcess.KERNEL32(00A51D72,00000000,00000000,00000002,00000000,00000000), ref: 00A704DD
        • GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00A704E3
        • DuplicateHandle.KERNELBASE(00000000), ref: 00A704E6
        • GetLastError.KERNEL32 ref: 00A704F0
        • SetFilePointerEx.KERNELBASE(00A51D72,00A52142,00A51D72,00000000,00000000), ref: 00A70557
        • GetLastError.KERNEL32 ref: 00A70561
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
        • String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp
        • API String ID: 2619879409-2168299741
        • Opcode ID: 5467182ded31e75b5115ecf32c51e8525ec8258d1ae57d144edfac919e63b1f1
        • Instruction ID: 8d1ce1cc036cf02b4f3d7aeb9256b46a12513027f80ba67dac5ee4e5dd916d4d
        • Opcode Fuzzy Hash: 5467182ded31e75b5115ecf32c51e8525ec8258d1ae57d144edfac919e63b1f1
        • Instruction Fuzzy Hash: 27416DB1A0020AFFDB20DFA4DE85E6ABBB5FB04310F10C529F545E6290D375AA509F51
        APIs
        • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,000000FF,?,000000FF), ref: 00A75D4E
        • GetCurrentProcess.KERNEL32(000000FF,00000000,00000000,00000000), ref: 00A75D66
        • GetCurrentProcess.KERNEL32(?,00000000), ref: 00A75D6B
        • DuplicateHandle.KERNELBASE(00000000), ref: 00A75D6E
        • GetLastError.KERNEL32 ref: 00A75D78
        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000), ref: 00A75DE7
        • GetLastError.KERNEL32 ref: 00A75DF5
        Strings
        • cabextract.cpp, xrefs: 00A75D9D, 00A75E1A
        • <the>.cab, xrefs: 00A75D45
        • Failed to open cabinet file: %hs, xrefs: 00A75E27
        • Failed to add virtual file pointer for cab container., xrefs: 00A75DC5
        • Failed to duplicate handle to cab container., xrefs: 00A75DA7
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
        • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
        • API String ID: 3030546534-3446344238
        • Opcode ID: ae683c1bc702f9c7321760ac36707ba2e46e58f209a6cd27281f2797e084e027
        • Instruction ID: 762553916b3654e442f0e691950650ef6d8486290fbebb55ed67a70082e1c8f9
        • Opcode Fuzzy Hash: ae683c1bc702f9c7321760ac36707ba2e46e58f209a6cd27281f2797e084e027
        • Instruction Fuzzy Hash: 11312572E00516BFEB20ABB4CD89E9A7BA8EB04374F208725F518F71E0D6B59D418790
        APIs
        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00A51D72,00000000,00A52142,00A51D72,00000000,?,00A705AB,00A51D72,?), ref: 00A764AE
        • GetLastError.KERNEL32(?,00A705AB,00A51D72,?), ref: 00A764B7
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CreateErrorEventLast
        • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp
        • API String ID: 545576003-1680384675
        • Opcode ID: 0925146951f8927c4accf82119029232bf85feda14c41ca7a007447f59025155
        • Instruction ID: 73c8d1a07b7937a29008867e28e1a519ce150190aa745042ae24760a02ff8f92
        • Opcode Fuzzy Hash: 0925146951f8927c4accf82119029232bf85feda14c41ca7a007447f59025155
        • Instruction Fuzzy Hash: EC2136B23407067EE7207A348ECAF3A35DDAB84764F25C939F20ED7181E9B99C415761
        APIs
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memmove_memset
        • String ID: Failed to allocate room for more variables.$Failed to allocate room for variables.$Failed to copy variable name.$Overflow while calculating size of variable array buffer$Overflow while dealing with variable array buffer allocation$Overflow while growing variable array size$variable.cpp
        • API String ID: 3555123492-2816863117
        • Opcode ID: 5e46479f818b249dc5caa0bdc8b2fb8ad8e98616d93a8d5823dba720a5fba8c6
        • Instruction ID: 329ae96ac19909c86b8e270560279269b1d0da59ff811cad181d202edc0ce8e8
        • Opcode Fuzzy Hash: 5e46479f818b249dc5caa0bdc8b2fb8ad8e98616d93a8d5823dba720a5fba8c6
        • Instruction Fuzzy Hash: E441E5B6640305FFE724ABA4CE43F6BB7B9BB14711F10892AF505BE181E6B4E9048794
        APIs
        • _memset.LIBCMT ref: 00A67943
        • LocalFree.KERNEL32(?,?,00000001,80000005,?,00000000,?,00000000,00000003,000007D0), ref: 00A67A7D
        Strings
        • Failed to allocate access for SYSTEM group to path: %ls, xrefs: 00A67991
        • Failed to create ACL to secure cache path: %ls, xrefs: 00A67A2A
        • Failed to allocate access for Everyone group to path: %ls, xrefs: 00A679B7
        • Failed to allocate access for Users group to path: %ls, xrefs: 00A679D8
        • cache.cpp, xrefs: 00A67A1A
        • Failed to secure cache path: %ls, xrefs: 00A67A61
        • Failed to allocate access for Administrators group to path: %ls, xrefs: 00A67970
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: FreeLocal_memset
        • String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
        • API String ID: 3302596199-4113288589
        • Opcode ID: efec14a4a76a1a124465612e98acffbdd0c8b3dab8d3951ce648c513fe3e4a05
        • Instruction ID: 3915975d69c80c4c6831065a73007408dc6aed7e54dbdc03a588cb923c59271a
        • Opcode Fuzzy Hash: efec14a4a76a1a124465612e98acffbdd0c8b3dab8d3951ce648c513fe3e4a05
        • Instruction Fuzzy Hash: 23410473E14229FBDF20ABA08D86FDDB6B4BB14748F4084A4F649F7140EA714F858B91
        APIs
        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,00A51E12,?), ref: 00A6154D
        • GetLastError.KERNEL32(?,?,00A51E12,?), ref: 00A6155A
        • CreateThread.KERNELBASE(00000000,00000000,Function_00011377,?,00000000,00000000), ref: 00A615AE
        • GetLastError.KERNEL32(?,?,00A51E12,?), ref: 00A615BB
        • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00A51E12,?), ref: 00A61606
        • CloseHandle.KERNEL32(00000001,?,?,00A51E12,?), ref: 00A61626
        • FindCloseChangeNotification.KERNELBASE(?,?,?,00A51E12,?), ref: 00A61633
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseCreateErrorLast$ChangeEventFindHandleMultipleNotificationObjectsThreadWait
        • String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
        • API String ID: 1372344712-3599963359
        • Opcode ID: e87207b8de41e1b58a96f4049c04bd7a03588eea6a6af347332862266a25dc77
        • Instruction ID: bcd784dab4c55f63f26060c3e53324f95c4e3324a34cef7e06b657df9d0e6e7f
        • Opcode Fuzzy Hash: e87207b8de41e1b58a96f4049c04bd7a03588eea6a6af347332862266a25dc77
        • Instruction Fuzzy Hash: C6314BB6D00209FFDB10DFA8CD859AEFFB8FB08310F24486AE206F6150D3745A448B91
        APIs
        • ReadFile.KERNELBASE(00000000,?,00000008,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00A5302C
        • GetLastError.KERNEL32(?,?,?,00000000), ref: 00A53036
        • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,?,?,00000000), ref: 00A530E3
        • GetLastError.KERNEL32(?,?,?,00000000), ref: 00A530ED
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFileLastRead
        • String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$pipe.cpp
        • API String ID: 1948546556-3912962418
        • Opcode ID: c0e3e4d75b083c482a3b710dfd03428e8329ecac76b8a18a72d283e1f514649c
        • Instruction ID: 9c75447394dc2eedb66c6a54672c01a6620c9c1176cd7eead776e9521fe4ef6a
        • Opcode Fuzzy Hash: c0e3e4d75b083c482a3b710dfd03428e8329ecac76b8a18a72d283e1f514649c
        • Instruction Fuzzy Hash: 85413472A00219FFEF11AFA5CD85BAEBB78FF04741F108565F901EA091D3B48B0887A1
        APIs
        • CreateFileW.KERNELBASE(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,?,?,00A695E8,00000000,?,?,00000000,?), ref: 00A6913E
        • GetLastError.KERNEL32(?,?,00A695E8,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 00A6914C
          • Part of subcall function 00A67E2A: _memset.LIBCMT ref: 00A67E54
        • CloseHandle.KERNEL32(000000FF,?,?,00A695E8,00000000,?,?,00000000,?,?,00000000,00000000), ref: 00A69218
        Strings
        • Failed to verify catalog signature of payload: %ls, xrefs: 00A691DC
        • Failed to verify signature of payload: %ls, xrefs: 00A691BB
        • Failed to verify hash of payload: %ls, xrefs: 00A69201
        • cache.cpp, xrefs: 00A69184
        • Failed to open payload at path: %ls, xrefs: 00A69191
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseCreateErrorFileHandleLast_memset
        • String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
        • API String ID: 1470872789-2757871984
        • Opcode ID: b2031c21f72bc97a732d83cfd2397629ec354fbf690a6522ee488dd492c6b088
        • Instruction ID: cf693fd6f52b60a30bd676f7e786066b5fb7c0d68f5bba8839cb392d7d234899
        • Opcode Fuzzy Hash: b2031c21f72bc97a732d83cfd2397629ec354fbf690a6522ee488dd492c6b088
        • Instruction Fuzzy Hash: 6321F731240605FBDF235B64CD09FAF3ABAAF85760F304618F915A61A0E735DA52DB11
        APIs
        • TlsSetValue.KERNEL32(?,?), ref: 00A60E50
        • GetLastError.KERNEL32 ref: 00A60E5A
        • CoInitializeEx.OLE32(00000000,00000000), ref: 00A60E9C
        • CoUninitialize.OLE32(?,00A60347,?,?), ref: 00A60ED9
        Strings
        • Failed to pump messages in child process., xrefs: 00A60EC7
        • Failed to initialize COM., xrefs: 00A60EA8
        • elevation.cpp, xrefs: 00A60E7F
        • Failed to set elevated cache pipe into thread local storage for logging., xrefs: 00A60E89
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorInitializeLastUninitializeValue
        • String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
        • API String ID: 876858697-113251691
        • Opcode ID: 253ac7a2485cd635295cfbdc222153076fa835a0f08f9c28d920293ad3d2f1c2
        • Instruction ID: 04dcc029939ea14426fba2c5601fd0de6667048db75c850d629202aa7416dd8a
        • Opcode Fuzzy Hash: 253ac7a2485cd635295cfbdc222153076fa835a0f08f9c28d920293ad3d2f1c2
        • Instruction Fuzzy Hash: 5711CA33641535BBE7215795DC06F5F7A74EF00B61F004525F905F6290E6A6ED8043D5
        APIs
        • RegCloseKey.ADVAPI32(00000000,00000000,00000000,?,?,00020006,00000000,00000000,00000000,?,00000000,00000001), ref: 00A5732B
        • RegCloseKey.ADVAPI32(00000001,00000000,00000000,?,?,00020006,00000000,00000000,00000000,?,00000000,00000001), ref: 00A57338
          • Part of subcall function 00A8371B: RegCreateKeyExW.KERNELBASE(00000001,00000000,00000000,00000000,00000000,00000001,00A513BB,?,?,00000001,?,00A57275,?,00A513BB,00020006,00000001), ref: 00A8373F
        Strings
        • Failed to delete registration key: %ls, xrefs: 00A572DB
        • Failed to open registration key., xrefs: 00A57369
        • %ls.RebootRequired, xrefs: 00A5724F
        • Failed to write volatile reboot required registry key., xrefs: 00A57279
        • Failed to update resume mode., xrefs: 00A57310
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Close$Create
        • String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.
        • API String ID: 359002179-2517785395
        • Opcode ID: c3fc7be7277c603f1feb4ed098d30316364b7e75ec65bda96f0efd83e6fd94b3
        • Instruction ID: 07e202e8c6ed28be68c0343ed512fd4ba9b2469e8041138b31c2082a7c2165ed
        • Opcode Fuzzy Hash: c3fc7be7277c603f1feb4ed098d30316364b7e75ec65bda96f0efd83e6fd94b3
        • Instruction Fuzzy Hash: 34419D72904214FFDF21AFA0ED82CAE7BBAFF04315F14882EFA0572011D6719A18DB51
        APIs
        • _memset.LIBCMT ref: 00A7FF61
        • CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00A52A93,?,?,?,?,00000000,00000000), ref: 00A7FFB8
        • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 00A7FFC2
        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 00A8000C
        • CloseHandle.KERNEL32(00A52A93,?,?,?,?,00000000,00000000,00000000), ref: 00A80019
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseHandle$CreateErrorLastProcess_memset
        • String ID: "%ls" %ls$procutil.cpp
        • API String ID: 1393943095-4145822745
        • Opcode ID: 28428cf16ee01d179adb6673327e4706fa01cbdf698a136d00657baa91aebf40
        • Instruction ID: 12e4178da12963fca4d3b2167acea1317dff903db2fa20fd55b36abd10eb73e5
        • Opcode Fuzzy Hash: 28428cf16ee01d179adb6673327e4706fa01cbdf698a136d00657baa91aebf40
        • Instruction Fuzzy Hash: D3216D7290010AAFDB20EFE8CD819EEBBB9EB45310F14443AF505E6120D6318E45DBA2
        APIs
        • GetCurrentProcessId.KERNEL32(00000000,?,?,?), ref: 00A52A2D
          • Part of subcall function 00A81A74: GetModuleFileNameW.KERNEL32(00A52136,?,00000104,?,00000104,?,00000000,?,?,00A52136,?,00000000,?,?,?,76EEC3F0), ref: 00A81A95
        • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00A52AB2
          • Part of subcall function 00A7FF4A: _memset.LIBCMT ref: 00A7FF61
          • Part of subcall function 00A7FF4A: CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00A52A93,?,?,?,?,00000000,00000000), ref: 00A7FFB8
          • Part of subcall function 00A7FF4A: GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 00A7FFC2
          • Part of subcall function 00A7FF4A: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 00A8000C
          • Part of subcall function 00A7FF4A: CloseHandle.KERNEL32(00A52A93,?,?,?,?,00000000,00000000,00000000), ref: 00A80019
        Strings
        • Failed to allocate parameters for elevated process., xrefs: 00A52A72
        • burn.unelevated, xrefs: 00A52A56
        • %ls -%ls %ls %ls %u, xrefs: 00A52A5E
        • Failed to get current process path., xrefs: 00A52A45
        • Failed to launch parent process with unelevate disabled: %ls, xrefs: 00A52A9C
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseHandle$Process$CreateCurrentErrorFileLastModuleName_memset
        • String ID: %ls -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to get current process path.$Failed to launch parent process with unelevate disabled: %ls$burn.unelevated
        • API String ID: 1951228193-688900554
        • Opcode ID: 8706596d8c3dc156e6e6c71d0d637495ac32186b5f6316ef87c22a65813f72f8
        • Instruction ID: b595c76e31bda7489cf9ab2204fab84d0b7e3f4131ae6af98ed6f88f6b14a8bd
        • Opcode Fuzzy Hash: 8706596d8c3dc156e6e6c71d0d637495ac32186b5f6316ef87c22a65813f72f8
        • Instruction Fuzzy Hash: CD216A32D00208BF8F22FBA48D458EDBBB8BF55391B108562FA14B2121E3714B55AB61
        APIs
        • CreateThread.KERNELBASE(00000000,00000000,Function_00010E3A,?,00000000,00000000), ref: 00A611BC
        • GetLastError.KERNEL32(?,?,?,00A51DEA,?,?), ref: 00A611C8
          • Part of subcall function 00A5E8A3: WaitForSingleObject.KERNEL32(?,000493E0,00000000,?,?,00A61236,00000000,?,00A60EE7,?,00000000,?,?,?,00A51DEA,?), ref: 00A5E8B5
          • Part of subcall function 00A5E8A3: GetLastError.KERNEL32(?,?,00A61236,00000000,?,00A60EE7,?,00000000,?,?,?,00A51DEA,?,?), ref: 00A5E8BF
        • CloseHandle.KERNEL32(00000000,00000000,?,00A60EE7,?,00000000,?,?,?,00A51DEA,?,?), ref: 00A61247
        Strings
        • Failed to pump messages in child process., xrefs: 00A61221
        • Failed to create elevated cache thread., xrefs: 00A611F7
        • elevation.cpp, xrefs: 00A611ED
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$CloseCreateHandleObjectSingleThreadWait
        • String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$elevation.cpp
        • API String ID: 3606931770-4134175193
        • Opcode ID: 4218f73f3f3a685083b7dfb73fcc866df1e3d5e9a31777929bb3225de8b0243d
        • Instruction ID: ced55ff1f358496a679a1228d3cfdbbb0dbc6c59d7353302c3284f4637eb24cf
        • Opcode Fuzzy Hash: 4218f73f3f3a685083b7dfb73fcc866df1e3d5e9a31777929bb3225de8b0243d
        • Instruction Fuzzy Hash: 28411472A01219AFDB01DFA8D9819EEBBF8FF48710F10452AF909E7350D770A9418BA0
        APIs
        • lstrlenW.KERNEL32(F08B8007,057CF33B,BundleUpgradeCode,00A513BB,00000000,00000000,F08B8007,057CF33B,00020006,00000000,?,?,C53300AA), ref: 00A83C27
        • lstrlenW.KERNEL32(F08B8007,00020006,00000001,F08B8007,00020006,00000001,BundleUpgradeCode,00A513BB,00000000), ref: 00A83C88
        • lstrlenW.KERNEL32(F08B8007), ref: 00A83C8F
        • RegSetValueExW.KERNELBASE(00020006,00000000,00000000,00000007,00020006,00000000,00000001,00000000,00000000,00020006,00000001,BundleUpgradeCode,00A513BB,00000000), ref: 00A83CCB
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: lstrlen$Value
        • String ID: BundleUpgradeCode$regutil.cpp
        • API String ID: 198323757-1648651458
        • Opcode ID: dca65975dbd57e831ad0d863c6a80577896b7c7fa0850c6b8fccf09467f59180
        • Instruction ID: 1e67d93ea1766bc46bc92d06336ff4a7165012b78be3b0e6f10c3b222865e812
        • Opcode Fuzzy Hash: dca65975dbd57e831ad0d863c6a80577896b7c7fa0850c6b8fccf09467f59180
        • Instruction Fuzzy Hash: 564115B2E0021AEFDF01EFA5CD80AAEBBB9FF00744F10446AE910B7150D775EA559B60
        APIs
        • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A6C5CB
        Strings
        • Failed to append property string part., xrefs: 00A6C640
        • Failed to format property string part., xrefs: 00A6C639
        • Failed to format property value., xrefs: 00A6C62B
        • Failed to escape string., xrefs: 00A6C632
        • %s%="%s", xrefs: 00A6C5F1
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Open@16
        • String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
        • API String ID: 3613110473-515423128
        • Opcode ID: 929315a5ab18a994390398a382430140f987f4ba3d3111c3048aaf0d0fb3390e
        • Instruction ID: 31299869d2ec73fa0eacfad3f60776e36d9410a71338933e641cef502856ee04
        • Opcode Fuzzy Hash: 929315a5ab18a994390398a382430140f987f4ba3d3111c3048aaf0d0fb3390e
        • Instruction Fuzzy Hash: 5231AE76D0011AFFCF11EF98CD818BEB7B9FF04320B10956AF551A2141E3319E509B99
        APIs
        Strings
        • Failed to read package id from message buffer., xrefs: 00A5F48D
        • Failed to execute package dependency action., xrefs: 00A5F529
        • Failed to find package: %ls, xrefs: 00A5F508
        • Failed to read bundle dependency key from message buffer., xrefs: 00A5F4B0
        • Failed to read action., xrefs: 00A5F4D0
        Similarity
        • API ID: _memset
        • String ID: Failed to execute package dependency action.$Failed to find package: %ls$Failed to read action.$Failed to read bundle dependency key from message buffer.$Failed to read package id from message buffer.
        • API String ID: 2102423945-4197210911
        APIs
        • OpenProcessToken.ADVAPI32(?,00000008,00000000,76EEC3F0,?,00000000), ref: 00A7FE35
        • GetLastError.KERNEL32 ref: 00A7FE3F
        • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00A7FE72
        • GetLastError.KERNEL32 ref: 00A7FE8B
        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00A7FECB
        Strings
        Similarity
        • API ID: ErrorLastToken$ChangeCloseFindInformationNotificationOpenProcess
        • String ID: procutil.cpp
        • API String ID: 3650908616-1178289305
        APIs
        • InitializeAcl.ADVAPI32(00000000,00000008,00000002,0000001A,?,00000000,00000000,00000000,00000000,?,?,00000000,?), ref: 00A6783E
        • GetLastError.KERNEL32 ref: 00A67848
        • SetFileAttributesW.KERNELBASE(00000000,00000080,00000000,00000001,20000004,?,00000000,00000000,00000000,00000003,000007D0,00000000,00000000,00000000,00000000,?), ref: 00A678B0
        Strings
        • Failed to allocate administrator SID., xrefs: 00A6782F
        • Failed to initialize ACL., xrefs: 00A67877
        • cache.cpp, xrefs: 00A6786D
        Similarity
        • API ID: AttributesErrorFileInitializeLast
        • String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
        • API String ID: 669721577-1117388985
        APIs
        • CoInitialize.OLE32(00000000), ref: 00A84DD2
        • InterlockedIncrement.KERNEL32(00AA5E68), ref: 00A84DEF
        • CLSIDFromProgID.OLE32(Msxml2.DOMDocument,00AA5E58), ref: 00A84E0A
        • CLSIDFromProgID.OLE32(MSXML.DOMDocument,00AA5E58), ref: 00A84E16
        Strings
        Similarity
        • API ID: FromProg$IncrementInitializeInterlocked
        • String ID: MSXML.DOMDocument$Msxml2.DOMDocument
        • API String ID: 2109125048-2356320334
        APIs
        • DefWindowProcW.USER32(?,00000082,?,?), ref: 00A612C2
        • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00A612D1
        • SetWindowLongW.USER32(?,000000EB,?), ref: 00A612E5
        • DefWindowProcW.USER32(?,?,?,?), ref: 00A612F5
        • GetWindowLongW.USER32(?,000000EB), ref: 00A6130F
        • PostQuitMessage.USER32(00000000), ref: 00A6136A
        Similarity
        • API ID: Window$Long$Proc$MessagePostQuit
        • String ID:
        • API String ID: 3812958022-0
        APIs
        Strings
        • Failed to save state., xrefs: 00A60FAC
        • elevation.cpp, xrefs: 00A610C4
        • Unexpected elevated message sent to child process, msg: %u, xrefs: 00A610D3
        Similarity
        • API ID: CloseHandleMutexRelease
        • String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
        • API String ID: 4207627910-1576875097
        APIs
        • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?), ref: 00A7607B
        • GetLastError.KERNEL32 ref: 00A76085
        Strings
        • cabextract.cpp, xrefs: 00A760AF
        • Failed to move file pointer 0x%x bytes., xrefs: 00A760BC
        • Invalid seek type., xrefs: 00A75FF4
        Similarity
        • API ID: ErrorFileLastPointer
        • String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
        • API String ID: 2976181284-417918914
        APIs
        • MoveFileExW.KERNELBASE(00000003,00000001,000007D0,?,00000000,?,?,?,00A85B97,00000003,00000001,00000001,00000000,00000000,00000000), ref: 00A85A9D
        • GetLastError.KERNEL32(?,?,?,00A85B97,00000003,00000001,00000001,00000000,00000000,00000000,?,00A67625,?,00000000,00000001,00000001), ref: 00A85AAB
        • MoveFileExW.KERNELBASE(00000003,00000001,000007D0,00000001,00000000,?,?,?,00A85B97,00000003,00000001,00000001,00000000,00000000,00000000), ref: 00A85B0F
        • GetLastError.KERNEL32(?,?,?,00A85B97,00000003,00000001,00000001,00000000,00000000,00000000,?,00A67625,?,00000000,00000001,00000001), ref: 00A85B19
        Strings
        Similarity
        • API ID: ErrorFileLastMove
        • String ID: fileutil.cpp
        • API String ID: 55378915-2967768451
        APIs
        • CopyFileW.KERNELBASE(00000000,00000000,00000000,?,?,00000000,?,00A85A4A,00000000,00000000,?,?,?,00A67736,00000000,?), ref: 00A85957
        • GetLastError.KERNEL32(?,00A85A4A,00000000,00000000,?,?,?,00A67736,00000000,?,00000001,00000003,000007D0,?,?,00A69676), ref: 00A85965
        • CopyFileW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00A85A4A,00000000,00000000,?,?,?,00A67736,00000000,?,00000001), ref: 00A859C9
        • GetLastError.KERNEL32(?,00A85A4A,00000000,00000000,?,?,?,00A67736,00000000,?,00000001,00000003,000007D0,?,?,00A69676), ref: 00A859D3
        Strings
        Similarity
        • API ID: CopyErrorFileLast
        • String ID: fileutil.cpp
        • API String ID: 374144340-2967768451
        APIs
        • VariantInit.OLEAUT32(?), ref: 00A85421
        • SysAllocString.OLEAUT32(?), ref: 00A8543D
        • VariantClear.OLEAUT32(?), ref: 00A854C4
        • SysFreeString.OLEAUT32(00000000), ref: 00A854CF
        Strings
        Similarity
        • API ID: StringVariant$AllocClearFreeInit
        • String ID: xmlutil.cpp
        • API String ID: 760788290-1270936966
        APIs
          • Part of subcall function 00A8378B: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00A61F19,?,00000009,00000000,?,00A61BE1,80000002,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,?,00000001), ref: 00A8379F
        • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?,?,?,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,?,?,?,00000000), ref: 00A70E19
        • RegCloseKey.ADVAPI32(?,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,?,?,?,00000000,?,?,?,?,00000001,00000000), ref: 00A70E63
        Strings
        • Failed to open uninstall registry key., xrefs: 00A70DE2
        • Failed to enumerate uninstall key for related bundles., xrefs: 00A70E3D
        • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00A70DB6
        Similarity
        • API ID: CloseCompareOpenString
        • String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
        • API String ID: 2817536665-2531018330
        APIs
        • CreateDirectoryW.KERNELBASE(00000003,00000001,00000000,00000001,?,00A85AFC,00000001,00000000,?,?,?,00A85B97,00000003,00000001,00000001,00000000), ref: 00A865E1
        • GetLastError.KERNEL32(?,00A85AFC,00000001,00000000,?,?,?,00A85B97,00000003,00000001,00000001,00000000,00000000,00000000,?,00A67625), ref: 00A865EF
          • Part of subcall function 00A865A8: GetFileAttributesW.KERNEL32(00000003,00000000,?,00A8660C,00000003,00000000,?,00A85AFC,00000001,00000000,?,?,?,00A85B97,00000003,00000001), ref: 00A865B1
          • Part of subcall function 00A865D3: CreateDirectoryW.KERNELBASE(00000003,00000001,00000000,?,00A85AFC,00000001,00000000,?,?,?,00A85B97,00000003,00000001,00000001,00000000,00000000), ref: 00A8666A
          • Part of subcall function 00A865D3: GetLastError.KERNEL32(?,00A85AFC,00000001,00000000,?,?,?,00A85B97,00000003,00000001,00000001,00000000,00000000,00000000,?,00A67625), ref: 00A86674
        Strings
        Similarity
        • API ID: CreateDirectoryErrorLast$AttributesFile
        • String ID: dirutil.cpp
        • API String ID: 925696554-2193988115
        APIs
        Strings
        • Failed to get path for executing module., xrefs: 00A7062B
        • Failed to get container information for UX container., xrefs: 00A70614
        • Failed to open attached container., xrefs: 00A70649
        • WixBundleElevated, xrefs: 00A705D1
        Similarity
        • API ID: _memset
        • String ID: Failed to get container information for UX container.$Failed to get path for executing module.$Failed to open attached container.$WixBundleElevated
        • API String ID: 2102423945-2733515141
        APIs
          • Part of subcall function 00A82A2D: _memset.LIBCMT ref: 00A82A54
          • Part of subcall function 00A82A2D: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00A82A69
          • Part of subcall function 00A82A2D: LoadLibraryW.KERNELBASE(?,?,00000104,00A51C3B), ref: 00A82AB7
          • Part of subcall function 00A82A2D: GetLastError.KERNEL32 ref: 00A82AC3
        • GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 00A8302A
        • GetLastError.KERNEL32(?,00A516AF,00000001,00000000,?,?,?,?,00A51DEA,?,?), ref: 00A83039
        Strings
        Similarity
        • API ID: ErrorLast$AddressDirectoryLibraryLoadProcSystem_memset
        • String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
        • API String ID: 2131201312-398595594
        APIs
        Strings
        Similarity
        • API ID: #115#116
        • String ID: 2$wiutil.cpp
        • API String ID: 618785432-2873045267
        APIs
        • RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 00A8335F
        • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,?), ref: 00A83397
        • lstrlenW.KERNEL32(00000000,?,00000000,00000000,?,?,00000004,00000000,?,?,?,?,?,00020019,00000000,?), ref: 00A834A1
        Strings
        Similarity
        • API ID: QueryValue$lstrlen
        • String ID: regutil.cpp
        • API String ID: 3790715954-955085611
        APIs
        • RegEnumKeyExW.KERNELBASE(?,?,?,00000000,00000000,00000000,00000000,00000000,?,00000002,?,00000000,00000000,?,?,00A70DFE), ref: 00A8384C
        • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00A70DFE,?), ref: 00A8386E
        • RegEnumKeyExW.KERNELBASE(?,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00A70DFE,?,?,?), ref: 00A838B9
        Strings
        Similarity
        • API ID: Enum$InfoQuery
        • String ID: regutil.cpp
        • API String ID: 73471667-955085611
        APIs
        • CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,?,000000FF,?,00000000,00000030,00A5982F,?,00A5ADF0,?,00000030,00000000,00000030), ref: 00A58E9C
        • GetLastError.KERNEL32(?,00A5ADF0,?,00000030,00000000,00000030,00A5982F,?,00A5B589,?,?,00000030), ref: 00A58ED2
        Strings
        Similarity
        • API ID: CompareErrorLastString
        • String ID: Failed to compare strings.$variable.cpp
        • API String ID: 1733990998-1686915864
        APIs
          • Part of subcall function 00A8378B: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00A61F19,?,00000009,00000000,?,00A61BE1,80000002,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,?,00000001), ref: 00A8379F
        • RegCloseKey.KERNELBASE(00000000,00000000,00000000,?,?,00020019,00000000,?,?,?,?,00A70E36,?,?,?), ref: 00A70D8D
        Strings
        • Failed to open uninstall key for potential related bundle: %ls, xrefs: 00A70D01
        • Failed to initialize package from related bundle id: %ls, xrefs: 00A70D6A
        • Failed to ensure there is space for related bundles., xrefs: 00A70D39
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseOpen
        • String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
        • API String ID: 47109696-1717420724
        • Opcode ID: 4da2b8f7cb094e7011a6668c185cdb2276d70918db13cd6579a0c80eb2a1e85c
        • Instruction ID: 601b9e3b2da5314ba43d8d639de7d8f14a15540b73c70601a575a238ce367ba5
        • Opcode Fuzzy Hash: 4da2b8f7cb094e7011a6668c185cdb2276d70918db13cd6579a0c80eb2a1e85c
        • Instruction Fuzzy Hash: 6C21C376640705FFDB21DA94CD41FAE77B9EB90755F20C024F80996282E774EE00A720
        APIs
        • FormatMessageW.KERNEL32(00000900,00000000,?,00000000,?,00000000,?,00000000,00000000,?,00A7F4E7,00000000,?,00000000,?,00000001), ref: 00A7F345
        • GetLastError.KERNEL32(?,00A7F4E7,00000000,?,00000000,?,00000001,?,00A5157A,00000000,00000000,00000000,?,?,00A6971D,00000002), ref: 00A7F34F
        • LocalFree.KERNEL32(00000000,00000000,?,00000000,?,00A7F4E7,00000000,?,00000000,?,00000001,?,00A5157A,00000000,00000000,00000000), ref: 00A7F3BA
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFormatFreeLastLocalMessage
        • String ID: logutil.cpp
        • API String ID: 1365068426-3545173039
        • Opcode ID: 1031cf93e29d00a48ba2d9c38d762dfde692240666102004ddd5f12763963150
        • Instruction ID: 0935703a8c48fc97014c7287039d0e8f8c5988fd3290411ab9b8816acff1bf1d
        • Opcode Fuzzy Hash: 1031cf93e29d00a48ba2d9c38d762dfde692240666102004ddd5f12763963150
        • Instruction Fuzzy Hash: 5411CE76200209EFEB21CFA5CD46EAE3779EF94724F10802AF519DA0A0D3329B50D761
        APIs
          • Part of subcall function 00A75E49: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,00000000,?,?,00A75F51,?,?), ref: 00A75E6E
          • Part of subcall function 00A75E49: GetLastError.KERNEL32(?,00A75F51,?,?), ref: 00A75E78
        • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?), ref: 00A75F5F
        • GetLastError.KERNEL32 ref: 00A75F69
        Strings
        • cabextract.cpp, xrefs: 00A75F8E
        • Failed to read during cabinet extraction., xrefs: 00A75F98
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFileLast$PointerRead
        • String ID: Failed to read during cabinet extraction.$cabextract.cpp
        • API String ID: 2170121939-2426083571
        • Opcode ID: 0195bca8569ef2f087b78595db313d80525389ff882c0b45a2027cc43f8245d9
        • Instruction ID: 084b18fc42699153573dfaa9315fed099c20f9859c50efef3834c0b90304f3a7
        • Opcode Fuzzy Hash: 0195bca8569ef2f087b78595db313d80525389ff882c0b45a2027cc43f8245d9
        • Instruction Fuzzy Hash: C6010436600605FBDB11DF68DD05E9A3BF8FF84760F108129F918D6290D771EA01DB50
        APIs
        • CreateFileW.KERNELBASE(E900A8E1,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00A57081,?,00A55F72,00A57081,00000080,E900A8E1,00000000), ref: 00A8619A
        • GetLastError.KERNEL32(?,00A55F72,00A57081,00000080,E900A8E1,00000000,?,?,00A57081,00A513BB,?,?,?,?,?,DisplayName), ref: 00A861A7
        • FindCloseChangeNotification.KERNELBASE(00000000,00000000,00A57081,00A55F72,?,00A55F72,00A57081,00000080,E900A8E1,00000000,?,?,00A57081,00A513BB), ref: 00A861FC
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ChangeCloseCreateErrorFileFindLastNotification
        • String ID: fileutil.cpp
        • API String ID: 4091947256-2967768451
        • Opcode ID: 1cde73506be92140420d8e6751f5e517ede9da8f7e74ab36dd832471d4e466a6
        • Instruction ID: d2e63ec83ba95d630c210206884325cfe257f79d23842be9764f77e87c5dc1d2
        • Opcode Fuzzy Hash: 1cde73506be92140420d8e6751f5e517ede9da8f7e74ab36dd832471d4e466a6
        • Instruction Fuzzy Hash: 5A01F23660061277E7216B6C9D0AF9A3A25AB85770F110321FE24AB1E2EB35CC1153E1
        APIs
        • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,00000000,?,?,00A75F51,?,?), ref: 00A75E6E
        • GetLastError.KERNEL32(?,00A75F51,?,?), ref: 00A75E78
        Strings
        • cabextract.cpp, xrefs: 00A75E9D
        • Failed to move to virtual file pointer., xrefs: 00A75EA7
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFileLastPointer
        • String ID: Failed to move to virtual file pointer.$cabextract.cpp
        • API String ID: 2976181284-3005670968
        • Opcode ID: 0b73883a68766ecc697e5120259070f81142105f0a00765be01af20082075532
        • Instruction ID: 4efaa23e58b13fdb8dd5ff7de4d61b1b739e49d57c46a936e83b44debbaae6e8
        • Opcode Fuzzy Hash: 0b73883a68766ecc697e5120259070f81142105f0a00765be01af20082075532
        • Instruction Fuzzy Hash: 3C01A232740B02ABD7216A65CC05F177AA5AF81B61F20C029F54CDA160EAB5E9409794
        APIs
        • _memset.LIBCMT ref: 00A82A54
        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00A82A69
        • LoadLibraryW.KERNELBASE(?,?,00000104,00A51C3B), ref: 00A82AB7
        • GetLastError.KERNEL32 ref: 00A82AC3
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: DirectoryErrorLastLibraryLoadSystem_memset
        • String ID:
        • API String ID: 1376650706-0
        • Opcode ID: b100b665834b091b728bad27212027c52de253f7268bba166fc7a8269c86f413
        • Instruction ID: bb55257f9b26559f3cb32a907f2794ea6500b951946cc7af0c89d6a1ad1b840d
        • Opcode Fuzzy Hash: b100b665834b091b728bad27212027c52de253f7268bba166fc7a8269c86f413
        • Instruction Fuzzy Hash: 8E1138BAA0031A67EB30FB64DC49FABB7ADAF80350F204076F508D7181EA34D9458B60
        APIs
        • InitializeCriticalSection.KERNEL32(?,?,0000011C), ref: 00A51057
        • InitializeCriticalSection.KERNEL32(?,?,0000011C), ref: 00A51060
          • Part of subcall function 00A7FE13: OpenProcessToken.ADVAPI32(?,00000008,00000000,76EEC3F0,?,00000000), ref: 00A7FE35
          • Part of subcall function 00A7FE13: GetLastError.KERNEL32 ref: 00A7FE3F
          • Part of subcall function 00A7FE13: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00A7FECB
          • Part of subcall function 00A7FDAD: _memset.LIBCMT ref: 00A7FDD5
        Strings
        • Failed to verify elevation state., xrefs: 00A510B0
        • Failed to initialize engine section., xrefs: 00A510C9
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalInitializeSection$ChangeCloseErrorFindLastNotificationOpenProcessToken_memset
        • String ID: Failed to initialize engine section.$Failed to verify elevation state.
        • API String ID: 1157272915-3203524654
        • Opcode ID: 585df85eebccb1e3316f6a8790a247701d42b2ca9dffbe8d7c2830bc9ab6b545
        • Instruction ID: 4dd32155fb680f6aaee4309f7693f356a293ff0053f05f12ef476f25cf0e4922
        • Opcode Fuzzy Hash: 585df85eebccb1e3316f6a8790a247701d42b2ca9dffbe8d7c2830bc9ab6b545
        • Instruction Fuzzy Hash: 4611E9B2540215BBDB30A7B4CD06BDF73DCAF10351F10491AF905D3181EA78D94487A5
        APIs
          • Part of subcall function 00A88123: lstrlenW.KERNEL32(?,?,?,00A88243,?,?,?,00000000,?,?,?,00A6F535,?,?,?,00000000), ref: 00A88146
        • RegCloseKey.ADVAPI32(00000000,00A513BB,?,?,00A513BB,00000000,00000000,?,00A513BB,00000001,00000000), ref: 00A885CC
        • RegCloseKey.ADVAPI32(00000001,00A513BB,?,?,00A513BB,00000000,00000000,?,00A513BB,00000001,00000000), ref: 00A885E6
          • Part of subcall function 00A8371B: RegCreateKeyExW.KERNELBASE(00000001,00000000,00000000,00000000,00000000,00000001,00A513BB,?,?,00000001,?,00A57275,?,00A513BB,00020006,00000001), ref: 00A8373F
          • Part of subcall function 00A83B02: RegSetValueExW.KERNELBASE(00020006,?,00000000,00000001,?,00000000,?,000000FF,00000000,00000001,?,?,00A5698C,00000000,?,00020006), ref: 00A83B35
          • Part of subcall function 00A83B02: RegDeleteValueW.KERNELBASE(00020006,?,00000001,?,?,00A5698C,00000000,?,00020006,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000), ref: 00A83B64
          • Part of subcall function 00A8362A: RegSetValueExW.KERNELBASE(?,00020006,00000000,00000004,00A568E2,00000004,00000001,?,00A568E2,00020006,Resume,00A513BB,00000000,00000000,?,?), ref: 00A8363F
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Value$Close$CreateDeletelstrlen
        • String ID: %ls\%ls
        • API String ID: 3924016894-2125769799
        • Opcode ID: ca3c7a34b7918b8f4f85d01b5d87e8c9e2be8f303da33fcdade9207e582a6a1c
        • Instruction ID: 972455ed1ef759ec4ee58d869dd5446c86aab0b614a02e9be4b2b68ec590b14e
        • Opcode Fuzzy Hash: ca3c7a34b7918b8f4f85d01b5d87e8c9e2be8f303da33fcdade9207e582a6a1c
        • Instruction Fuzzy Hash: 8931E672D0122DBBCF12BFD4CE8589EBB7AFB08B00B544466F511A2121DBB54B51DB91
        APIs
        • #171.MSI(00000000,?,00A8A5C8,?), ref: 00A84C66
        • #171.MSI(00000000,?,?,00000000,?,00000000,00000000,?,00A8A5C8,?), ref: 00A84CA7
          • Part of subcall function 00A8497B: #115.MSI(?), ref: 00A849A8
          • Part of subcall function 00A8497B: #116.MSI(?,00000001,?), ref: 00A849C8
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: #171$#115#116
        • String ID: wiutil.cpp
        • API String ID: 2532461077-4248292292
        • Opcode ID: cdb8ec137201e8f9e9552ff3be2e4411837dff1d6fa63be8c5fb1a93e4739185
        • Instruction ID: cd45d57697baffb2beb2ff492617b37a24801491439603edf6c2a54ecc95bc0b
        • Opcode Fuzzy Hash: cdb8ec137201e8f9e9552ff3be2e4411837dff1d6fa63be8c5fb1a93e4739185
        • Instruction Fuzzy Hash: 69216BB6A0120ABBDF10FFA4CD41AAE7BBDAF08350F148439FD14E6241D734DA559B60
        APIs
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memset
        • String ID: d$srputil.cpp
        • API String ID: 2102423945-1161740003
        • Opcode ID: 9570c6ef781b872bb1b66337e3449e79a64bf6acbdb5611314c435678729418b
        • Instruction ID: c5ade80b341caee32be3c3a65a53ea4f0f940d5e8be646edc4cea58ac99b5d26
        • Opcode Fuzzy Hash: 9570c6ef781b872bb1b66337e3449e79a64bf6acbdb5611314c435678729418b
        • Instruction Fuzzy Hash: 0F11BB72B4061EBADF20DBA4CC89FBF77B8BB04B04F004569A605DB181D675DE098B50
        APIs
        • RegSetValueExW.KERNELBASE(00020006,?,00000000,00000001,?,00000000,?,000000FF,00000000,00000001,?,?,00A5698C,00000000,?,00020006), ref: 00A83B35
        • RegDeleteValueW.KERNELBASE(00020006,?,00000001,?,?,00A5698C,00000000,?,00020006,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000), ref: 00A83B64
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Value$Delete
        • String ID: regutil.cpp
        • API String ID: 1738766685-955085611
        • Opcode ID: 900544349b24a69b61eadec3c7b1a1e07790ab8af127c9ce80f63f5e1faeaf66
        • Instruction ID: 6aac48516e99362b9db91327304fd1187829f6a49a8dfa9c4abb1a3acea61585
        • Opcode Fuzzy Hash: 900544349b24a69b61eadec3c7b1a1e07790ab8af127c9ce80f63f5e1faeaf66
        • Instruction Fuzzy Hash: C411C273D51526B7DF316B54CC0ABAA7A55AF01F60F110624FD10EA190D769CF1097D0
        APIs
        • Sleep.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,20000004,?,00A678A6,00000000,00000001,20000004,?,00000000,00000000,00000000), ref: 00A7FACB
        • SetNamedSecurityInfoW.ADVAPI32(00000000,000007D0,00000003,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,20000004,?,00A678A6,00000000), ref: 00A7FAE6
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: InfoNamedSecuritySleep
        • String ID: aclutil.cpp
        • API String ID: 2352087905-2159165307
        • Opcode ID: 459723cae1cf8c28c0b90e7fae6ca8e13b453a422df6f50bc7c870f9aee50687
        • Instruction ID: 9374291006732b3d0289c1d13e9042142956a85ffdb600b95be6bd2c830c5342
        • Opcode Fuzzy Hash: 459723cae1cf8c28c0b90e7fae6ca8e13b453a422df6f50bc7c870f9aee50687
        • Instruction Fuzzy Hash: 30015B3390111AFFDF229F94DD05FDE7A69AF447A4F158224FA08A6160C376CE21AB90
        APIs
        • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00A858B2,?,?,00000000), ref: 00A857A5
        • GetLastError.KERNEL32(?,?,00A858B2,?,?,00000000), ref: 00A857AF
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFileLastWrite
        • String ID: fileutil.cpp
        • API String ID: 442123175-2967768451
        • Opcode ID: f1997629a093287eedd4429d80dc71cf6255a4c53b287bf52ce8e186852c1de4
        • Instruction ID: 1b73f06a7a000712e8de4a343cc615fef2c7432a91c16f6da09e8529ac53eb7f
        • Opcode Fuzzy Hash: f1997629a093287eedd4429d80dc71cf6255a4c53b287bf52ce8e186852c1de4
        • Instruction Fuzzy Hash: D4F04F32B00615FBDB10AF6ADC09F9F7FADEB91B60F104525BD18E7150D634EA0097A1
        APIs
        • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00A67D44,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00A85656
        • GetLastError.KERNEL32(?,00A67D44,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,00A695E8,00000000,?), ref: 00A85660
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFileLastPointer
        • String ID: fileutil.cpp
        • API String ID: 2976181284-2967768451
        • Opcode ID: 41dbcdef4447a8c3fe8cb38cfb9b8502e1ef2e3c55935465405b543db940d55a
        • Instruction ID: 9642714c922b86a859596b8a500d465f582323c0e71586e271cc0b0d41286234
        • Opcode Fuzzy Hash: 41dbcdef4447a8c3fe8cb38cfb9b8502e1ef2e3c55935465405b543db940d55a
        • Instruction Fuzzy Hash: 02F0A431A0021AABDB219F65DC08E967F69EF147A0F454135FD08DB260E635D8109BD0
        APIs
        • CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,00A51DEA,00000000,00A51DEA,?,?), ref: 00A86C81
        • CoCreateInstance.OLE32(00000000,00000000,00000001,00AA15F8,00000000), ref: 00A86C9A
        Strings
        • Microsoft.Update.AutoUpdate, xrefs: 00A86C7C
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CreateFromInstanceProg
        • String ID: Microsoft.Update.AutoUpdate
        • API String ID: 2151042543-675569418
        • Opcode ID: 1a441517c5d9eb90caaae0cf3efce07d271165885b83459178cc6bfc58d9a5b6
        • Instruction ID: d5e98e91d63a0c5be6448ca0d258589d3ecc30742b47f39b8f44dca30b17f4cc
        • Opcode Fuzzy Hash: 1a441517c5d9eb90caaae0cf3efce07d271165885b83459178cc6bfc58d9a5b6
        • Instruction Fuzzy Hash: CFF03771600309BFEF00DBF9DD05EAFB7B8AB49744F500425A605E7190DBB0AA058762
        APIs
        • GetProcessHeap.KERNEL32(00000000,?,?,00A7F71F,?,?,?,00000000,00000000,?,75C0B390,?,?,?,00A7FA98,?), ref: 00A824FE
        • RtlFreeHeap.NTDLL(00000000,?,00A7F71F,?,?,?,00000000,00000000,?,75C0B390,?,?,?,00A7FA98,?,?), ref: 00A82505
        • GetLastError.KERNEL32(?,00A7F71F,?,?,?,00000000,00000000,?,75C0B390,?,?,?,00A7FA98,?,?,?), ref: 00A82513
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Heap$ErrorFreeLastProcess
        • String ID:
        • API String ID: 406640338-0
        • Opcode ID: 75a729a1b2f7f19d09fe9b68301220f5689586dab640ec481d685f2604b92115
        • Instruction ID: c9e979f20517bd864b8008a6f949bd78676bb8a3ef880293cd0b01390d0d56a8
        • Opcode Fuzzy Hash: 75a729a1b2f7f19d09fe9b68301220f5689586dab640ec481d685f2604b92115
        • Instruction Fuzzy Hash: 0BD05E72680207BBE731ABF1EC19B7A3A9CEF24B81F104431B606C40B0EA2EC0119766
        APIs
        • VariantInit.OLEAUT32(?), ref: 00A852A1
          • Part of subcall function 00A850CA: GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,?,?,00A852B2,00000000,?,00000000), ref: 00A850E8
          • Part of subcall function 00A850CA: GetLastError.KERNEL32(?,?,00A852B2,00000000,?,00000000,?,?,?,?,?,?,?,?,00A7386B,00A52222), ref: 00A850F4
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorHandleInitLastModuleVariant
        • String ID: WixBundleElevated
        • API String ID: 52713655-4097796520
        • Opcode ID: d5ec7b2b5370424426846620adfdbf3555ec58455700f3efbe3be4269681fc8b
        • Instruction ID: 79255ae21b8c1f051783ec64f8890015931472cbbe6a178b622fb55d00a65133
        • Opcode Fuzzy Hash: d5ec7b2b5370424426846620adfdbf3555ec58455700f3efbe3be4269681fc8b
        • Instruction Fuzzy Hash: 05314D76E006199FCB00EFA8D884AEEB7F9FF89310F114469F905EB201EA75D9058B64
        APIs
        • RegCreateKeyExW.KERNELBASE(00000001,00000000,00000000,00000000,00000000,00000001,00A513BB,?,?,00000001,?,00A57275,?,00A513BB,00020006,00000001), ref: 00A8373F
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Create
        • String ID: regutil.cpp
        • API String ID: 2289755597-955085611
        • Opcode ID: a4647d9c408a226c7298b68faaa52da58b34c2e8b8e9dc7402f682643e6ac5c3
        • Instruction ID: e6c6a575d19579fbd525b077678bcae5e3e1576d0eb0227c593aaacee46b134b
        • Opcode Fuzzy Hash: a4647d9c408a226c7298b68faaa52da58b34c2e8b8e9dc7402f682643e6ac5c3
        • Instruction Fuzzy Hash: C9F04FB760122AABDF219F65DC05ABB7E98EF05BA0F014034FD05DA150D279CE20DBE4
        APIs
        • RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00A61F19,?,00000009,00000000,?,00A61BE1,80000002,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,?,00000001), ref: 00A8379F
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Open
        • String ID: regutil.cpp
        • API String ID: 71445658-955085611
        • Opcode ID: 5a88e8d21bd1d80f058c9de2ca86f2d2e335e301f24822868da6e02407a942b9
        • Instruction ID: 394379e9475f9b2517cdcc876693eb168b0f065e9f7987aa579d2087aa76d926
        • Opcode Fuzzy Hash: 5a88e8d21bd1d80f058c9de2ca86f2d2e335e301f24822868da6e02407a942b9
        • Instruction Fuzzy Hash: 9EF0BEF330021A7FEF10AEA88C91B3A3A89AF18F60F144038FA06CA192D666CD515390
        APIs
        • RegCreateKeyExW.KERNELBASE(00020006,?,00000000,00000000,00000000,?,00000000,00A5696E,00000000,00000000,00000001,?,00A5696E,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006), ref: 00A836E5
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Create
        • String ID: regutil.cpp
        • API String ID: 2289755597-955085611
        • Opcode ID: c0276b7aad7739f274640a13e4a9920bac237fce7f5b3cadc7e40adb0e1ea190
        • Instruction ID: 389ebbf3c4dccb7627fec9799d08b98a32db6fbc15638694af2d7170488d799a
        • Opcode Fuzzy Hash: c0276b7aad7739f274640a13e4a9920bac237fce7f5b3cadc7e40adb0e1ea190
        • Instruction Fuzzy Hash: DEF0E53390006577CB306AAB8D0DE9B7E29EBC2FA0F054424FA08DA050E22A8820D3E0
        APIs
        • RegSetValueExW.KERNELBASE(?,00020006,00000000,00000004,00A568E2,00000004,00000001,?,00A568E2,00020006,Resume,00A513BB,00000000,00000000,?,?), ref: 00A8363F
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Value
        • String ID: regutil.cpp
        • API String ID: 3702945584-955085611
        • Opcode ID: 60d5822445232bbcff74005513b652a961b9b72bd364af4ac3b7e29fd713d2fd
        • Instruction ID: 58b3c8328d512ef50a3b3e0ae61c39ef8ed8448be4888dedb91b6404f6fbc06b
        • Opcode Fuzzy Hash: 60d5822445232bbcff74005513b652a961b9b72bd364af4ac3b7e29fd713d2fd
        • Instruction Fuzzy Hash: 2FE0ED73A8162A77DB216A99CC0AFA77E48EB01FA0F454135BB14DA1D0E665CA1087E4
        APIs
        • GetProcessHeap.KERNEL32(?,?,?,?,00A8097E,?,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?), ref: 00A82371
        • RtlReAllocateHeap.NTDLL(00000000,?,00A8097E,?,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000), ref: 00A82378
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Heap$AllocateProcess
        • String ID:
        • API String ID: 1357844191-0
        • Opcode ID: 4d885fa880a0115cb72a6167a427702cd43608c1ff4ae887dc83e639a4fc791f
        • Instruction ID: 216b4857ed9d0d766bcf7b5f1fa2ca6d0eb58513a63a114ba5989a8de933beb8
        • Opcode Fuzzy Hash: 4d885fa880a0115cb72a6167a427702cd43608c1ff4ae887dc83e639a4fc791f
        • Instruction Fuzzy Hash: 76D0C932194209AB8F009FF4DC09C9A7B6CEB243127048402F915C2120D63AE0209B61
        APIs
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memset
        • String ID:
        • API String ID: 2102423945-0
        • Opcode ID: 09c8aad963d0da2988b171c622a1bfd523fe97a0ffa538174feb25c6d6ff2523
        • Instruction ID: cc0dd58f5fe0ed09cd1f11d891ee81bcccbc1d3eaaa77eac41aeb647d9625b21
        • Opcode Fuzzy Hash: 09c8aad963d0da2988b171c622a1bfd523fe97a0ffa538174feb25c6d6ff2523
        • Instruction Fuzzy Hash: D0219171100216ABDB38BF38CC95B7B7765EB4C721F24826AF5568A5E2E734CD80CB90
        APIs
          • Part of subcall function 00A88123: lstrlenW.KERNEL32(?,?,?,00A88243,?,?,?,00000000,?,?,?,00A6F535,?,?,?,00000000), ref: 00A88146
        • RegCloseKey.KERNELBASE(00000000,?,8000FFFF,?,?,?,8000FFFF,00000000,?,?,?,00000000,000000B9,00A737C3,?,?), ref: 00A884C9
          • Part of subcall function 00A8371B: RegCreateKeyExW.KERNELBASE(00000001,00000000,00000000,00000000,00000000,00000001,00A513BB,?,?,00000001,?,00A57275,?,00A513BB,00020006,00000001), ref: 00A8373F
          • Part of subcall function 00A83B02: RegSetValueExW.KERNELBASE(00020006,?,00000000,00000001,?,00000000,?,000000FF,00000000,00000001,?,?,00A5698C,00000000,?,00020006), ref: 00A83B35
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseCreateValuelstrlen
        • String ID:
        • API String ID: 1356686001-0
        • Opcode ID: 19d0841a1630960721fefdb85b9b3996b2a2a9152d4895389a0094ba5bcf23ec
        • Instruction ID: b9feea68b5655870a2013b774719d17cd46d335940c15ddaf22cd289b28e8778
        • Opcode Fuzzy Hash: 19d0841a1630960721fefdb85b9b3996b2a2a9152d4895389a0094ba5bcf23ec
        • Instruction Fuzzy Hash: D9213E73C00029FACF22BF98DE458CEFE79EB84740B518161F915A2020DB354E61EB90
        APIs
        • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00A6745F,-0000001C,00000000,00000000,?,?,00A68DEB), ref: 00A8200A
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: FolderPath
        • String ID:
        • API String ID: 1514166925-0
        • Opcode ID: 3a702e9d175558b52a7c947688e62be3310a43f6a986498f725c4c5e4c1810d5
        • Instruction ID: d41dd75fbda8f40bf8e9b8323e60b601bde6a1492b559e2f9c036068e058db36
        • Opcode Fuzzy Hash: 3a702e9d175558b52a7c947688e62be3310a43f6a986498f725c4c5e4c1810d5
        • Instruction Fuzzy Hash: 6BE05B7134522477E7517F959C02FDA7B6CBF19751F004011FF84AD081C6A1E551D7B9
        APIs
        • FindCloseChangeNotification.KERNELBASE(?,?), ref: 00A7612C
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ChangeCloseFindNotification
        • String ID:
        • API String ID: 2591292051-0
        • Opcode ID: 642511d472400c2ff188fc0c0411935605ce7378bf044b7f1798a96a31423607
        • Instruction ID: 3047d0027ee8dad2d8a5be0758985a0f8ac4e983f797f283d8c64a904b8ad568
        • Opcode Fuzzy Hash: 642511d472400c2ff188fc0c0411935605ce7378bf044b7f1798a96a31423607
        • Instruction Fuzzy Hash: 62F03931510A048FDB10CFA8CC48B687BE4AB09779F59C261E9198B2F2C735D812CB10
        APIs
        • TlsGetValue.KERNEL32(?), ref: 00A51350
          • Part of subcall function 00A828FD: lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00A51371,?,?,?), ref: 00A82906
          • Part of subcall function 00A828FD: _memcpy_s.LIBCMT ref: 00A8293A
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Value_memcpy_slstrlen
        • String ID:
        • API String ID: 32415546-0
        • Opcode ID: af4a5aedc41e42178ca104497c4bf2c05a3cba776d02861125348776333c2999
        • Instruction ID: 40903ffe8a24a9e3e8cce6e5966eef5084a20b40a0e292aa9d453c4697533d85
        • Opcode Fuzzy Hash: af4a5aedc41e42178ca104497c4bf2c05a3cba776d02861125348776333c2999
        • Instruction Fuzzy Hash: 96117776D00114FFCF11EFE5C9449AEFBB8BB84721F204566E911A7121F2714E48DB50
        APIs
        • lstrlenW.KERNEL32(?,?,00000000,00000000,?,00A82746,?,00A8A5C8,00000000,?,00000000,00000004,00000000,00000004,?,00000000), ref: 00A811A2
          • Part of subcall function 00A82382: GetProcessHeap.KERNEL32(00000000,?,?,00A808DD,?,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000,00000000), ref: 00A8238A
          • Part of subcall function 00A82382: HeapSize.KERNEL32(00000000,?,00A808DD,?,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000,00000000,?), ref: 00A82391
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Heap$ProcessSizelstrlen
        • String ID:
        • API String ID: 3492610842-0
        • Opcode ID: 0c52a9bc74d8a304b509513f9a0cc3c03aa85fe1943ebe36da232a9ef8eaf5e4
        • Instruction ID: 8178e1351b8e1381c6b29a0071e4293d3385388cc6e338917932dba596853bd0
        • Opcode Fuzzy Hash: 0c52a9bc74d8a304b509513f9a0cc3c03aa85fe1943ebe36da232a9ef8eaf5e4
        • Instruction Fuzzy Hash: 9801A7323402047BEB507FA5DC88F9E3B5DAF94760F10431AFF189B181D671E94287A0
        APIs
        • Sleep.KERNEL32(00A67625,00000000,00000000,?,00A67625,?,00000000,00000001,00000001,00000003,000007D0,?,?,00000000), ref: 00A85B80
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Sleep
        • String ID:
        • API String ID: 3472027048-0
        • Opcode ID: 0d711fddd872593d88a8687499e34a1ee61bac522eb86f280e8c768ec3347452
        • Instruction ID: b120a7f993c559a78be2e456f3a2a630faf8bac081e5a6425a81d959516fb025
        • Opcode Fuzzy Hash: 0d711fddd872593d88a8687499e34a1ee61bac522eb86f280e8c768ec3347452
        • Instruction Fuzzy Hash: E4F0273280151AE7CF327F699C4CA9E7A54AB643B0F244216FD09C5030E27ACCA19BD6
        APIs
        • Sleep.KERNEL32(00000000,?,?,00A67736,00000000,?,00000001,00000003,000007D0,?,?,00A69676,00000000,00000000,00000000,00000000), ref: 00A85A36
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Sleep
        • String ID:
        • API String ID: 3472027048-0
        • Opcode ID: eb0af231a6cc0fe338bcfc5f203cacdfac1eb4dc8028a1f20c30a4261e8457ce
        • Instruction ID: 1268a2fd1cf9ba4e56084ce13332b199df5f2105e21229e7b4acc72be30a9fa1
        • Opcode Fuzzy Hash: eb0af231a6cc0fe338bcfc5f203cacdfac1eb4dc8028a1f20c30a4261e8457ce
        • Instruction Fuzzy Hash: 06E03032840E1ED7CB29BB689CCD69EFA94AF047E0B198315ED09D6031D226CDA197D6
        APIs
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memset
        • String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$Failed to move file pointer to beginning of file.$cache.cpp
        • API String ID: 2102423945-1888235766
        • Opcode ID: 879c665d9092f9c750a3f30551344bd80bbe2c74018e504f22bdffd8c700351d
        • Instruction ID: db7dbaefc269163f5e102b3d41f1ce3e49549ff8c82c43dc168df249a5f86dab
        • Opcode Fuzzy Hash: 879c665d9092f9c750a3f30551344bd80bbe2c74018e504f22bdffd8c700351d
        • Instruction Fuzzy Hash: 71819072D10219AFDF20EFA4CD81AEEBBF8BF08314F15462AE904F7251E6754D458BA1
        APIs
        • GetCurrentProcess.KERNEL32(00000020,00A51F6E,00000000,?,00000000,?,00A51F6E,?,?,?,?,?), ref: 00A513E4
        • OpenProcessToken.ADVAPI32(00000000,?,00A51F6E,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A513EB
        • GetLastError.KERNEL32(?,00A51F6E,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A513F5
        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00A51445
        • GetLastError.KERNEL32(?,00A51F6E,?,?,?), ref: 00A5144F
        • AdjustTokenPrivileges.ADVAPI32(00A51F6E,00000000,?,00000010,00000000,00000000,?,00A51F6E,?,?,?), ref: 00A51494
        • GetLastError.KERNEL32(?,00A51F6E,?,?,?), ref: 00A5149E
        • Sleep.KERNEL32(000003E8,?,00A51F6E,?,?,?), ref: 00A514DB
        • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 00A514EB
        • GetLastError.KERNEL32(?,00A51F6E,?,?,?), ref: 00A514F5
        • CloseHandle.KERNEL32(00A51F6E), ref: 00A5154F
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
        • String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$engine.cpp
        • API String ID: 2241679041-1583736410
        • Opcode ID: 410a57479e3caaf6e424c3998e8cd082d5f7eba065315cf8e0335fd35e36ff48
        • Instruction ID: a15fcd67a9ffe84e3aac9b978dce45f3a683b0ab8c4613efebe425d91a38ebd2
        • Opcode Fuzzy Hash: 410a57479e3caaf6e424c3998e8cd082d5f7eba065315cf8e0335fd35e36ff48
        • Instruction Fuzzy Hash: 3E410972A40116BEE720ABE59D8DBBFBAB8BB10711F14053AF902F6090F27D4D454792
        APIs
        • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 00A535D2
        • GetLastError.KERNEL32(00000000,00A517A1,00A5BD3C,00A5130D,?), ref: 00A535DB
        • CreateNamedPipeW.KERNEL32(00A5130D,00080003,00000000,00000001,00010000,00010000,00000001,?,00A5130D,00000000,00A517A1,00A5BD3C,00A5130D,?), ref: 00A5368E
        • GetLastError.KERNEL32 ref: 00A53698
        • CloseHandle.KERNEL32(?,pipe.cpp,0000014E,000000FF), ref: 00A5371E
        • LocalFree.KERNEL32(?,00A5130D), ref: 00A5373E
        • CreateNamedPipeW.KERNEL32(00A5130D,00080003,00000000,00000001,00010000,00010000,00000001,00000000), ref: 00A53759
        • GetLastError.KERNEL32 ref: 00A53760
        Strings
        • \\.\pipe\%ls.Cache, xrefs: 00A536F3
        • pipe.cpp, xrefs: 00A53605, 00A536C2, 00A5378A
        • D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 00A535CD
        • Failed to allocate full name of cache pipe: %ls, xrefs: 00A5370D
        • \\.\pipe\%ls, xrefs: 00A5363C
        • Failed to create the security descriptor for the connection event and pipe., xrefs: 00A5360F
        • Failed to create pipe: %ls, xrefs: 00A536CF, 00A53797
        • Failed to allocate full name of pipe: %ls, xrefs: 00A53653
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$CreateDescriptorNamedPipeSecurity$CloseConvertFreeHandleLocalString
        • String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
        • API String ID: 1214480349-3253666091
        • Opcode ID: c0713e3b827d8ecfca8fb150ec8ad532311150bdfc70b1f43f111eab068f617d
        • Instruction ID: 041caae4780fc75389255e50b528e1977f17e57b90111c26dfc3e4d2869afc95
        • Opcode Fuzzy Hash: c0713e3b827d8ecfca8fb150ec8ad532311150bdfc70b1f43f111eab068f617d
        • Instruction Fuzzy Hash: 515170B2D00209FFDF11EFA4CD46AAEBBB5FF08351F204569F904A62A0D3758B549B51
        APIs
          • Part of subcall function 00A85640: SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00A67D44,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00A85656
          • Part of subcall function 00A85640: GetLastError.KERNEL32(?,00A67D44,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,00A695E8,00000000,?), ref: 00A85660
        • InternetReadFile.WININET(?,00000000,?,?), ref: 00A769D6
        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00A76A05
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: File$ErrorInternetLastPointerReadWrite
        • String ID: Failed to seek to start point in file.$Failed to write data from internet.$Failed while reading from internet.$UX aborted on cache progress.$downloadengine.cpp
        • API String ID: 1734627056-3175886020
        • Opcode ID: d14cc2d4776271d4c25095ec7fcadab1c008900c6f0c6933af3e7f2c311db14e
        • Instruction ID: f878b2ca1e2c4890c03b3f3ca0ec8666156f73e287bab45033afba4571349345
        • Opcode Fuzzy Hash: d14cc2d4776271d4c25095ec7fcadab1c008900c6f0c6933af3e7f2c311db14e
        • Instruction Fuzzy Hash: A3415BB2A4060AFFDF10DFA48D85AAEBBB9FF54340F20C92AF519E6051D7359A509B10
        APIs
        • CryptHashPublicKeyInfo.CRYPT32(00000000,00008004,00000000,00000001,?,?,00000014), ref: 00A68170
        • GetLastError.KERNEL32 ref: 00A6820C
        Strings
        • Failed to get certificate public key identifier., xrefs: 00A6823B
        • Failed to read certificate thumbprint., xrefs: 00A68242
        • Failed to find expected public key in certificate chain., xrefs: 00A68254
        • cache.cpp, xrefs: 00A68231
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CryptErrorHashInfoLastPublic
        • String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
        • API String ID: 823482589-3408201827
        • Opcode ID: e0f58cf20a75793baebced0141ed2f2303132352e41fc8ce09926133c501d41d
        • Instruction ID: 0b33fc7e19bcd4c9008576635a747d00680c0089421207cae4a63e66bc5f4035
        • Opcode Fuzzy Hash: e0f58cf20a75793baebced0141ed2f2303132352e41fc8ce09926133c501d41d
        • Instruction Fuzzy Hash: A2417D71A002199FCB10DF68C950AEEB7F8BF48710F114655E920FB290DB789942CBA4
        APIs
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLastNameUser
        • String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
        • API String ID: 2054405381-1522884404
        • Opcode ID: 2e04196ce81be5feb4628257d491a063ae49ac7d8247d817c99b3eaccac4b05b
        • Instruction ID: 0328fecf2a762d598855a836f7bb214606a1d6dfab9283598244d0deb64ebe4f
        • Opcode Fuzzy Hash: 2e04196ce81be5feb4628257d491a063ae49ac7d8247d817c99b3eaccac4b05b
        • Instruction Fuzzy Hash: B801F932600329EBD721EB68DC09BEF77ACBF04750F104166F908EA291DA78DD0647A1
        APIs
        • IsDebuggerPresent.KERNEL32 ref: 00A79F4F
        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A79F64
        • UnhandledExceptionFilter.KERNEL32(00A9F6B8), ref: 00A79F6F
        • GetCurrentProcess.KERNEL32(C0000409), ref: 00A79F8B
        • TerminateProcess.KERNEL32(00000000), ref: 00A79F92
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
        • String ID:
        • API String ID: 2579439406-0
        • Opcode ID: cfb8f42f61ff575d6b0ef39e27d42af35cb8431bab90cfdb4359fa567ebdace7
        • Instruction ID: 00fb0d43133c3c23309f31341fe3f26996c89d0b143fa8bb9430494e81b1bec1
        • Opcode Fuzzy Hash: cfb8f42f61ff575d6b0ef39e27d42af35cb8431bab90cfdb4359fa567ebdace7
        • Instruction Fuzzy Hash: 9921C574802B46EFD750DFB4FC456467BF0BB4A320F50401AE5089B6B1E7B45896CF0A
        APIs
        • GetTimeZoneInformation.KERNEL32(?,00AA0B94,?), ref: 00A87DCE
        • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 00A87DE0
        Strings
        • %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 00A87E28
        • %04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 00A87DB7
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Time$InformationLocalSpecificSystemZone
        • String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ
        • API String ID: 1772835396-395410266
        • Opcode ID: e28f8fd6c413c5bfdbe4cd4bce6e615fbe02522bcefa13d09e04173cc8abc940
        • Instruction ID: 6f56ebcbbbbe8decc5282fa617f5ad6c7f4a4895e9e398af9e02cd325ba29336
        • Opcode Fuzzy Hash: e28f8fd6c413c5bfdbe4cd4bce6e615fbe02522bcefa13d09e04173cc8abc940
        • Instruction Fuzzy Hash: 4A2109A2900128FADB24DFA98C05EBBB3FDAB4D711F04855AB945E6190E738DE81D770
        Strings
        • Failed create working folder., xrefs: 00A683B9
        • Failed to copy working folder., xrefs: 00A683E1
        • Failed to calculate working folder to ensure it exists., xrefs: 00A683A3
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLastPathTemp_memset
        • String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
        • API String ID: 623060366-2072961686
        • Opcode ID: 0c0ccee2c15a68b404a4932af63393a72203b506eb85b8347e9fed372a664523
        • Instruction ID: 5c07d4570d745d7f508ac2f893fa320924083363996f3e4329db5586dccc6172
        • Opcode Fuzzy Hash: 0c0ccee2c15a68b404a4932af63393a72203b506eb85b8347e9fed372a664523
        • Instruction Fuzzy Hash: C201F772A09128FFCF10BF949EC58DDB7BCEA00B95710467AF6017B210DA750F40A790
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: StringVariant$AllocClearFreeInit
        • String ID: AsyncInstall$AsyncRepair$AsyncUninstall$Code$DetectCondition$ExitCode$Failed to allocate memory for exit code structs.$Failed to convert @Code value: %ls$Failed to get @AsyncInstall.$Failed to get @AsyncRepair.$Failed to get @AsyncUninstall.$Failed to get @Code.$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @Type.$Failed to get @UninstallArguments.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$InstallArguments$Invalid exit code type: %ls$Protocol$RepairArguments$Repairable$Type$UninstallArguments$burn$error$exeengine.cpp$forceReboot$netfx4$none$scheduleReboot$success
        • API String ID: 760788290-4137368201
        • Opcode ID: d1841697c3a1ce8e8712c2a75b4fa4af037704d3e2d82babe7a5cae18db9ca1b
        • Instruction ID: 03f27dc3438695aa4694ca323ac877a47d2668a386b05c37616c755ff95abf8e
        • Opcode Fuzzy Hash: d1841697c3a1ce8e8712c2a75b4fa4af037704d3e2d82babe7a5cae18db9ca1b
        • Instruction Fuzzy Hash: 35C1CF31B80626BBDB119BA4CC41FAF7BB8BF21B50F204611F915BB291DB759D408B92
        APIs
          • Part of subcall function 00A8540B: VariantInit.OLEAUT32(?), ref: 00A85421
          • Part of subcall function 00A8540B: SysAllocString.OLEAUT32(?), ref: 00A8543D
          • Part of subcall function 00A8540B: VariantClear.OLEAUT32(?), ref: 00A854C4
          • Part of subcall function 00A8540B: SysFreeString.OLEAUT32(00000000), ref: 00A854CF
        • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000001,Packaging,00000000,00000001,FilePath,?,00000001,00A8BBB0,?,00000000), ref: 00A54E9D
        • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,embedded,000000FF), ref: 00A54EBD
        • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,external,000000FF), ref: 00A54EDB
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: String$Compare$Variant$AllocClearFreeInit
        • String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$X$download$embedded$external$payload.cpp
        • API String ID: 937563602-2914604125
        • Opcode ID: 4a526e009122fb2b8702d9030033ffab3785cde86cda3557cf7bf296be0157d3
        • Instruction ID: 3364b3804b5fb2eb341b1c50b63bd67acb614520b58ec3a81d9973504aa06b06
        • Opcode Fuzzy Hash: 4a526e009122fb2b8702d9030033ffab3785cde86cda3557cf7bf296be0157d3
        • Instruction Fuzzy Hash: 44C18432D40E29BFCB21BA64CD51EADBA74BB04B21F210761FD11B7190D771AE499FA0
        APIs
        • _memset.LIBCMT ref: 00A6A308
        • _memset.LIBCMT ref: 00A6A341
        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,?,00A737C3), ref: 00A6A936
        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,?,00A737C3), ref: 00A6A94C
        Strings
        • Failed to create executable command., xrefs: 00A6A466
        • D, xrefs: 00A6A745
        • Failed to wait for executable to complete: %ls, xrefs: 00A6A883
        • Failed to append the list of ancestors to the command line., xrefs: 00A6A5AB
        • Failed to append the list of dependencies to ignore to the command line., xrefs: 00A6A543
        • burn.ancestors, xrefs: 00A6A58A, 00A6A5BB
        • Failed to run bundle asynchronously from path: %ls, xrefs: 00A6A6A7
        • 2, xrefs: 00A6A7D3
        • Failed to get action arguments for executable package., xrefs: 00A6A3E2
        • Failed to run netfx chainer: %ls, xrefs: 00A6A6F5
        • Failed to run bundle as embedded from path: %ls, xrefs: 00A6A660
        • Failed to get cached path for package: %ls, xrefs: 00A6A387
        • Failed to CreateProcess on path: %ls, xrefs: 00A6A794
        • Failed to append the list of dependencies to ignore to the obfuscated command line., xrefs: 00A6A57B
        • Failed to format obfuscated argument string., xrefs: 00A6A48F
        • Failed to get bundle element., xrefs: 00A6A521
        • burn.ignoredependencies, xrefs: 00A6A522, 00A6A560
        • Failed to build executable path., xrefs: 00A6A3BD
        • exeengine.cpp, xrefs: 00A6A784, 00A6A830, 00A6A864
        • Bootstrapper application aborted during EXE progress., xrefs: 00A6A86E
        • %ls -%ls=%ls, xrefs: 00A6A518, 00A6A533, 00A6A56B, 00A6A59B, 00A6A5C6
        • Failed to format argument string., xrefs: 00A6A439
        • "%ls" %s, xrefs: 00A6A452, 00A6A4AB
        • "%ls", xrefs: 00A6A4C7, 00A6A4E7
        • Process returned error: 0x%x, xrefs: 00A6A840
        • Failed to append the list of ancestors to the obfuscated command line., xrefs: 00A6A5D6
        • Failed to create obfuscated executable command., xrefs: 00A6A4FB
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseHandle_memset
        • String ID: "%ls"$"%ls" %s$%ls -%ls=%ls$2$Bootstrapper application aborted during EXE progress.$D$Failed to CreateProcess on path: %ls$Failed to append the list of ancestors to the command line.$Failed to append the list of ancestors to the obfuscated command line.$Failed to append the list of dependencies to ignore to the command line.$Failed to append the list of dependencies to ignore to the obfuscated command line.$Failed to build executable path.$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$Failed to get action arguments for executable package.$Failed to get bundle element.$Failed to get cached path for package: %ls$Failed to run bundle as embedded from path: %ls$Failed to run bundle asynchronously from path: %ls$Failed to run netfx chainer: %ls$Failed to wait for executable to complete: %ls$Process returned error: 0x%x$burn.ancestors$burn.ignoredependencies$exeengine.cpp
        • API String ID: 900656945-2335447641
        • Opcode ID: 3a6a073325a3fb69041a866c1be339b8d0f3cdffad3ec5b3e495ecef0dd7fad1
        • Instruction ID: 14d1ec1d98ad0a9c3e491e34c2368acd6dadd5a135f228f0a1aa4ebce126f4d9
        • Opcode Fuzzy Hash: 3a6a073325a3fb69041a866c1be339b8d0f3cdffad3ec5b3e495ecef0dd7fad1
        • Instruction Fuzzy Hash: 9602AF72A40219AFCF21AFA4CD89EADB7B5FB24300F1444E9F109B3161DB359E819F12
        APIs
        • _memset.LIBCMT ref: 00A6EA39
        • GetCurrentProcess.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,00A60DED,00000007,?,?,Function_0000F67C,?,?), ref: 00A6EA62
          • Part of subcall function 00A7FEDA: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,00000000,?,?,00A5911F,00000000), ref: 00A7FEEE
          • Part of subcall function 00A7FEDA: GetProcAddress.KERNEL32(00000000), ref: 00A7FEF5
          • Part of subcall function 00A7FEDA: GetLastError.KERNEL32(?,?,00A5911F,00000000), ref: 00A7FF0C
        • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?), ref: 00A6EC95
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,wusa.exe,?,00000025,?,00000000), ref: 00A6EC9F
        • GetExitCodeProcess.KERNEL32(?,?), ref: 00A6ED2C
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,wusa.exe,?,00000025,?,00000000), ref: 00A6ED36
        • CloseHandle.KERNEL32(?,?,000001F4,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025,?), ref: 00A6EE48
        • CloseHandle.KERNEL32(?,?,000001F4,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025,?), ref: 00A6EE55
        Strings
        • Failed to wait for executable to complete: %ls, xrefs: 00A6ED99
        • msuengine.cpp, xrefs: 00A6ECC4, 00A6ED5B, 00A6ED82
        • Failed to build MSU path., xrefs: 00A6EB66
        • Failed to determine WOW64 status., xrefs: 00A6EA74
        • Failed to get cached path for package: %ls, xrefs: 00A6EB36
        • Failed to CreateProcess on path: %ls, xrefs: 00A6ECD1
        • Failed to find System32 directory., xrefs: 00A6EAD0
        • Failed to find Windows directory., xrefs: 00A6EA94
        • Bootstrapper application aborted during MSU progress., xrefs: 00A6ED8C
        • wusa.exe, xrefs: 00A6EADE
        • "%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 00A6EBA3
        • Failed to format MSU uninstall command., xrefs: 00A6EBB7
        • "%ls" "%ls" /quiet /norestart, xrefs: 00A6EB79
        • Failed to format MSU install command., xrefs: 00A6EB8D
        • Failed to append log switch to MSU command-line., xrefs: 00A6EBDF
        • /log:, xrefs: 00A6EBCB
        • Failed to ensure WU service was enabled to install MSU package., xrefs: 00A6EC5E
        • Failed to get process exit code., xrefs: 00A6ED65
        • Failed to get action arguments for MSU package., xrefs: 00A6EB10
        • SysNative\, xrefs: 00A6EAA2
        • Failed to append log path to MSU command-line., xrefs: 00A6EBF9
        • 2, xrefs: 00A6ECF4
        • Failed to allocate WUSA.exe path., xrefs: 00A6EAF1
        • D, xrefs: 00A6EC88
        • Failed to append SysNative directory., xrefs: 00A6EAB5
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorHandleLastProcess$Close$AddressCodeCreateCurrentExitModuleProc_memset
        • String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$msuengine.cpp$wusa.exe
        • API String ID: 3952624013-2978926632
        • Opcode ID: f4c23cc186cb7478f110727b46a7f2ace5d924394088fe8864cbe5b50c79aec7
        • Instruction ID: 9d2ca0c55fcc366b98e887a3ede123215795699f5df91c7da0844bb127a61c44
        • Opcode Fuzzy Hash: f4c23cc186cb7478f110727b46a7f2ace5d924394088fe8864cbe5b50c79aec7
        • Instruction Fuzzy Hash: B6C1CE7AA00219FFDF11EF94CD85DAEBBBAFF14B50F148422F505A7150DA358E828B91
        APIs
        • EnterCriticalSection.KERNEL32(?,00000000,?,80070490,?,?,?,?,?,?,?,?,00A73A1D,?,?,?), ref: 00A5A0F2
        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,00A73A1D,?,?,?,?,?,Chain), ref: 00A5A408
        Strings
        • numeric, xrefs: 00A5A20D
        • Failed to get @Value., xrefs: 00A5A3BC
        • Persisted, xrefs: 00A5A199
        • Failed to change variant type., xrefs: 00A5A3D1
        • Invalid value for @Type: %ls, xrefs: 00A5A37A
        • Type, xrefs: 00A5A1F2
        • string, xrefs: 00A5A23F
        • Failed to insert variable '%ls'., xrefs: 00A5A3ED
        • Failed to get next node., xrefs: 00A5A3A0
        • Initializing string variable '%ls' to value '%ls', xrefs: 00A5A25D
        • Failed to set variant value., xrefs: 00A5A3C3
        • Hidden, xrefs: 00A5A17E
        • Value, xrefs: 00A5A1B4
        • Initializing numeric variable '%ls' to value '%ls', xrefs: 00A5A22B
        • Failed to find variable value '%ls'., xrefs: 00A5A3E3
        • Failed to get variable node count., xrefs: 00A5A12C
        • Failed to get @Hidden., xrefs: 00A5A3AE
        • version, xrefs: 00A5A270
        • Attempt to set built-in variable value: %ls, xrefs: 00A5A399
        • Initializing version variable '%ls' to value '%ls', xrefs: 00A5A292
        • Failed to get @Type., xrefs: 00A5A3CA
        • Initializing hidden variable '%ls', xrefs: 00A5A2AF
        • Failed to set value of variable: %ls, xrefs: 00A5A3F7
        • variable.cpp, xrefs: 00A5A38C
        • Failed to select variable nodes., xrefs: 00A5A10F
        • Variable, xrefs: 00A5A0FC
        • Failed to get @Persisted., xrefs: 00A5A3B5
        • Failed to get @Id., xrefs: 00A5A3A7
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalSection$EnterLeave
        • String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
        • API String ID: 3168844106-1657652604
        • Opcode ID: f64faaa4a9731a181b53126c822c4428ce32422b2357b0a8622928d9b1f24e8a
        • Instruction ID: 8f81e320ac50df28af19fcb85ee0a2cf7b3e2f65fa0b39741d44b764b6ade91a
        • Opcode Fuzzy Hash: f64faaa4a9731a181b53126c822c4428ce32422b2357b0a8622928d9b1f24e8a
        • Instruction Fuzzy Hash: DDA1BE76E00129FFCB10BF90CD86CAEBB75BB24315F10466AF911BB161D3718E459B82
        APIs
        • _memset.LIBCMT ref: 00A74D66
        • UuidCreate.RPCRT4(?), ref: 00A74D7E
        • StringFromGUID2.OLE32(?,?,00000027), ref: 00A74D9F
        • CloseHandle.KERNEL32(?,NetFxChainer.cpp,000001A8,00000000,?,?,?,?), ref: 00A750A1
        • CloseHandle.KERNEL32(?,NetFxChainer.cpp,000001A8,00000000,?,?,?,?), ref: 00A750B7
        Strings
        • Failed to allocate section name., xrefs: 00A74DE5
        • %ls /pipe %ls, xrefs: 00A74E45
        • Failed to wait for netfx chainer process to complete, xrefs: 00A75050
        • Failed to allocate event name., xrefs: 00A74E0A
        • NetFxSection.%ls, xrefs: 00A74DCF
        • NetFxEvent.%ls, xrefs: 00A74DF6
        • Failed to send internal error message from netfx chainer., xrefs: 00A7501A
        • Failed to create netfx chainer., xrefs: 00A74E29
        • NetFxChainer.cpp, xrefs: 00A74DB4, 00A74EB7, 00A74FBD, 00A75046
        • Failed to create netfx chainer guid., xrefs: 00A74D8B
        • Failed to allocate netfx chainer arguments., xrefs: 00A74E59
        • Failed to CreateProcess on path: %ls, xrefs: 00A74EC4
        • Failed to convert netfx chainer guid into string., xrefs: 00A74DBE
        • D, xrefs: 00A74E7B
        • Failed to get netfx return code., xrefs: 00A74FC7
        • Failed to process netfx chainer message., xrefs: 00A74F18
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseHandle$CreateFromStringUuid_memset
        • String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to send internal error message from netfx chainer.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
        • API String ID: 2223292257-4284037740
        • Opcode ID: d7381afb145720c324e59bd6ff0dd5dc588c7f5fcfc87de9f107e1c48142f604
        • Instruction ID: ff7bb349c2f27ddc6c423d0678337cc6b8f1dc8741f5dd2ecc8db7378945bbfc
        • Opcode Fuzzy Hash: d7381afb145720c324e59bd6ff0dd5dc588c7f5fcfc87de9f107e1c48142f604
        • Instruction Fuzzy Hash: EDA1AE31A40709AFEF209BB4CD85FAEBBB9BB08710F10C56AE60CA7151E7B599418F51
        APIs
        • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A579DC
        • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A57A02
        • RegCloseKey.ADVAPI32(00A58B40,?,00000000,?,00000000,?,?,?,?,00000000), ref: 00A57D07
        Strings
        • Failed to get expand environment string., xrefs: 00A57C6D
        • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00A57AA3
        • Failed to clear variable., xrefs: 00A57A5D
        • Failed to format value string., xrefs: 00A57A0D
        • Failed to allocate string buffer., xrefs: 00A57BF8
        • Failed to set variable., xrefs: 00A57CBF
        • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 00A57CD4
        • Failed to query registry key value., xrefs: 00A57B6B
        • Unsupported registry key value type. Type = '%u', xrefs: 00A57B93
        • Failed to query registry key value size., xrefs: 00A57AE7
        • Registry key not found. Key = '%ls'; variable = '%ls', xrefs: 00A57A37
        • Failed to format key string., xrefs: 00A579E7
        • Failed to allocate memory registry value., xrefs: 00A57B1B
        • search.cpp, xrefs: 00A57ADD, 00A57B11, 00A57B61, 00A57C63
        • Failed to open registry key., xrefs: 00A57A72
        • Failed to change value type., xrefs: 00A57CA1
        • Failed to read registry value., xrefs: 00A57C88
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Open@16$Close
        • String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'; variable = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
        • API String ID: 2348241696-822975546
        • Opcode ID: 563cf362abfa467d8b307cc1d3825dfc1abc1ec78c2b0f521c5dbe105a729518
        • Instruction ID: 071c3e0f363c286b9ff915e18af10c8c84c5e3134eb5e8917db1c6344e181946
        • Opcode Fuzzy Hash: 563cf362abfa467d8b307cc1d3825dfc1abc1ec78c2b0f521c5dbe105a729518
        • Instruction Fuzzy Hash: 07A10572D4412AFBDF12EBA4DD02EBEBA79BF04711F118565FD00B6291D631CE089BA1
        APIs
        • lstrlenW.KERNEL32(CADCE856,00000000,00A5130D,80070642,?,00A5BD3C,00A5130D,?,75C0B390,?,?,00A5130D), ref: 00A52BDC
        • GetCurrentProcessId.KERNEL32(?,00A5BD3C,00A5130D,?,75C0B390,?,?,00A5130D), ref: 00A52BE7
        • SetNamedPipeHandleState.KERNEL32(?,?,00000000,00000000,?,00A5BD3C,00A5130D,?,75C0B390,?), ref: 00A52C23
        • ConnectNamedPipe.KERNEL32(?,00000000,?,00A5BD3C,00A5130D,?,75C0B390,?), ref: 00A52C3E
        • GetLastError.KERNEL32(?,00A5BD3C,00A5130D,?,75C0B390,?), ref: 00A52C48
        • Sleep.KERNEL32(00000064,?,00A5BD3C,00A5130D,?,75C0B390,?), ref: 00A52C73
        • SetNamedPipeHandleState.KERNEL32(?,00000001,00000000,00000000,?,00A5BD3C,00A5130D,?,75C0B390,?), ref: 00A52CAB
        • WriteFile.KERNEL32(?,?,00000004,000000FF,00000000,?,00A5BD3C,00A5130D,?,75C0B390,?), ref: 00A52CCC
        • WriteFile.KERNEL32(?,75C0B390,?,000000FF,00000000,?,00A5BD3C,00A5130D,?,75C0B390,?), ref: 00A52CED
        • WriteFile.KERNEL32(?,?,00000004,000000FF,00000000,?,00A5BD3C,00A5130D,?,75C0B390,?), ref: 00A52D0E
        • ReadFile.KERNEL32(?,00A5130D,00000004,000000FF,00000000,?,00A5BD3C,00A5130D,?,75C0B390,?), ref: 00A52D2F
        • GetLastError.KERNEL32(?,00A5BD3C,00A5130D,?,75C0B390,?), ref: 00A52D6E
        • GetLastError.KERNEL32(?,00A5BD3C,00A5130D,?,75C0B390,?), ref: 00A52DA1
        • GetLastError.KERNEL32(?,00A5BD3C,00A5130D,?,75C0B390,?), ref: 00A52DD4
        • GetLastError.KERNEL32(?,00A5BD3C,00A5130D,?,75C0B390,?), ref: 00A52E07
        • GetLastError.KERNEL32(?,00A5BD3C,00A5130D,?,75C0B390,?), ref: 00A52E37
        • GetLastError.KERNEL32(?,00A5BD3C,00A5130D,?,75C0B390,?), ref: 00A52E67
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
        • String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$pipe.cpp
        • API String ID: 2944378912-2009266399
        • Opcode ID: ca587bbc22bacbef7d1dc58fc99f891f664de23429a79a64a698bf052db5c72b
        • Instruction ID: f9ec79bb6cf8e724d4e8e2c4cc0aaf26714f4e8cda1692cffe5e911ea04c6385
        • Opcode Fuzzy Hash: ca587bbc22bacbef7d1dc58fc99f891f664de23429a79a64a698bf052db5c72b
        • Instruction Fuzzy Hash: 23710572B50216BBE720DFD8DD4AFAE7AF8BF19711F144125BD00EA1A0D774C9058BA2
        APIs
          • Part of subcall function 00A8233B: GetProcessHeap.KERNEL32(?,?,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000), ref: 00A8234C
          • Part of subcall function 00A8233B: RtlAllocateHeap.NTDLL(00000000,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000,00000000), ref: 00A82353
        • CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000018,00000001,00000000,00000000,00000000,?,?,00A74E23,?,?,?), ref: 00A74A7E
        • GetLastError.KERNEL32(?,?,00A74E23,?,?,?), ref: 00A74A8B
        • ReleaseMutex.KERNEL32(?), ref: 00A74CF7
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
        • String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
        • API String ID: 3944734951-2991465304
        • Opcode ID: af23495e991b739dbb129917bd9cf3a1ce722190972639cbb6b687d1b4f7937d
        • Instruction ID: bd008f1bc452a55bb821541df58f6b146dabebeae46c39c31f12b8aafc98e718
        • Opcode Fuzzy Hash: af23495e991b739dbb129917bd9cf3a1ce722190972639cbb6b687d1b4f7937d
        • Instruction Fuzzy Hash: 3471F1B2240305BFDB20AF60CD89E6A7AF5AB58314F24C93CF20A9B251D775DD458B21
        APIs
        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00A77D3B), ref: 00A799A3
        • __mtterm.LIBCMT ref: 00A799AF
          • Part of subcall function 00A796E8: DecodePointer.KERNEL32(00000005,00A79B11,?,00A77D3B), ref: 00A796F9
          • Part of subcall function 00A796E8: TlsFree.KERNEL32(00000011,00A79B11,?,00A77D3B), ref: 00A79713
          • Part of subcall function 00A796E8: DeleteCriticalSection.KERNEL32(00000000,00000000,76EF5810,?,00A79B11,?,00A77D3B), ref: 00A7B698
          • Part of subcall function 00A796E8: _free.LIBCMT ref: 00A7B69B
          • Part of subcall function 00A796E8: DeleteCriticalSection.KERNEL32(00000011,76EF5810,?,00A79B11,?,00A77D3B), ref: 00A7B6C2
        • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00A799C5
        • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00A799D2
        • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00A799DF
        • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00A799EC
        • TlsAlloc.KERNEL32(?,00A77D3B), ref: 00A79A3C
        • TlsSetValue.KERNEL32(00000000,?,00A77D3B), ref: 00A79A57
        • __init_pointers.LIBCMT ref: 00A79A61
        • EncodePointer.KERNEL32(?,00A77D3B), ref: 00A79A72
        • EncodePointer.KERNEL32(?,00A77D3B), ref: 00A79A7F
        • EncodePointer.KERNEL32(?,00A77D3B), ref: 00A79A8C
        • EncodePointer.KERNEL32(?,00A77D3B), ref: 00A79A99
        • DecodePointer.KERNEL32(00A7986C,?,00A77D3B), ref: 00A79ABA
        • __calloc_crt.LIBCMT ref: 00A79ACF
        • DecodePointer.KERNEL32(00000000,?,00A77D3B), ref: 00A79AE9
        • GetCurrentThreadId.KERNEL32 ref: 00A79AFB
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
        • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
        • API String ID: 3698121176-3819984048
        • Opcode ID: 020094e968126b40f48f065abd10c280566cfbdba2e0817131b2c824621baddf
        • Instruction ID: c6acc26d5fdd5689f538f33d79aa4e6752e99fef24ba73fd48f7504983510dec
        • Opcode Fuzzy Hash: 020094e968126b40f48f065abd10c280566cfbdba2e0817131b2c824621baddf
        • Instruction Fuzzy Hash: 9C314D71D41712AADB20EFB5EC0854A3FF4EB4A760B14862BE818D21F1E7788443EF59
        Strings
        • Failed to copy filename for pseudo bundle., xrefs: 00A74106
        • Failed to allocate memory for pseudo bundle payload hash., xrefs: 00A74197
        • Failed to copy install arguments for related bundle package, xrefs: 00A74268
        • Failed to append relation type to repair arguments for related bundle package, xrefs: 00A742D1
        • Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 00A7406E
        • Failed to append relation type to install arguments for related bundle package, xrefs: 00A74289
        • Failed to copy cache id for pseudo bundle., xrefs: 00A74247
        • pseudobundle.cpp, xrefs: 00A74064, 00A74097, 00A7418D, 00A74380
        • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 00A740A1
        • Failed to copy version for pseudo bundle., xrefs: 00A743D0
        • Failed to copy repair arguments for related bundle package, xrefs: 00A742B0
        • Failed to copy download source for pseudo bundle., xrefs: 00A74157
        • Failed to copy local source path for pseudo bundle., xrefs: 00A74129
        • -%ls, xrefs: 00A74037
        • Failed to append relation type to uninstall arguments for related bundle package, xrefs: 00A74323
        • Failed to copy uninstall arguments for related bundle package, xrefs: 00A74302
        • Failed to allocate memory for dependency providers., xrefs: 00A7438A
        • Failed to copy display name for pseudo bundle., xrefs: 00A743F1
        • Failed to copy key for pseudo bundle payload., xrefs: 00A740E3
        • Failed to copy key for pseudo bundle., xrefs: 00A74229
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Heap$AllocateProcess
        • String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
        • API String ID: 1357844191-2832335422
        • Opcode ID: b67101d605c475a5080cda0ec695d7f0a2f572fa9fb592ffbfffc274d1d2252b
        • Instruction ID: 371a15256ceb02386e1aa22bdcba7050be0dd6d2c221974eaad38b569c20be4a
        • Opcode Fuzzy Hash: b67101d605c475a5080cda0ec695d7f0a2f572fa9fb592ffbfffc274d1d2252b
        • Instruction Fuzzy Hash: 15C18275340B05EFDB21EF28CD46F6A76E5AF88710F20C919FA1E9B291DB74E8418B50
        Strings
        • Failed to add reboot suppression property on uninstall., xrefs: 00A6DE13
        • Failed to initialize external UI handler., xrefs: 00A6DB72
        • IGNOREDEPENDENCIES, xrefs: 00A6DE1A
        • Failed to add patches to PATCH property on install., xrefs: 00A6DDA6
        • Failed to install MSP package., xrefs: 00A6DDF4
        • %ls %ls=ALL, xrefs: 00A6DE2B
        • Failed to semi-colon delimit patches., xrefs: 00A6DC77
        • Failed to get cached path for MSP package: %ls, xrefs: 00A6DC50
        • " REBOOT=ReallySuppress, xrefs: 00A6DDB1
        • Failed to add the list of dependencies to ignore to the properties., xrefs: 00A6DE3F
        • Failed to uninstall MSP package., xrefs: 00A6DE67
        • Failed to add properties to obfuscated argument string., xrefs: 00A6DD1F
        • REBOOT=ReallySuppress, xrefs: 00A6DDFC
        • Failed to add reboot suppression property on install., xrefs: 00A6DDC8
        • Failed to enable logging for package: %ls to: %ls, xrefs: 00A6DCAB
        • Failed to add PATCH property on install., xrefs: 00A6DD83
        • Failed to build MSP path., xrefs: 00A6DC65
        • PATCH=", xrefs: 00A6DD6C
        • Failed to append patch., xrefs: 00A6DC7E
        • Failed to add properties to argument string., xrefs: 00A6DCE9
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memset
        • String ID: PATCH="$ REBOOT=ReallySuppress$" REBOOT=ReallySuppress$%ls %ls=ALL$Failed to add PATCH property on install.$Failed to add patches to PATCH property on install.$Failed to add properties to argument string.$Failed to add properties to obfuscated argument string.$Failed to add reboot suppression property on install.$Failed to add reboot suppression property on uninstall.$Failed to add the list of dependencies to ignore to the properties.$Failed to append patch.$Failed to build MSP path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for MSP package: %ls$Failed to initialize external UI handler.$Failed to install MSP package.$Failed to semi-colon delimit patches.$Failed to uninstall MSP package.$IGNOREDEPENDENCIES
        • API String ID: 2102423945-1976012679
        • Opcode ID: ffa8be9a7580d25510085ae3e6fd074e461f1e940689cd7caa83a4bee1cd20b1
        • Instruction ID: ff958054cb411d6cc8fadb8cac6dcc1d48605a1c118002c233d5bc0b94c02a1b
        • Opcode Fuzzy Hash: ffa8be9a7580d25510085ae3e6fd074e461f1e940689cd7caa83a4bee1cd20b1
        • Instruction Fuzzy Hash: 33C17F71F00618AFCF21AF64CD81EAAB7B6BB98740F1045E9F509A7111D6739EA0DF40
        APIs
        • GetStringTypeW.KERNEL32(00000001,?,00000001,00A67324,?,?,00000000,?,?,?,?,00A67324,00000000,?,?), ref: 00A66553
        Strings
        • Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 00A66921
        • Failed to set symbol value., xrefs: 00A66899
        • Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 00A667B9
        • NOT, xrefs: 00A66855
        • condition.cpp, xrefs: 00A66602, 00A666BE, 00A66740, 00A6679F, 00A66907, 00A66936, 00A66987
        • Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 00A669A1
        • Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 00A666D8
        • Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 00A66950
        • Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 00A6675A
        • Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 00A6661C
        • @, xrefs: 00A66559
        • AND, xrefs: 00A66835
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: StringType
        • String ID: @$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
        • API String ID: 4177115715-289295652
        • Opcode ID: fb2b928675a38f3897294173d22547a66839af4fdae0b7857923a54f11c20965
        • Instruction ID: ff9bbb6ceb9711f6e4a534b8205bf75388866062be548a425864db584427fbfd
        • Opcode Fuzzy Hash: fb2b928675a38f3897294173d22547a66839af4fdae0b7857923a54f11c20965
        • Instruction Fuzzy Hash: F3E1D3B1A00705EBDB35CFA0C949BBABBF5FF50704F10890EE1526B590D7B5AA84DB50
        Strings
        • Failed to resize Upgrade code array in registration, xrefs: 00A55E10
        • Failed to get RelatedBundle element count., xrefs: 00A55C0A
        • Upgrade, xrefs: 00A55CC0
        • Failed to resize Addon code array in registration, xrefs: 00A55E17
        • Invalid value for @Action: %ls, xrefs: 00A55DA8
        • Failed to get RelatedBundle nodes, xrefs: 00A55BED
        • Failed to get @Action., xrefs: 00A55DFB
        • Failed to get next RelatedBundle element., xrefs: 00A55DF4
        • Detect, xrefs: 00A55C78
        • Failed to resize Patch code array in registration, xrefs: 00A55E1E
        • Action, xrefs: 00A55C3C
        • RelatedBundle, xrefs: 00A55BCB
        • Addon, xrefs: 00A55D08
        • Failed to resize Detect code array in registration, xrefs: 00A55E09
        • Patch, xrefs: 00A55D4D
        • Failed to get @Id., xrefs: 00A55E02
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID:
        • String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade
        • API String ID: 0-3660206225
        • Opcode ID: 8bf03cea20c09f677ffde36ce2283716d979e8a69f40347b1763dab38c67622e
        • Instruction ID: 6d36a85b97353e3b6780ca1a58874d6f318477596829bc1bb9a41fb1184871b7
        • Opcode Fuzzy Hash: 8bf03cea20c09f677ffde36ce2283716d979e8a69f40347b1763dab38c67622e
        • Instruction Fuzzy Hash: 1771AF72D40A09BFD710EB60CD96FAE77B5FB84715F200459F902AB281D670AE06DF10
        APIs
          • Part of subcall function 00A5BB5E: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00A5D9E6,?,00000000,75C0B390,?,00000000), ref: 00A5BB6D
          • Part of subcall function 00A5BB5E: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00A5BB7A
          • Part of subcall function 00A5BB5E: LeaveCriticalSection.KERNEL32(?,?,00A5D9E6,?,00000000,75C0B390,?,00000000), ref: 00A5BB8F
        • ReleaseMutex.KERNEL32(?,00A5138B,00000000,?,00A513BB,00000001,00000000), ref: 00A5C71E
        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00A51303,?,?,00A5180F), ref: 00A5C727
        • CloseHandle.KERNEL32(?,00A5138B,00000000,?,00A513BB,00000001,00000000), ref: 00A5C746
          • Part of subcall function 00A7118E: SetThreadExecutionState.KERNEL32(80000001), ref: 00A71193
        Strings
        • Another per-machine setup is already executing., xrefs: 00A5C51A
        • Failed to set initial apply variables., xrefs: 00A5C454
        • Failed to register bundle., xrefs: 00A5C53F
        • UX aborted apply begin., xrefs: 00A5C3E9
        • Engine cannot start apply because it is busy with another action., xrefs: 00A5C399
        • Posted message to parent process to signal that the parent process can stop waiting, xrefs: 00A5C590
        • core.cpp, xrefs: 00A5C3DF, 00A5C604
        • Failed to send completion over the pipe., xrefs: 00A5C586
        • Failed while caching, aborting execution., xrefs: 00A5C62A
        • Failed to elevate., xrefs: 00A5C4E0
        • Another per-user setup is already executing., xrefs: 00A5C42A
        • Failed to create cache thread., xrefs: 00A5C60E
        • Failed to cache engine to working directory., xrefs: 00A5C4BC
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseCriticalHandleSection$CompareEnterExchangeExecutionInterlockedLeaveMutexReleaseStateThread
        • String ID: Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to send completion over the pipe.$Failed to set initial apply variables.$Failed while caching, aborting execution.$Posted message to parent process to signal that the parent process can stop waiting$UX aborted apply begin.$core.cpp
        • API String ID: 1740103319-3198874528
        • Opcode ID: 8f4772db940a3507e784d684a43d92bc139278e6f0fcd90d76fc09c2ff798956
        • Instruction ID: be066d77a8317269c485746e13621120af7e6c8b619aa1849b0d09eb82829356
        • Opcode Fuzzy Hash: 8f4772db940a3507e784d684a43d92bc139278e6f0fcd90d76fc09c2ff798956
        • Instruction Fuzzy Hash: ECC1B7B2900705FFCF20AFA4CD85AEEB7F9BB44322F10842EF616A6055EB705649CB51
        APIs
        • GetCurrentProcessId.KERNEL32(00000000,00A7387B,00000000), ref: 00A75289
        • _memset.LIBCMT ref: 00A752A4
        • CloseHandle.KERNEL32(00A6A697,00000000,00A751E1,00A754D4,?,?,?,?,00000000,?,?,00000001,?), ref: 00A75449
        • CloseHandle.KERNEL32(?,00000000,00A751E1,00A754D4,?,?,?,?,00000000,?,?,00000001,?), ref: 00A75456
        • CloseHandle.KERNEL32(?,00000000,00A751E1,00A754D4,?,?,?,?,00000000,?,?,00000001,?), ref: 00A75470
          • Part of subcall function 00A535A5: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 00A535D2
          • Part of subcall function 00A535A5: GetLastError.KERNEL32(00000000,00A517A1,00A5BD3C,00A5130D,?), ref: 00A535DB
          • Part of subcall function 00A535A5: LocalFree.KERNEL32(?,00A5130D), ref: 00A5373E
        Strings
        • Failed to process messages from embedded message., xrefs: 00A753FE
        • Failed to create embedded pipe name and client token., xrefs: 00A75304
        • Failed to create embedded process atpath: %ls, xrefs: 00A753B1
        • burn.embedded, xrefs: 00A752EC
        • %ls -%ls %ls %ls %u, xrefs: 00A7533C
        • Failed to wait for embedded process to connect to pipe., xrefs: 00A753DC
        • Failed to allocate embedded command., xrefs: 00A75350
        • Failed to wait for embedded executable: %ls, xrefs: 00A7542D
        • burn.embedded.async, xrefs: 00A752E2, 00A75338
        • Failed to create embedded pipe., xrefs: 00A75322
        • embedded.cpp, xrefs: 00A753A4
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseHandle$DescriptorSecurity$ConvertCurrentErrorFreeLastLocalProcessString_memset
        • String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process atpath: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$burn.embedded.async$embedded.cpp
        • API String ID: 1195026954-3691304899
        • Opcode ID: 4137ec88f44464c04eb09ede4309158b7068fd3604eba5b868a9b00dc66c77fd
        • Instruction ID: f2935599cf82d312b537797f84d134ecbbadff1a67a25d0ac91f9859d53fd181
        • Opcode Fuzzy Hash: 4137ec88f44464c04eb09ede4309158b7068fd3604eba5b868a9b00dc66c77fd
        • Instruction Fuzzy Hash: D1518C72E00618BBCF11EFF4DD819EEBBB9BF18751F10C426F609B6160D6B14A858B91
        APIs
        • CreateFileW.KERNEL32(00A5130D,40000000,00000005,00000000,00000002,08000080,00000000,00000000,00000000,00000000,00A5130D,00A5179D,?,00A51355,?,00000000), ref: 00A67AED
        • GetLastError.KERNEL32(?,00A5130D,?,?,00A5180F,?,?,?,00A51E12,?), ref: 00A67AFB
          • Part of subcall function 00A857EB: ReadFile.KERNEL32(?,?,?,?,00000000,00000000,75C0B390,00000000,?,00A67B78,?,?,?,00000000,00000000,?), ref: 00A85887
        • SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00A67BAA
        • GetLastError.KERNEL32(?,00A5130D,?,?,00A5180F,?,?,?,00A51E12,?), ref: 00A67BB4
        • CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00A5130D,?,?,00A5180F), ref: 00A67CEE
        Strings
        • Failed to zero out original data offset., xrefs: 00A67CDE
        • Failed to seek to beginning of engine file: %ls, xrefs: 00A67B55
        • Failed to seek to checksum in exe header., xrefs: 00A67BE3
        • Failed to seek to original data in exe burn section header., xrefs: 00A67CC3
        • cache.cpp, xrefs: 00A67B20, 00A67BD9, 00A67C44, 00A67CB9
        • Failed to create engine file at path: %ls, xrefs: 00A67B2D
        • Failed to copy engine from: %ls to: %ls, xrefs: 00A67B84
        • Failed to seek to signature table in exe header., xrefs: 00A67C4E
        • Failed to update signature offset., xrefs: 00A67C01
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: File$ErrorLast$CloseCreateHandlePointerRead
        • String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cache.cpp
        • API String ID: 3456208997-3092846023
        • Opcode ID: 937a0f3f5ed9e256ec63d8ddc305b9b35b23f32a7dcf9c8db133bed077db8232
        • Instruction ID: bea5f7e409731b0e49426c913460cbe41d40db0b191d9757998f18a6f9b604b0
        • Opcode Fuzzy Hash: 937a0f3f5ed9e256ec63d8ddc305b9b35b23f32a7dcf9c8db133bed077db8232
        • Instruction Fuzzy Hash: 74510872A5410ABFEB10ABA4CE86E7F76FAFF48758F104434F601E71A0E6758D0147A2
        APIs
          • Part of subcall function 00A660BD: LoadBitmapW.USER32(?,00000001), ref: 00A660ED
          • Part of subcall function 00A660BD: GetLastError.KERNEL32(?,00000001), ref: 00A660F9
        • LoadCursorW.USER32(00000000,00007F00), ref: 00A6622C
        • RegisterClassW.USER32(?), ref: 00A66240
        • GetLastError.KERNEL32 ref: 00A6624B
        • CreateWindowExW.USER32(00000080,00A96504,?,90000000,?,?,?,?,00000000,00000000,?,?), ref: 00A662AF
        • GetLastError.KERNEL32 ref: 00A662BB
        • SetEvent.KERNEL32(?), ref: 00A66307
        • IsDialogMessageW.USER32(00000000,?), ref: 00A66322
        • TranslateMessage.USER32(?), ref: 00A66330
        • DispatchMessageW.USER32(?), ref: 00A6633A
        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A66349
        • UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 00A66371
        • DeleteObject.GDI32(?), ref: 00A66381
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Message$ErrorLast$ClassLoad$BitmapCreateCursorDeleteDialogDispatchEventObjectRegisterTranslateUnregisterWindow
        • String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
        • API String ID: 1682452648-2188509422
        • Opcode ID: 1b4080089a615f9f7917d614978d45a3a19075517ed6363952ea4e58f4d8fa89
        • Instruction ID: dc97275582b9372290ae9af931c2874666c73af9ec65a512e3de9e868591fdd4
        • Opcode Fuzzy Hash: 1b4080089a615f9f7917d614978d45a3a19075517ed6363952ea4e58f4d8fa89
        • Instruction Fuzzy Hash: B251CC72A00219FFDF119FE0DD499EEBBB9FF08740F208526F515EA290D7309A518BA1
        APIs
        • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,?,?,?,?,00A737C3,00000001,00000000,000000B9,00000000,?), ref: 00A732F0
        • GetExitCodeThread.KERNEL32(?,00000001,?,?,?,?,00A737C3,00000001,00000000,000000B9,00000000,?,?,?,000000B9,00000000), ref: 00A7330C
        • GetLastError.KERNEL32(?,?,?,?,00A737C3,00000001,00000000,000000B9,00000000,?,?,?,000000B9,00000000,00000001,00000000), ref: 00A7331A
        • GetLastError.KERNEL32(?,?,?,?,00A737C3,00000001,00000000,000000B9,00000000,?,?,?,000000B9,00000000,00000001,00000000), ref: 00A734E0
        Strings
        • Invalid execute action., xrefs: 00A734B3
        • Failed to execute MSP package., xrefs: 00A733D3
        • Failed to execute EXE package., xrefs: 00A7337D
        • Failed to execute compatible package action., xrefs: 00A73478
        • Failed to execute MSU package., xrefs: 00A73408
        • Failed to execute package provider registration action., xrefs: 00A73423
        • Failed to execute dependency action., xrefs: 00A7343E
        • apply.cpp, xrefs: 00A73344, 00A7350A
        • Cache thread exited unexpectedly., xrefs: 00A734D6
        • Failed to load compatible package on per-machine package., xrefs: 00A73464
        • Failed to execute MSI package., xrefs: 00A733A8
        • Failed to get cache thread exit code., xrefs: 00A7334E
        • Failed to wait for cache check-point., xrefs: 00A73514
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
        • String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
        • API String ID: 3703294532-2662572847
        • Opcode ID: 9f1139acf07f0ae29c585bc203084c63dccc66162f3ca870431c78940e4fee17
        • Instruction ID: 67bfe20c3c357790c297c6c9b6ad61c232cf0fa85c7a8d67a5047d4fd43597c5
        • Opcode Fuzzy Hash: 9f1139acf07f0ae29c585bc203084c63dccc66162f3ca870431c78940e4fee17
        • Instruction Fuzzy Hash: 65714976B0120AFBDF0ADFA8CD419AE7BB8AF04311B11C469F919E7250E774DB01AB51
        APIs
        • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A58086
        • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A581AC
        Strings
        • Unsupported product search type: %u, xrefs: 00A58044
        • Trying per-user extended info for property '%ls' for product: %ls, xrefs: 00A58139
        • Failed to get product info., xrefs: 00A58198
        • Failed to set variable., xrefs: 00A5821F
        • Product not found: %ls, xrefs: 00A58164
        • Failed to find product for UpgradeCode: %ls, xrefs: 00A580B8
        • Failed to format upgrade code string., xrefs: 00A58091
        • No products found for UpgradeCode: %ls, xrefs: 00A580CE
        • VersionString, xrefs: 00A58066
        • State, xrefs: 00A58054
        • Failed to format product code string., xrefs: 00A581BB
        • Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 00A5810B
        • Failed to change value type., xrefs: 00A58201
        • MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 00A5822F
        • Language, xrefs: 00A5805D
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Open@16
        • String ID: Failed to change value type.$Failed to find product for UpgradeCode: %ls$Failed to format product code string.$Failed to format upgrade code string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$No products found for UpgradeCode: %ls$Product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
        • API String ID: 3613110473-2367264253
        APIs
        • CreateFileW.KERNEL32(?,C0000000,00000004,00000000,00000004,00000080,00000000,?,00000000,?,?,?,000000FF,?), ref: 00A76FD8
        • GetLastError.KERNEL32 ref: 00A76FE6
        • VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 00A77038
        • GetLastError.KERNEL32 ref: 00A77045
        • InternetCloseHandle.WININET(00000000), ref: 00A770D4
        • InternetCloseHandle.WININET(?), ref: 00A770E5
        • InternetCloseHandle.WININET(?), ref: 00A771C8
        • InternetCloseHandle.WININET(00000000), ref: 00A771D6
        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00A771F7
        • CloseHandle.KERNEL32(000000FF), ref: 00A77206
        Strings
        • downloadengine.cpp, xrefs: 00A7700B, 00A7706A
        • GET, xrefs: 00A77106
        • Failed to allocate buffer to download files into., xrefs: 00A77074
        • Failed while reading from internet and writing to: %ls, xrefs: 00A771B1
        • Failed to create download destination file: %ls, xrefs: 00A77018
        • Failed to request URL for download: %ls, xrefs: 00A771A7
        • Failed to allocate range request header., xrefs: 00A77196
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseHandle$Internet$ErrorLastVirtual$AllocCreateFileFree
        • String ID: Failed to allocate buffer to download files into.$Failed to allocate range request header.$Failed to create download destination file: %ls$Failed to request URL for download: %ls$Failed while reading from internet and writing to: %ls$GET$downloadengine.cpp
        • API String ID: 424062026-2629732388
        APIs
        • RegCloseKey.ADVAPI32(00000000), ref: 00A56C13
          • Part of subcall function 00A83B02: RegSetValueExW.KERNELBASE(00020006,?,00000000,00000001,?,00000000,?,000000FF,00000000,00000001,?,?,00A5698C,00000000,?,00020006), ref: 00A83B35
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseValue
        • String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled$UninstallString
        • API String ID: 3132538880-2375234059
        APIs
        • IsWindow.USER32(?), ref: 00A51AC3
        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A51AD6
        • CloseHandle.KERNEL32(00000000,?,?,?,00A51E12,?), ref: 00A51AE5
        Strings
        • Failed to set action variables., xrefs: 00A51A0F
        • Failed to set layout directory variable to value provided from command-line., xrefs: 00A51A51
        • Failed to set registration variables., xrefs: 00A51A29
        • WixBundleLayoutDirectory, xrefs: 00A51A40
        • Failed while running , xrefs: 00A51A75
        • Failed to open log., xrefs: 00A518ED
        • Failed to create the message window., xrefs: 00A519E3
        • Failed to check global conditions, xrefs: 00A51997
        • Failed to initialize internal cache functionality., xrefs: 00A5190A
        • Failed to connect to elevated parent process., xrefs: 00A5194B
        • Failed to create pipes to connect to elevated parent process., xrefs: 00A51935
        • Failed to query registration., xrefs: 00A519F9
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseHandleMessagePostWindow
        • String ID: Failed to check global conditions$Failed to connect to elevated parent process.$Failed to create pipes to connect to elevated parent process.$Failed to create the message window.$Failed to initialize internal cache functionality.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
        • API String ID: 3586352542-3026528549
        APIs
        • InternetOpenW.WININET(Burn,00000000,00000000,00000000,00000000), ref: 00A77272
        • GetLastError.KERNEL32 ref: 00A7727F
        • InternetCloseHandle.WININET(00000000), ref: 00A773D8
          • Part of subcall function 00A87D08: RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000000,00000000), ref: 00A87D59
        • InternetSetOptionW.WININET(00000000,00000002,?,00000004), ref: 00A772EB
        • InternetSetOptionW.WININET(00000000,00000006,?,00000004), ref: 00A772F8
        • InternetSetOptionW.WININET(00000000,00000005,?,00000004), ref: 00A77305
          • Part of subcall function 00A76FA0: CreateFileW.KERNEL32(?,C0000000,00000004,00000000,00000004,00000080,00000000,?,00000000,?,?,?,000000FF,?), ref: 00A76FD8
          • Part of subcall function 00A76FA0: GetLastError.KERNEL32 ref: 00A76FE6
          • Part of subcall function 00A76FA0: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00A771F7
          • Part of subcall function 00A76FA0: CloseHandle.KERNEL32(000000FF), ref: 00A77206
        • DeleteFileW.KERNEL32(?,?,000000FF,00000000,?,00000001,?,?,?,?,?,?,?,00000078,000000FF,?), ref: 00A773AE
        • CloseHandle.KERNEL32(000000FF,?,000000FF,00000000,?,00000001,?,?,?,?,?,?,?,00000078,000000FF,?), ref: 00A773BD
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Internet$Close$HandleOption$ErrorFileLast$CreateDeleteFreeOpenVirtual
        • String ID: Burn$DownloadTimeout$Failed to copy download source URL.$Failed to download URL: %ls$Failed to get size and time for URL: %ls$Failed to open internet session$WiX\Burn$downloadengine.cpp
        • API String ID: 328221957-1870125225
        APIs
          • Part of subcall function 00A8233B: GetProcessHeap.KERNEL32(?,?,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000), ref: 00A8234C
          • Part of subcall function 00A8233B: RtlAllocateHeap.NTDLL(00000000,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000,00000000), ref: 00A82353
        • _memcpy_s.LIBCMT ref: 00A7458F
        Strings
        • Failed to allocate memory for pseudo bundle payload hash., xrefs: 00A74675
        • Failed to copy download source for passthrough pseudo bundle., xrefs: 00A74653
        • Failed to copy cache id for passthrough pseudo bundle., xrefs: 00A74695
        • pseudobundle.cpp, xrefs: 00A7444C, 00A74621, 00A74668
        • Failed to recreate command-line arguments., xrefs: 00A746D8
        • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 00A7462E
        • Failed to copy key for passthrough pseudo bundle payload., xrefs: 00A74635
        • Failed to copy key for passthrough pseudo bundle., xrefs: 00A7460C
        • Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 00A74459
        • Failed to copy local source path for passthrough pseudo bundle., xrefs: 00A74649
        • Failed to copy install arguments for passthrough bundle package, xrefs: 00A746F6
        • Failed to copy related arguments for passthrough bundle package, xrefs: 00A74714
        • Failed to copy uninstall arguments for passthrough bundle package, xrefs: 00A74738
        • Failed to copy filename for passthrough pseudo bundle., xrefs: 00A7463F
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Heap$AllocateProcess_memcpy_s
        • String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
        • API String ID: 1343786421-115096447
        APIs
        Strings
        • Failed to read parent hwnd., xrefs: 00A60AE0
        • Failed to execute MSP package., xrefs: 00A60C95
        • Failed to read ordered patch order number., xrefs: 00A60C34
        • Failed to read rollback flag., xrefs: 00A60C6A
        • Failed to read UI level., xrefs: 00A60B3A
        • Failed to read action., xrefs: 00A60A9F
        • Failed to read ordered patch package id., xrefs: 00A60C3B
        • Failed to read package log., xrefs: 00A60B06
        • Failed to allocate memory for ordered patches., xrefs: 00A60BAE
        • elevation.cpp, xrefs: 00A60BA4
        • Failed to find package: %ls, xrefs: 00A60AC1
        • Failed to read count of ordered patches., xrefs: 00A60B72
        • Failed to find ordered patch package: %ls, xrefs: 00A60C45
        • Failed to read variables., xrefs: 00A60C2D
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memset
        • String ID: Failed to allocate memory for ordered patches.$Failed to execute MSP package.$Failed to find ordered patch package: %ls$Failed to find package: %ls$Failed to read UI level.$Failed to read action.$Failed to read count of ordered patches.$Failed to read ordered patch order number.$Failed to read ordered patch package id.$Failed to read package log.$Failed to read parent hwnd.$Failed to read rollback flag.$Failed to read variables.$elevation.cpp
        • API String ID: 2102423945-908036492
        APIs
        • lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,00000000,?,?,?,00000000,?,00000000), ref: 00A77A74
        Strings
        • Failed to add file to BITS job., xrefs: 00A77B48
        • bitsengine.cpp, xrefs: 00A77A8A, 00A77B86
        • Invalid BITS engine URL: %ls, xrefs: 00A77A96
        • Falied to start BITS job., xrefs: 00A77C1A
        • Failed to complete BITS job., xrefs: 00A77C34
        • Failed to create BITS job callback., xrefs: 00A77B90
        • Failed to set callback interface for BITS job., xrefs: 00A77BB6
        • Failed to set credentials for BITS job., xrefs: 00A77B2C
        • Failed while waiting for BITS download., xrefs: 00A77C21
        • Failed to create BITS job., xrefs: 00A77B06
        • Failed to initialize BITS job callback., xrefs: 00A77B9F
        • Failed to download BITS job., xrefs: 00A77C13
        • Failed to copy download URL., xrefs: 00A77ABB
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: lstrlen
        • String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$bitsengine.cpp
        • API String ID: 1659193697-2382896028
        APIs
        • InternetCloseHandle.WININET(00000000), ref: 00A76D30
        • InternetCloseHandle.WININET(00000000), ref: 00A76D3E
        • InternetConnectW.WININET(?,00000000,?,00000000,?,?,00000000,00000000), ref: 00A76D9D
        • lstrlenW.KERNEL32(00000000), ref: 00A76DC8
        • InternetSetOptionW.WININET(00000000,0000002B,00000000,00000000), ref: 00A76DD5
        • lstrlenW.KERNEL32(00000001), ref: 00A76DDE
        • InternetSetOptionW.WININET(00000000,0000002C,00000001,00000000), ref: 00A76DE7
        • InternetCloseHandle.WININET(00000000), ref: 00A76E5C
        • InternetCloseHandle.WININET(00000000), ref: 00A76E67
        • GetLastError.KERNEL32 ref: 00A76E84
        Strings
        • downloadengine.cpp, xrefs: 00A76EA9
        • Failed to open internet URL: %ls, xrefs: 00A76EC4
        • Failed to break URL into server and resource parts., xrefs: 00A76E75
        • Failed to send request to URL: %ls, xrefs: 00A76ED0
        • Failed to connect to URL: %ls, xrefs: 00A76EB8
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Internet$CloseHandle$Optionlstrlen$ConnectErrorLast
        • String ID: Failed to break URL into server and resource parts.$Failed to connect to URL: %ls$Failed to open internet URL: %ls$Failed to send request to URL: %ls$downloadengine.cpp
        • API String ID: 1028609564-2897276973
        APIs
        • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,00000000,00000002,?,?,?,?,?,?,?,?,?,00A6EC56,?), ref: 00A6E888
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00A6EC56,?,?), ref: 00A6E895
        • OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,?,00A6EC56,?,?), ref: 00A6E8D6
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00A6EC56,?,?), ref: 00A6E8E3
        • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00A6EC56,?,?), ref: 00A6E921
        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00A6EC56,?,?), ref: 00A6E92B
          • Part of subcall function 00A6E774: ChangeServiceConfigW.ADVAPI32(?,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,?,00A6E9AA,?), ref: 00A6E78E
          • Part of subcall function 00A6E774: GetLastError.KERNEL32(?,00A6E9AA,?,00000003,?,?), ref: 00A6E798
        • CloseServiceHandle.ADVAPI32(00000000), ref: 00A6E9EA
        • CloseServiceHandle.ADVAPI32(00000000), ref: 00A6E9F5
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Service$ErrorLast$CloseHandleOpen$ChangeConfigManagerQueryStatus
        • String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$msuengine.cpp$wuauserv
        • API String ID: 2017831661-301359130
        APIs
          • Part of subcall function 00A82A2D: _memset.LIBCMT ref: 00A82A54
          • Part of subcall function 00A82A2D: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00A82A69
          • Part of subcall function 00A82A2D: LoadLibraryW.KERNELBASE(?,?,00000104,00A51C3B), ref: 00A82AB7
          • Part of subcall function 00A82A2D: GetLastError.KERNEL32 ref: 00A82AC3
        • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,0000011C), ref: 00A83D48
        • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00A83D67
        • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00A83D86
        • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00A83DA5
        • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00A83DC4
        • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00A83DE3
        • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00A83E02
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: AddressProc$DirectoryErrorLastLibraryLoadSystem_memset
        • String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
        • API String ID: 3669249573-1735120554
        APIs
        • SysFreeString.OLEAUT32(?), ref: 00A55A47
          • Part of subcall function 00A8233B: GetProcessHeap.KERNEL32(?,?,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000), ref: 00A8234C
          • Part of subcall function 00A8233B: RtlAllocateHeap.NTDLL(00000000,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000,00000000), ref: 00A82353
        • SysFreeString.OLEAUT32(?), ref: 00A55A01
        Strings
        • Regid, xrefs: 00A559B3
        • Failed to get software tag count., xrefs: 00A5591A
        • Failed to allocate memory for software tag structs., xrefs: 00A5595F
        • Failed to get next node., xrefs: 00A55A7C
        • Failed to get @Regid., xrefs: 00A55A8A
        • Failed to get @Filename., xrefs: 00A55A83
        • SoftwareTag, xrefs: 00A558DE
        • Failed to get SoftwareTag text., xrefs: 00A55A91
        • Failed to select software tag nodes., xrefs: 00A55900
        • registration.cpp, xrefs: 00A55955
        • Failed to convert SoftwareTag text to UTF-8, xrefs: 00A55A98
        • Filename, xrefs: 00A55998
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: FreeHeapString$AllocateProcess
        • String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Regid$SoftwareTag$registration.cpp
        • API String ID: 336948655-11506941
        APIs
        • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A5783B
        • RegCloseKey.ADVAPI32(?,00000000,?,?,00A58B4A,?), ref: 00A57991
          • Part of subcall function 00A8378B: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00A61F19,?,00000009,00000000,?,00A61BE1,80000002,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,?,00000001), ref: 00A8379F
        • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A57883
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00A58B4A,00000000,00000000,?,?,?,00000000,?,?,00000001,?,?,?), ref: 00A578D0
        Strings
        • Failed to query registry key value., xrefs: 00A5790B
        • Registry key not found. Key = '%ls'; variable = '%ls', xrefs: 00A578A6
        • Failed to format key string., xrefs: 00A57846
        • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00A57918
        • search.cpp, xrefs: 00A57901
        • Failed to format value string., xrefs: 00A5788E
        • Failed to set variable., xrefs: 00A5794B
        • Failed to open registry key. Key = '%ls', xrefs: 00A578B0
        • RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 00A57960
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Open@16$CloseOpenQueryValue
        • String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'; variable = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
        • API String ID: 3932663376-1654530643
        • Opcode ID: 0e119f1f894f8b755ba5b2c78ad1f4bbdd887421d68151840370c4a3a449984a
        • Instruction ID: dbf2aa5a4207371ff1f0126d3864a7fd06b22194d56865bb88a87faa32c1c932
        • Opcode Fuzzy Hash: 0e119f1f894f8b755ba5b2c78ad1f4bbdd887421d68151840370c4a3a449984a
        • Instruction Fuzzy Hash: 6541E372904209FFDF10AFE4DD85DAEBBBAFB14301F104839FA0172151E6714A48DB61
        APIs
        • _memset.LIBCMT ref: 00A61D80
        • GetTempPathW.KERNEL32(00000104,?,?,00000001,00000009), ref: 00A61DAD
        • GetLastError.KERNEL32(?,00000001,00000009), ref: 00A61DB7
        • GetCurrentProcessId.KERNEL32(?,?,00000104,?,?,00000001,00000009), ref: 00A61E1B
        • ProcessIdToSessionId.KERNEL32(00000000,?,00000001,00000009), ref: 00A61E22
        Strings
        • Failed to get temp folder., xrefs: 00A61DE6
        • Failed to get length of temp folder., xrefs: 00A61E0A
        • Failed to copy temp folder., xrefs: 00A61ECD
        • Failed to get length of session id string., xrefs: 00A61E74
        • Failed to format session id as a string., xrefs: 00A61E50
        • %u\, xrefs: 00A61E3C
        • logging.cpp, xrefs: 00A61DDC
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Process$CurrentErrorLastPathSessionTemp_memset
        • String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$logging.cpp
        • API String ID: 1047854834-1016737523
        • Opcode ID: 90aa6d31648ab9fdf62a3c6ee0ba37e44b5e74faf9830d380a6252e8fc1079e6
        • Instruction ID: e85dadce60c1799cc038e087eacb7217ec025cfdceaf931dd4b23e11b273657f
        • Opcode Fuzzy Hash: 90aa6d31648ab9fdf62a3c6ee0ba37e44b5e74faf9830d380a6252e8fc1079e6
        • Instruction Fuzzy Hash: BA418871D8022DAACF21AB648D4DEEEBBB8BF64710F140AD5E819F3150D6758E818F91
        APIs
        Strings
        • Failed to execute EXE package., xrefs: 00A6075D
        • Failed to allocate the list of ancestors., xrefs: 00A60735
        • Failed to read exe package., xrefs: 00A605E4
        • Failed to read rollback., xrefs: 00A60626
        • Failed to read exe package execution mode., xrefs: 00A60647
        • Failed to allocate the list of dependencies to ignore., xrefs: 00A60711
        • Failed to find package: %ls, xrefs: 00A606E4
        • Failed to read action., xrefs: 00A60605
        • Failed to read variables., xrefs: 00A606A9
        • Failed to read the list of dependencies to ignore., xrefs: 00A60668
        • Failed to read the list of ancestors., xrefs: 00A60689
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memset
        • String ID: Failed to allocate the list of ancestors.$Failed to allocate the list of dependencies to ignore.$Failed to execute EXE package.$Failed to find package: %ls$Failed to read action.$Failed to read exe package execution mode.$Failed to read exe package.$Failed to read rollback.$Failed to read the list of ancestors.$Failed to read the list of dependencies to ignore.$Failed to read variables.
        • API String ID: 2102423945-2912315823
        • Opcode ID: 18008474c26731ea6bd719404305e45fd5548458b0add1e357ad942e9ce17735
        • Instruction ID: 8ae8dacccefe460a8c28f2854f0211ea0fad994e5952fa40956e9759da5b67c6
        • Opcode Fuzzy Hash: 18008474c26731ea6bd719404305e45fd5548458b0add1e357ad942e9ce17735
        • Instruction Fuzzy Hash: 12516172D40929BECF11EB90CE85CFFB7BCAF64350B100662F912B3151E2715E959B91
        APIs
        • EnterCriticalSection.KERNEL32(00000001,00A51D56,00000000,00000000,?,00A5A72F,00A52222,00A51E8E,00000000,00000001), ref: 00A59DB0
          • Part of subcall function 00A58E63: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,?,000000FF,?,00000000,00000030,00A5982F,?,00A5ADF0,?,00000030,00000000,00000030), ref: 00A58E9C
        • LeaveCriticalSection.KERNEL32(00000001,00000008,WixBundleElevated,00000001,00000000,00000000,?,00A5A72F,00A52222,00A51E8E,00000000,00000001), ref: 00A59F32
        Strings
        • Setting string variable '%ls' to value '%ls', xrefs: 00A59EDE
        • Failed to set value of variable: %ls, xrefs: 00A59F20
        • Failed to insert variable '%ls'., xrefs: 00A59E00
        • Failed to find variable value '%ls'., xrefs: 00A59DCE
        • variable.cpp, xrefs: 00A59E38
        • Setting hidden variable '%ls', xrefs: 00A59E77
        • WixBundleElevated, xrefs: 00A59DE1
        • Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00A59F46
        • Unsetting variable '%ls', xrefs: 00A59ED3
        • Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00A59EB8
        • Setting numeric variable '%ls' to value %lld, xrefs: 00A59EF7
        • Attempt to set built-in variable value: %ls, xrefs: 00A59E45
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalSection$CompareEnterLeaveString
        • String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$WixBundleElevated$variable.cpp
        • API String ID: 2612025200-3866887438
        • Opcode ID: 2eb270af0562f7fbf78b5c4ced71280f8f0dd204e17b4124b32102ab860c85e2
        • Instruction ID: d3f1f9a907a99ea894f456402c456d19953d84f8138f2476102b1abcb0d3eb56
        • Opcode Fuzzy Hash: 2eb270af0562f7fbf78b5c4ced71280f8f0dd204e17b4124b32102ab860c85e2
        • Instruction Fuzzy Hash: 0951BD71A4021AFFDF11AF44CD46E6B7769FB14712F00812AFC09AE291E371DE689B91
        APIs
        • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,?,00A6955E,00000000,?,00000000,?), ref: 00A68FFF
        • GetLastError.KERNEL32(?,?,00A6955E,00000000,?,00000000,?,?,00000000,00000000,?,?,?,00A5F207,?,?), ref: 00A6900D
          • Part of subcall function 00A67E2A: _memset.LIBCMT ref: 00A67E54
          • Part of subcall function 00A85A1F: Sleep.KERNEL32(00000000,?,?,00A67736,00000000,?,00000001,00000003,000007D0,?,?,00A69676,00000000,00000000,00000000,00000000), ref: 00A85A36
        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000003,000007D0,?,?), ref: 00A69116
        Strings
        • Failed to verify payload hash: %ls, xrefs: 00A6909A
        • Failed to copy %ls to %ls, xrefs: 00A69105
        • Failed to open payload in working path: %ls, xrefs: 00A6903D
        • Copying, xrefs: 00A690B5, 00A690BF
        • %ls payload from working path '%ls' to path '%ls', xrefs: 00A690C0
        • cache.cpp, xrefs: 00A69032
        • Failed to verify payload signature: %ls, xrefs: 00A69076
        • Failed to move %ls to %ls, xrefs: 00A690EF
        • Moving, xrefs: 00A690AE
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseCreateErrorFileHandleLastSleep_memset
        • String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
        • API String ID: 2828417756-1604654059
        • Opcode ID: 30396d3fdc57bc525ce7fdc59e86144f55d9319a7efec8b7b3260734da5878f7
        • Instruction ID: b223d045739df208bd98c4dcfae52cbf1eac9ed3fa169f70156830619da4b24c
        • Opcode Fuzzy Hash: 30396d3fdc57bc525ce7fdc59e86144f55d9319a7efec8b7b3260734da5878f7
        • Instruction Fuzzy Hash: BA31F772B40625BBEB326664CD0AF6F29BCEF52BA0F114121F905BA2C1D675DE0087F1
        Strings
        • Failed to copy ancestors and self to related bundle ancestors., xrefs: 00A64429
        • plan.cpp, xrefs: 00A64617
        • Failed to add the package provider key "%ls" to the planned list., xrefs: 00A64632
        • Failed to create dictionary from ancestors array., xrefs: 00A64376
        • %ls;%ls, xrefs: 00A64411
        • Unexpected relation type encountered during plan: %d, xrefs: 00A645F9
        • Failed to lookup the bundle ID in the ancestors dictionary., xrefs: 00A64603
        • Failed to copy self to related bundle ancestors., xrefs: 00A6460A
        • Failed to create string array from ancestors., xrefs: 00A64355
        • UX aborted plan related bundle., xrefs: 00A64621
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID:
        • String ID: %ls;%ls$Failed to add the package provider key "%ls" to the planned list.$Failed to copy ancestors and self to related bundle ancestors.$Failed to copy self to related bundle ancestors.$Failed to create dictionary from ancestors array.$Failed to create string array from ancestors.$Failed to lookup the bundle ID in the ancestors dictionary.$UX aborted plan related bundle.$Unexpected relation type encountered during plan: %d$plan.cpp
        • API String ID: 0-489706565
        • Opcode ID: af12e4cbecff3196ef31a221c9e07e4baac1084c109573fca16d7dc0c6cace3e
        • Instruction ID: 6ed3f9d512ad9cf2e88d30301a5eaa3dc03d949d9bb1d91ddf1ddfcc1781bad2
        • Opcode Fuzzy Hash: af12e4cbecff3196ef31a221c9e07e4baac1084c109573fca16d7dc0c6cace3e
        • Instruction Fuzzy Hash: F3A18E70A00706EFDF21DFA4C886BAAB7F5FF19305F204829E552AB2A1D771AD50CB51
        APIs
        • _memset.LIBCMT ref: 00A59077
          • Part of subcall function 00A58FD2: _memset.LIBCMT ref: 00A58FEA
          • Part of subcall function 00A58FD2: GetVersionExW.KERNEL32(?,?,00000000,00A59096), ref: 00A58FF9
          • Part of subcall function 00A58FD2: GetLastError.KERNEL32 ref: 00A59003
        • GetLastError.KERNEL32 ref: 00A5909A
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast_memset$Version
        • String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
        • API String ID: 3644159973-1971907631
        • Opcode ID: 4a468a35712ca444229134094ecda47535eddec6277a61954aec25768d8b59cb
        • Instruction ID: c06373b50cf7e00652f1c5530ce328646a434c3af65cf3b4f04a93ec701acb7c
        • Opcode Fuzzy Hash: 4a468a35712ca444229134094ecda47535eddec6277a61954aec25768d8b59cb
        • Instruction Fuzzy Hash: EE51ED71900229EADB609B68CC89FFF7AB8FB48711F0045AAF945EA181D6748E85CB51
        APIs
        • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,00000000,?,?,00A6949F,?,?,?,?,00000000), ref: 00A68EF3
        • GetLastError.KERNEL32(?,?,00A6949F,?,?,?,?,00000000,00000000,00000000,?,?,00A5F1E8,?,?,?), ref: 00A68F03
          • Part of subcall function 00A85A1F: Sleep.KERNEL32(00000000,?,?,00A67736,00000000,?,00000001,00000003,000007D0,?,?,00A69676,00000000,00000000,00000000,00000000), ref: 00A85A36
        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000003,000007D0,?,?,?), ref: 00A68FD7
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseCreateErrorFileHandleLastSleep
        • String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
        • API String ID: 1275171361-1187406825
        • Opcode ID: 722cab693a19c33029bd3145f56f968ef50d8bc41e6677c0ecaa8a1f62ff0233
        • Instruction ID: bf0c070c6dc41cfbb067e248aa1ec40b0436dc9541c076b374eb293e7ffe7e44
        • Opcode Fuzzy Hash: 722cab693a19c33029bd3145f56f968ef50d8bc41e6677c0ecaa8a1f62ff0233
        • Instruction Fuzzy Hash: 4B21FB71B846257AEA3223288D4BF7F25BDDF11F64F104224FA05FA2D0E999DD0082B6
        APIs
        • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,00000001,000000F9,00000000,00000000,?,?,?), ref: 00A85F28
        • GetLastError.KERNEL32 ref: 00A85F36
        • GetFileSizeEx.KERNEL32(?,?), ref: 00A85F9D
        • GetLastError.KERNEL32 ref: 00A85FA7
        • SetFilePointer.KERNEL32(?,?,?,00000001), ref: 00A85FFE
        • GetLastError.KERNEL32 ref: 00A86009
        • ReadFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,00000001), ref: 00A860D5
        • GetLastError.KERNEL32 ref: 00A8611A
        • CloseHandle.KERNEL32(000000FF), ref: 00A86173
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFileLast$CloseCreateHandlePointerReadSize
        • String ID: fileutil.cpp
        • API String ID: 1273122604-2967768451
        • Opcode ID: f417d0223b959b4b37e4404220774268f95274c31faf8f265c174c83d52f0868
        • Instruction ID: 46c98daad78705b7cc0fe02af6641eadb702642506727567e2f16caa601c7e09
        • Opcode Fuzzy Hash: f417d0223b959b4b37e4404220774268f95274c31faf8f265c174c83d52f0868
        • Instruction Fuzzy Hash: C881E531A10606EBFB20BF64CD49BAB36B5AB41760F254139FE01EB191D779CD018B61
        APIs
        • _memset.LIBCMT ref: 00A820D5
        • GetTempPathW.KERNEL32(00000104,?,00000001,00000009,00000000), ref: 00A82124
        • GetLastError.KERNEL32 ref: 00A8212E
        • GetLocalTime.KERNEL32(?,?,?,?,00000000,?), ref: 00A821C7
        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00A82257
        • GetLastError.KERNEL32 ref: 00A82268
        • Sleep.KERNEL32(00000064), ref: 00A8227A
        • CloseHandle.KERNEL32(000000FF), ref: 00A822E9
        Strings
        • %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00A82229
        • pathutil.cpp, xrefs: 00A82153
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime_memset
        • String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
        • API String ID: 820914711-1101990113
        • Opcode ID: c33e3a550a9e6bd5158b2bfee5304403cbe1ee60bd8f2e516d5a1a12144cf8e3
        • Instruction ID: 159891f34c39d31a6ad24263224e00805bc197e6c7e1cc97d835654f12e156a3
        • Opcode Fuzzy Hash: c33e3a550a9e6bd5158b2bfee5304403cbe1ee60bd8f2e516d5a1a12144cf8e3
        • Instruction Fuzzy Hash: 56717371940129AEDB30BBA4DD8DBEDB6B9AB58710F2006E5F519E61A0E7358EC0CF50
        APIs
        • CompareStringW.KERNEL32(00000000,00000000,?,000000FF,00A516FB,000000FF,?,00000000,00A516FB), ref: 00A6540C
        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00A5139F,00A5139F,00A5139F,00A5139F,?,00000000,00A516FB), ref: 00A655A7
        • GetLastError.KERNEL32 ref: 00A655B4
        Strings
        • Failed to append payload cache action., xrefs: 00A65592
        • plan.cpp, xrefs: 00A655DE
        • Failed to append cache action., xrefs: 00A6558A
        • Failed to append package start action., xrefs: 00A6547C
        • Failed to create syncpoint event., xrefs: 00A655E8
        • Failed to append rollback cache action., xrefs: 00A654D6
        • (, xrefs: 00A65419
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CompareCreateErrorEventLastString
        • String ID: ($Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
        • API String ID: 801187047-794669014
        • Opcode ID: 730ba5aad52ca6365a35eb56855f72bbc1b72b15765b0345b188dfb878fd9349
        • Instruction ID: 0ff2a4910c81d5a24b7bfbbb3e832e20a90a70603b1ca9ae5254b9e1992f6c6e
        • Opcode Fuzzy Hash: 730ba5aad52ca6365a35eb56855f72bbc1b72b15765b0345b188dfb878fd9349
        • Instruction Fuzzy Hash: C1713975E00606EFCB15CFA4C995A99BBF5FF08304F1085AAE516DB251E775EA40CF10
        APIs
        • CompareStringW.KERNEL32(0000007F,00000000,FFFFFEE3,000000FF,00A52146,000000FF,00A52146,00A51F0E,00A52146,00A521D2,00A51E8E,00000000,00A521D2,00A51E8E,00A51E22,F08B8007), ref: 00A5522B
        Strings
        • Failed to concat file paths., xrefs: 00A55327
        • Failed to get next stream., xrefs: 00A55315
        • Failed to get directory portion of local file path, xrefs: 00A5532E
        • Failed to extract file., xrefs: 00A5533C
        • Failed to find embedded payload: %ls, xrefs: 00A5531F
        • Failed to ensure directory exists, xrefs: 00A55335
        • payload.cpp, xrefs: 00A552F7
        • X, xrefs: 00A5523A
        • Payload was not found in container: %ls, xrefs: 00A55305
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CompareString
        • String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$X$payload.cpp
        • API String ID: 1825529933-3888727562
        • Opcode ID: a3ca0e38004dc05809b72d09011da333eb02b821d8566a3367dbca98d549a88e
        • Instruction ID: 22b6ed3a466632a5920aac2677d5d3f79dfd73902064d3730d5332598eae1d26
        • Opcode Fuzzy Hash: a3ca0e38004dc05809b72d09011da333eb02b821d8566a3367dbca98d549a88e
        • Instruction Fuzzy Hash: 6841F231D00A04FBCF01AF65CD65A9E7BB2BF407B2F218065EC19AB290E6B1D949DF10
        APIs
        • UuidCreate.RPCRT4(?), ref: 00A52912
        • StringFromGUID2.OLE32(?,?,00000027), ref: 00A52925
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CreateFromStringUuid
        • String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
        • API String ID: 4041566446-2510341293
        • Opcode ID: 32d5d1b5391118c2a7b1211270b3d571a0611582ac865476b936dc0c7f3156be
        • Instruction ID: 4a1c2b7299cd9d4f79b88de8ef46e9e090724be73808d85918f3d43dc27f5004
        • Opcode Fuzzy Hash: 32d5d1b5391118c2a7b1211270b3d571a0611582ac865476b936dc0c7f3156be
        • Instruction Fuzzy Hash: A3317C32E00318EADB10EBE4CD49BEEB7B8BF45711F204526E909FB251D7749909CBA1
        APIs
        • HttpOpenRequestW.WININET(84400200,?,00000000,00000000,00000000,00AA4078,84400200,00000000), ref: 00A766A7
        • GetLastError.KERNEL32(?,?,?,00A76E02,00000000,00000000), ref: 00A766B3
        • HttpAddRequestHeadersW.WININET(00000000,00000000,000000FF,40000000), ref: 00A76701
        • GetLastError.KERNEL32(?,?,?,00A76E02,00000000,00000000), ref: 00A7670B
        • InternetCloseHandle.WININET(00000000), ref: 00A76755
        Strings
        • downloadengine.cpp, xrefs: 00A766D8, 00A76730
        • Failed to allocate string for resource URI., xrefs: 00A76660
        • Failed to append query strong to resource from URI., xrefs: 00A7668C
        • Failed to open internet request., xrefs: 00A766E2
        • Failed to add header to HTTP request., xrefs: 00A7673A
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorHttpLastRequest$CloseHandleHeadersInternetOpen
        • String ID: Failed to add header to HTTP request.$Failed to allocate string for resource URI.$Failed to append query strong to resource from URI.$Failed to open internet request.$downloadengine.cpp
        • API String ID: 3883690129-2273796897
        • Opcode ID: 71ad1ef122de1c5fd2b9d3a60cb81894707091ea2e44522268e2a1fdd87196dd
        • Instruction ID: f536b5bc0de3a6d6485ab68db24e2a4bc1a2ebef1874631976de84a4f94a5ea0
        • Opcode Fuzzy Hash: 71ad1ef122de1c5fd2b9d3a60cb81894707091ea2e44522268e2a1fdd87196dd
        • Instruction Fuzzy Hash: 6D318931340718FFDB21ABA0DD89F6E7AB9EB44F90F20C525F109E6041D6748D404790
        APIs
        • GetSystemTime.KERNEL32(?), ref: 00A598B0
        • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00A598CB
        • GetLastError.KERNEL32 ref: 00A598D4
        • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,?,?,?), ref: 00A5992D
        • GetLastError.KERNEL32 ref: 00A59933
        Strings
        • variable.cpp, xrefs: 00A598F4, 00A59953
        • Failed to get the required buffer length for the Date., xrefs: 00A598FE
        • Failed to get the Date., xrefs: 00A5995D
        • Failed to set variant value., xrefs: 00A59978
        • Failed to allocate the buffer for the Date., xrefs: 00A59917
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: DateErrorFormatLast$SystemTime
        • String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
        • API String ID: 2700948981-3682088697
        • Opcode ID: 743c880e0161dd9ee2acf71826fa4ea791b649dcad32b96924ed047517b4ea61
        • Instruction ID: 0ab18d84c0515db689139429c7f014b84a7090ff0e9cb00b600802afb01cfda6
        • Opcode Fuzzy Hash: 743c880e0161dd9ee2acf71826fa4ea791b649dcad32b96924ed047517b4ea61
        • Instruction Fuzzy Hash: A1319471B0020BFEEB01ABE8CD82FBF76B8BB09705F104439F605F5161E67999098751
        APIs
        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,00A51E12,?), ref: 00A663B0
        • GetLastError.KERNEL32(?,?,?,00A51E12,?), ref: 00A663BD
        • CreateThread.KERNEL32(00000000,00000000,00A661CC,?,00000000,00000000), ref: 00A66415
        • GetLastError.KERNEL32(?,?,?,00A51E12,?), ref: 00A66422
        • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,00A51E12,?), ref: 00A66466
        • CloseHandle.KERNEL32(00000001,?,?,?,00A51E12,?), ref: 00A6647A
        • CloseHandle.KERNEL32(?,?,?,?,00A51E12,?), ref: 00A66487
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
        • String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
        • API String ID: 2351989216-1977201954
        • Opcode ID: b813820c36d5d35666f5ef7b5ac6497eb4b867836b3de1a9afaad72bed50f0be
        • Instruction ID: 05fe88f535d81ebe8435df500616b7abf06b8f50763564bcb21358d8ea954639
        • Opcode Fuzzy Hash: b813820c36d5d35666f5ef7b5ac6497eb4b867836b3de1a9afaad72bed50f0be
        • Instruction Fuzzy Hash: 2031D472D40119BEDB219BA8CD49AAFBBB4EF85710F104526E915F7150E6784E40CBA1
        APIs
        • _memset.LIBCMT ref: 00A59515
        • GetSystemWow64DirectoryW.KERNEL32(?,00000104), ref: 00A59530
        • GetLastError.KERNEL32 ref: 00A5953A
        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00A59579
        • GetLastError.KERNEL32 ref: 00A59583
        Strings
        • Failed to get 32-bit system folder., xrefs: 00A59572
        • Failed to backslash terminate system folder., xrefs: 00A595D6
        • Failed to get 64-bit system folder., xrefs: 00A595B2
        • variable.cpp, xrefs: 00A59568, 00A595A8
        • Failed to set system folder variant value., xrefs: 00A595F2
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: DirectoryErrorLastSystem$Wow64_memset
        • String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
        • API String ID: 3186313095-1590374846
        • Opcode ID: aebdc6436177287f9cfd3740304e886307ae77aca827936e82dbf858541138a7
        • Instruction ID: d1468d6b865cf0d476f2eb72ec6b69c48441556602574b2013eaffe8e00c84a4
        • Opcode Fuzzy Hash: aebdc6436177287f9cfd3740304e886307ae77aca827936e82dbf858541138a7
        • Instruction Fuzzy Hash: EA21E6B2A41226E6D732A7648D09B6B37687F00711F144275FC05EA191FA78CD5C87D1
        APIs
        • WaitForMultipleObjects.KERNEL32(00000002,00A51D72,00000000,000000FF,74DF2F60,00000000,00A51D72,?), ref: 00A75BDC
        • GetLastError.KERNEL32 ref: 00A75BEF
        • GetExitCodeThread.KERNEL32(?,000000FF), ref: 00A75C3E
        • GetLastError.KERNEL32 ref: 00A75C4C
        • ResetEvent.KERNEL32(?), ref: 00A75C8A
        • GetLastError.KERNEL32 ref: 00A75C94
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
        • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
        • API String ID: 2979751695-3400260300
        • Opcode ID: 0895eebd02abfbd2f4e9dcf991fa1dec4b4290d699945bcc0a83b6707439b81a
        • Instruction ID: 2b38ae2f0d637ffb4e542e69238bfb7cf7a98e957c72125a9aa39464215d4aac
        • Opcode Fuzzy Hash: 0895eebd02abfbd2f4e9dcf991fa1dec4b4290d699945bcc0a83b6707439b81a
        • Instruction Fuzzy Hash: B4314F71E40709FFEB11DFA4DE85AADBBB5BB04710F20C979E209E6160E2B59A449B01
        APIs
        • SetEvent.KERNEL32(526A5680,00A52222,00A51E22,?,?,00A700ED,00A52222,00000000,00A51AAE,?,00A5D97B,?,00A51AAE,00A51E12,00A51E12,00000000), ref: 00A75ACA
        • GetLastError.KERNEL32(?,?,00A700ED,00A52222,00000000,00A51AAE,?,00A5D97B,?,00A51AAE,00A51E12,00A51E12,00000000,?,00A51E22,A8AB1868), ref: 00A75AD4
        • WaitForSingleObject.KERNEL32(004005BE,000000FF,?,?,00A700ED,00A52222,00000000,00A51AAE,?,00A5D97B,?,00A51AAE,00A51E12,00A51E12,00000000,?), ref: 00A75B14
        • GetLastError.KERNEL32(?,?,00A700ED,00A52222,00000000,00A51AAE,?,00A5D97B,?,00A51AAE,00A51E12,00A51E12,00000000,?,00A51E22,A8AB1868), ref: 00A75B1E
        • CloseHandle.KERNEL32(004005BE,00000000,00A52222,00A51E22,?,?,00A700ED,00A52222,00000000,00A51AAE,?,00A5D97B,?,00A51AAE,00A51E12,00A51E12), ref: 00A75B70
        • CloseHandle.KERNEL32(526A5680,00000000,00A52222,00A51E22,?,?,00A700ED,00A52222,00000000,00A51AAE,?,00A5D97B,?,00A51AAE,00A51E12,00A51E12), ref: 00A75B7D
        • CloseHandle.KERNEL32(A8AD1468,00000000,00A52222,00A51E22,?,?,00A700ED,00A52222,00000000,00A51AAE,?,00A5D97B,?,00A51AAE,00A51E12,00A51E12), ref: 00A75B8A
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseHandle$ErrorLast$EventObjectSingleWait
        • String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
        • API String ID: 1206859064-226982402
        • Opcode ID: 5b14af40e6319f701b159f6620ca4eeb3999bc23f39c5e70f98679e661a9456f
        • Instruction ID: cf0167e128895348f34a9549ec40fdee864a2185bd3600c8dbd6c7bd20ca7c95
        • Opcode Fuzzy Hash: 5b14af40e6319f701b159f6620ca4eeb3999bc23f39c5e70f98679e661a9456f
        • Instruction Fuzzy Hash: B6318072A00A05EBDB20AFB9CE8596EF7F4BF44310B648A3DE149E3150E7B5ED409B50
        APIs
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast_memset$DirectoryNamePathVolumeWindows
        • String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
        • API String ID: 2690897267-4026719079
        • Opcode ID: 82283c931feb711c06719939a86c53b387f565a78990730d0cdc7a5cc631a1e1
        • Instruction ID: bec5cb3bfcbcb5626ef6d867b6d5ea5b4c998d7285898cbd7ddf1c1ed7318ccc
        • Opcode Fuzzy Hash: 82283c931feb711c06719939a86c53b387f565a78990730d0cdc7a5cc631a1e1
        • Instruction Fuzzy Hash: CC210BB2A41225B6D720ABA49D09F9B765CBF04710F014176FD09FB181E678DE0847E5
        APIs
        • GetWindowLongW.USER32(?,000000EB), ref: 00A65FF6
        • DefWindowProcW.USER32(?,00000082,?,?), ref: 00A6602F
        • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00A6603C
        • SetWindowLongW.USER32(?,000000EB,?), ref: 00A6604B
        • DefWindowProcW.USER32(?,?,?,?), ref: 00A66059
        • CreateCompatibleDC.GDI32(?), ref: 00A66065
        • SelectObject.GDI32(00000000,00000000), ref: 00A66076
        • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00A66094
        • SelectObject.GDI32(00000000,?), ref: 00A6609E
        • DeleteDC.GDI32(00000000), ref: 00A660A1
        • PostQuitMessage.USER32(00000000), ref: 00A660AF
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
        • String ID:
        • API String ID: 409979828-0
        • Opcode ID: ecb40727d9ebb1a70f63e287572e3144ade39016b1326676e3b49ce138007f8f
        • Instruction ID: 46d38b2e9e1aa14a79f77b33fa75cb9b294777b384de97198e3152db7340b567
        • Opcode Fuzzy Hash: ecb40727d9ebb1a70f63e287572e3144ade39016b1326676e3b49ce138007f8f
        • Instruction Fuzzy Hash: F4218376100104BFEB219FA4DC4CD7B3B78FB59360F118526FA16D61A0D6719C11AB61
        APIs
        • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00A51317,00A51717,00A51333,00A516FB,?,00A5139F,00A51717,00A515CF,00A513CF), ref: 00A6403F
        Strings
        • Failed to add registration action for dependent related bundle., xrefs: 00A6430F
        • Failed to allocate registration action., xrefs: 00A640AE
        • Failed to create the string dictionary., xrefs: 00A6407D
        • Failed to add dependent bundle provider key to ignore dependents., xrefs: 00A64191
        • Failed to add registration action for self dependent., xrefs: 00A642D9
        • Failed to add dependents ignored from command-line., xrefs: 00A640F7
        • Failed to check for remaining dependents during planning., xrefs: 00A641D3
        • Failed to add self-dependent to ignore dependents., xrefs: 00A640C7
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CompareString
        • String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.
        • API String ID: 1825529933-2086987450
        • Opcode ID: 5a68489c369aa5cd4a87140d6ed748697ffea55bc78d8a5f9bac8f5347d6b660
        • Instruction ID: 8c3a30b4c353ce8ab634a2f453d9aff471354d346c3ffede6f79cefc104eb4b3
        • Opcode Fuzzy Hash: 5a68489c369aa5cd4a87140d6ed748697ffea55bc78d8a5f9bac8f5347d6b660
        • Instruction Fuzzy Hash: E9B17D71A0071AEFCF20DFA4C981AAEBBB5FF18304F20452AFA15A7151D3719A90DF91
        APIs
        • ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,00000040,74DEDFD0,?,00000002), ref: 00A81B57
        • GetLastError.KERNEL32 ref: 00A81B5D
        • ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,00000000), ref: 00A81BAC
        • GetLastError.KERNEL32 ref: 00A81BB2
        • GetFullPathNameW.KERNEL32(00000000,00000040,?,00000000,?,00000040,74DEDFD0,?,00000002), ref: 00A81C73
        • GetLastError.KERNEL32 ref: 00A81C79
        • GetFullPathNameW.KERNEL32(00000000,00000000,?,00000000,?,00000000), ref: 00A81CCF
        • GetLastError.KERNEL32 ref: 00A81CD5
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
        • String ID: pathutil.cpp
        • API String ID: 1547313835-741606033
        • Opcode ID: 14277fd2459a00fdbc4cd3838834bf85ed5a09ddca2be01126be63e3eb5b88c1
        • Instruction ID: 45c1d68e1e1bed1faf1f8c8700c11cb8ad86086b2b9a94be60443d213b5280db
        • Opcode Fuzzy Hash: 14277fd2459a00fdbc4cd3838834bf85ed5a09ddca2be01126be63e3eb5b88c1
        • Instruction Fuzzy Hash: B4619576D4022AABDB21BBA4CC44FAEBABCAF14750F114565ED01FB150E379DE029B90
        APIs
        • SetFileAttributesW.KERNEL32(?,000000FE,?,00000000,?,?,?,?,?), ref: 00A71CC4
        • GetLastError.KERNEL32(?,?,?,?,?), ref: 00A71CCE
        • CopyFileExW.KERNEL32(?,?,00A7145D,?,?,00000000,?,00000000,?,?,?,?,?,00000000,00000000), ref: 00A71D25
        • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000000,?,?,00A72120,?,00000000,?,00000000,00000001,00000000), ref: 00A71D58
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFileLast$AttributesCopy
        • String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
        • API String ID: 1969131206-836986073
        • Opcode ID: 76891b8d83b8365d6b1813a9fe74ff3a99580642b6e73e7841a7a9fed0d641e8
        • Instruction ID: 149dbf93037aa613a04462bdb3962deaadfbb0e27bf7b6c3c191540016179f5e
        • Opcode Fuzzy Hash: 76891b8d83b8365d6b1813a9fe74ff3a99580642b6e73e7841a7a9fed0d641e8
        • Instruction Fuzzy Hash: 1741E332740606FBEB219F99CD82E7A37E9BF14750F64C438FA0D9A1A1E6B5CD009B50
        APIs
        • CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,000000FF,?,00000000,?,?,?,00A77355,?), ref: 00A768A1
        • GetLastError.KERNEL32(?,?,?,00A77355,?,?,000000FF,?,000000FF,00000000,?,00000001,?,?,WiX\Burn,DownloadTimeout), ref: 00A768AF
        • ReadFile.KERNEL32(00000000,00000008,00000008,00000000,00000000,?,?,?,00A77355,?,?,000000FF,?,000000FF,00000000,?), ref: 00A76904
        • CloseHandle.KERNEL32(000000FF,000000FF), ref: 00A7693A
        • GetLastError.KERNEL32(?,?,?,00A77355,?,?,000000FF,?,000000FF,00000000,?,00000001,?,?,WiX\Burn,DownloadTimeout), ref: 00A76949
        Strings
        • downloadengine.cpp, xrefs: 00A768D9, 00A76973
        • Failed to read resume file: %ls, xrefs: 00A76982
        • Failed to create resume file: %ls, xrefs: 00A768E8
        • Failed to calculate resume path from working path: %ls, xrefs: 00A76879
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFileLast$CloseCreateHandleRead
        • String ID: Failed to calculate resume path from working path: %ls$Failed to create resume file: %ls$Failed to read resume file: %ls$downloadengine.cpp
        • API String ID: 3160720760-919322122
        • Opcode ID: 70f1231f6eddfca57883ea293fa23073df7face75f3243f9345ea8413b92d061
        • Instruction ID: 040850ed1eacc255c5c0fee43e4fdbbba3b1bd5b8a14b7b3b57a2c600b7364d2
        • Opcode Fuzzy Hash: 70f1231f6eddfca57883ea293fa23073df7face75f3243f9345ea8413b92d061
        • Instruction Fuzzy Hash: 80417872A00609FFDB20DFA4CD85B9D7BB5FF08310F20C529F659EA1A0D7719A409B52
        APIs
        • LoadBitmapW.USER32(?,00000001), ref: 00A660ED
        • GetLastError.KERNEL32(?,00000001), ref: 00A660F9
        • GetObjectW.GDI32(00000000,00000018,?), ref: 00A66141
        • GetCursorPos.USER32(?), ref: 00A66162
        • MonitorFromPoint.USER32(?,?,00000002), ref: 00A66174
        • GetMonitorInfoW.USER32(00000000,?), ref: 00A6618A
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
        • String ID: ($Failed to load splash screen bitmap.$splashscreen.cpp
        • API String ID: 2342928100-598475503
        • Opcode ID: 46c1bc96127097954ad474cbd3ab6c32dbdc9d3b520bf156bbc3a3815f1e7afd
        • Instruction ID: 16678acd9be4e07357b6b9fd47ffcf4399bacf3e1b4f7feb5a5e19f98940122f
        • Opcode Fuzzy Hash: 46c1bc96127097954ad474cbd3ab6c32dbdc9d3b520bf156bbc3a3815f1e7afd
        • Instruction Fuzzy Hash: D8315E71A0070AAFEB10DFB8DD45AAEBBF5EF08700F10852DE515E7291EB74E9048B51
        APIs
        Strings
        • Failed to copy string., xrefs: 00A58CE7
        • Failed to format escape sequence., xrefs: 00A58CEE
        • Failed to allocate buffer for escaped string., xrefs: 00A58C58
        • Failed to append characters., xrefs: 00A58CCD
        • []{}, xrefs: 00A58C6B
        • Failed to append escape sequence., xrefs: 00A58CF5
        • [\%c], xrefs: 00A58CA0
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _wcscspnlstrlen
        • String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
        • API String ID: 2089742776-3250950999
        • Opcode ID: f5c54bfc3b793251990221b6f97b030171bf0d459fc03f437f5a977bcde34c77
        • Instruction ID: c5bf75a07aeaf94fca0a44968167b7f5617d55db4a6ec0ef1add1e521ab22722
        • Opcode Fuzzy Hash: f5c54bfc3b793251990221b6f97b030171bf0d459fc03f437f5a977bcde34c77
        • Instruction Fuzzy Hash: E721F533902216BADB12B6948D06BAEB6BCFF10726F200125FD01B6181DE7C9E0897A4
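The block above lists no Win32 calls, only _wcscspn and lstrlen, but its strings ("[]{}", "[\%c]", "Failed to append escape sequence.") are enough to sketch what the routine does. What follows is an added Python reconstruction written for this page, not code from the report or from the sample: it assumes (an inference from those strings and API IDs, not something the report states) that each of the four characters in "[]{}" is rewritten as "[\<char>]" and every other character is copied unchanged. The inverse routine is included so the escaping can be checked for ambiguity on a round trip.

```python
# Added example: reconstruction of the escaping routine implied by the report
# block (strings "[]{}" and "[\%c]", API IDs _wcscspn and lstrlen).
# Assumption, not confirmed by the report: every character in "[]{}" becomes
# the four-character sequence "[\<char>]"; all other characters pass through.

SPECIAL = "[]{}"          # the reject set handed to wcscspn() (xref 00A58C6B)
ESCAPE_FORMAT = "[\\%c]"  # the format string at xref 00A58CA0


def wcscspn(s, start, reject):
    """Length of the run starting at `start` that contains no char from `reject`
    (the C wcscspn semantics the API ID points at)."""
    n = 0
    while start + n < len(s) and s[start + n] not in reject:
        n += 1
    return n


def escape_special_chars(source):
    """Copy plain runs through; rewrite each special char with ESCAPE_FORMAT."""
    out = []
    i = 0
    while i < len(source):
        run = wcscspn(source, i, SPECIAL)
        if run:                                   # "append characters" path
            out.append(source[i:i + run])
            i += run
        if i < len(source):                       # "format/append escape sequence" path
            out.append(ESCAPE_FORMAT % source[i])
            i += 1
    return "".join(out)


def unescape_special_chars(escaped):
    """Inverse transform, used to verify the escaping is lossless."""
    out = []
    i = 0
    while i < len(escaped):
        if (escaped.startswith("[\\", i) and i + 3 < len(escaped)
                and escaped[i + 2] in SPECIAL and escaped[i + 3] == "]"):
            out.append(escaped[i + 2])
            i += 4
        else:
            out.append(escaped[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    sample = "[Var]{x}"                           # constructed input
    esc = escape_special_chars(sample)
    print(esc)
    print(unescape_special_chars(esc) == sample)
```

The round trip matters because the engine later interprets "[...]" as a variable reference; if the escape form were ambiguous, an attacker-controlled string could be re-parsed as a reference, which is exactly what an escaping routine exists to prevent.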
        APIs
        • GetFileVersionInfoSizeW.VERSION(?,?,00AA0B94,00000208,00000000,?,00A7F7A5,?,?,?), ref: 00A85C6E
        • GetLastError.KERNEL32(?,?,00AA0B94,00000208,00000000,?,00A7F7A5,?,?,?), ref: 00A85C84
        • GlobalAlloc.KERNEL32(00000000,?,?,?,00AA0B94,00000208,00000000,?,00A7F7A5,?,?,?), ref: 00A85CB2
        • GetFileVersionInfoW.VERSION(?,?,?,00000000,?,00A7F7A5,?,?,?), ref: 00A85CD6
        • GetLastError.KERNEL32(?,?,?,00000000,?,00A7F7A5,?,?,?), ref: 00A85CDF
        • VerQueryValueW.VERSION(00A7F7A5,00AA0F74,?,?,?,?,?,00000000,?,00A7F7A5,?,?,?), ref: 00A85D0B
        • GetLastError.KERNEL32(00A7F7A5,00AA0F74,?,?,?,?,?,00000000,?,00A7F7A5,?,?,?), ref: 00A85D14
        • GlobalFree.KERNEL32(00A7F7A5), ref: 00A85D50
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$FileGlobalInfoVersion$AllocFreeQuerySizeValue
        • String ID: fileutil.cpp
        • API String ID: 2342464106-2967768451
        • Opcode ID: ab9e3ffea2e85076cc85af512d66b781b252883cee44d9f4a9cd06d1bdd3e66c
        • Instruction ID: e3a67d5d9821d3c8b56b006ac1f8ca002dc20975105b950061834b8c63bed7e7
        • Opcode Fuzzy Hash: ab9e3ffea2e85076cc85af512d66b781b252883cee44d9f4a9cd06d1bdd3e66c
        • Instruction Fuzzy Hash: FD318271E0061ABBDB21AFB9CD05AEEBBB8EF25750F104166FD05E6260E774D9008B91
        APIs
        • GetCurrentProcessId.KERNEL32(00000000,00A5130D,80070642,?,?,00A5130D), ref: 00A52AE7
        • CloseHandle.KERNEL32(000000FF), ref: 00A52B9C
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseCurrentHandleProcess
        • String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
        • API String ID: 2391145178-1352204306
        • Opcode ID: 7ca2c9c729ca03f2f1580656bdbf3e31a36c6487fc42752d9e0989d839f1caf3
        • Instruction ID: d560b5003273a1ecf348369c4bcee370fff95296e42d3fc0eaf2048a9f030291
        • Opcode Fuzzy Hash: 7ca2c9c729ca03f2f1580656bdbf3e31a36c6487fc42752d9e0989d839f1caf3
        • Instruction Fuzzy Hash: D6214A71900208FFDF12EF94CD45DEEBBB8FF59311B10846AF815A2221E7714A59AB61
        APIs
        • GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 00A5933E
        • GetProcAddress.KERNEL32(00000000), ref: 00A59345
        • GetLastError.KERNEL32 ref: 00A5934F
        Strings
        • DllGetVersion, xrefs: 00A59333
        • Failed to find DllGetVersion entry point in msi.dll., xrefs: 00A5937E
        • Failed to get msi.dll version info., xrefs: 00A59398
        • variable.cpp, xrefs: 00A59374
        • msi, xrefs: 00A59338
        • Failed to set variant value., xrefs: 00A593BC
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: AddressErrorHandleLastModuleProc
        • String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
        • API String ID: 4275029093-842451892
        • Opcode ID: 9385da64e09e6426f9dc3b5ef3848b1b9cd9328cb955a28bee3a22952529606c
        • Instruction ID: 0e6d9d4564f5d3cb65d243d1613e93893f4db8662e005564f407241d5956ea68
        • Opcode Fuzzy Hash: 9385da64e09e6426f9dc3b5ef3848b1b9cd9328cb955a28bee3a22952529606c
        • Instruction Fuzzy Hash: 0A11EC72600626FAD710ABFDDD05ABFB6A8BF08721F010539FA05EE1D1D674D90443D1
        APIs
        • LoadLibraryW.KERNEL32(?,?,?,00A517CA,?,00000000,?,?,00000000,00000000,?,?,?,00A51E12,?), ref: 00A5BA53
        • GetLastError.KERNEL32(?,00A517CA,?,00000000,?,?,00000000,00000000,?,?,?,00A51E12,?), ref: 00A5BA60
        • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00A5BA99
        • GetLastError.KERNEL32(?,00A517CA,?,00000000,?,?,00000000,00000000,?,?,?,00A51E12,?), ref: 00A5BAA3
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$AddressLibraryLoadProc
        • String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
        • API String ID: 1866314245-2276003667
        • Opcode ID: 65896f18fb9ce20dcb8828fcd752cf658e6554224215f87d2532bb14e8851177
        • Instruction ID: f793ddfe0fea630ba7b1c633540bab4a5b3b814ebfd7d76da36968931d65c731
        • Opcode Fuzzy Hash: 65896f18fb9ce20dcb8828fcd752cf658e6554224215f87d2532bb14e8851177
        • Instruction Fuzzy Hash: E711C632B91723BBD72157689C09F563AD4BF10BF3F054525FE04E6250E765C80047E0
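The String IDs in these blocks keep naming source files (variable.cpp, cabextract.cpp, userexperience.cpp, downloadengine.cpp, apply.cpp, pathutil.cpp, fileutil.cpp, splashscreen.cpp), the BootstrapperApplicationCreate export resolved with GetProcAddress, a WiX\Burn registry key passed through a GetLastError call site, and the "-q -%ls %ls %ls %u" launch pattern with the burn.elevated switch and the runas verb. When triaging a report of this length it is faster to pull those indicators out of the function blocks programmatically than to read hundreds of blocks by hand. The script below is an added example written for this page, not part of Joe Sandbox or of the sample; SAMPLE_REPORT is constructed from three blocks of this report, abbreviated to the lines the parser uses, and the set of file names treated as WiX Burn engine sources is an assumption based on the names themselves.

```python
import re
from collections import Counter

# Constructed sample input: three function blocks abbreviated from the report
# above (same API lines and String IDs, metadata lines dropped). Not a full report.
SAMPLE_REPORT = """\
APIs
• GetCurrentProcessId.KERNEL32(00000000,00A5130D,80070642,?,?,00A5130D), ref: 00A52AE7
• CloseHandle.KERNEL32(000000FF), ref: 00A52B9C
Strings
Similarity
• API ID: CloseCurrentHandleProcess
• String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
• API String ID: 2391145178-1352204306
APIs
• LoadLibraryW.KERNEL32(?,?,?,00A517CA,?,00000000,?,?,00000000,00000000,?,?,?,00A51E12,?), ref: 00A5BA53
• GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00A5BA99
Strings
Similarity
• API ID: ErrorLast$AddressLibraryLoadProc
• String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
• API String ID: 1866314245-2276003667
APIs
• CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,000000FF,?,00000000,?,?,?,00A77355,?), ref: 00A768A1
• GetLastError.KERNEL32(?,?,?,00A77355,?,?,000000FF,?,000000FF,00000000,?,00000001,?,?,WiX\\Burn,DownloadTimeout), ref: 00A768AF
Strings
• downloadengine.cpp, xrefs: 00A768D9, 00A76973
Similarity
• API ID: ErrorFileLast$CloseCreateHandleRead
• String ID: Failed to calculate resume path from working path: %ls$Failed to create resume file: %ls$Failed to read resume file: %ls$downloadengine.cpp
• API String ID: 3160720760-919322122
"""

# One API entry: "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR"
API_LINE = re.compile(
    r"^• (?P<name>\w+)\.(?P<module>\w+)"   # e.g. CreateFileW.KERNEL32
    r"(?:\((?P<args>.*)\))?"                # optional argument list
    r",? ref: (?P<ref>[0-9A-Fa-f]+)$"       # call-site address
)
STRING_ID = "• String ID: "

# Assumption: these names (all taken from the report's String IDs) are
# WiX Burn engine / dutil source files.
BURN_SOURCE_FILES = {
    "variable.cpp", "cabextract.cpp", "userexperience.cpp", "downloadengine.cpp",
    "apply.cpp", "pathutil.cpp", "fileutil.cpp", "splashscreen.cpp",
}


def parse_blocks(report_text):
    """Split the report into per-function blocks; each begins with 'APIs'."""
    blocks, current = [], None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"apis": [], "strings": [], "source_files": set()}
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            current["apis"].append({
                "name": m.group("name"), "module": m.group("module"),
                "args": (m.group("args") or "").split(","), "ref": m.group("ref"),
            })
        elif line.startswith(STRING_ID):
            for s in line[len(STRING_ID):].split("$"):   # '$' separates entries
                if s:
                    current["strings"].append(s)
                    if s.endswith(".cpp"):
                        current["source_files"].add(s)
    return blocks


def summarize(blocks):
    """Count functions per engine source file and flag Burn-specific indicators."""
    files, indicators = Counter(), set()
    for b in blocks:
        for f in b["source_files"]:
            if f in BURN_SOURCE_FILES:
                files[f] += 1
        strings = set(b["strings"])
        if "burn.elevated" in strings:
            indicators.add("burn_elevated_switch")     # child run as '-q -burn.elevated ...'
        if "runas" in strings:
            indicators.add("shellexecute_runas_verb")  # elevation through the runas verb
        if "BootstrapperApplicationCreate" in strings:
            indicators.add("ba_dll_entrypoint")
        for api in b["apis"]:
            if "BootstrapperApplicationCreate" in api["args"]:
                indicators.add("ba_dll_entrypoint")     # GetProcAddress of the UX DLL export
            if "WiX\\Burn" in api["args"]:
                indicators.add("wix_burn_registry_key")
    return {"source_files": files, "indicators": indicators}


if __name__ == "__main__":
    s = summarize(parse_blocks(SAMPLE_REPORT))
    for f, n in sorted(s["source_files"].items()):
        print(f"{f}: {n} function(s)")
    print("indicators:", ", ".join(sorted(s["indicators"])))
```

Feed the text of the whole report section in place of SAMPLE_REPORT to get a per-file function count and the indicator set for the real sample; the parser keys only on the report's own "APIs" and "• String ID:" markers and needs nothing beyond the standard library. The output attributes the engine code to its origin, which is the question the detection list at the top of the report leaves open; it does not by itself say anything about the payloads the bootstrapper carries.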
        APIs
        • EnterCriticalSection.KERNEL32(?), ref: 00A62570
        • LeaveCriticalSection.KERNEL32(?), ref: 00A626E3
        Strings
        • Engine is active, cannot change engine state., xrefs: 00A6258A
        • UX requested unknown payload with id: %ls, xrefs: 00A625BD
        • UX did not provide container or payload id., xrefs: 00A62655
        • UX denied while trying to set download URL on embedded payload: %ls, xrefs: 00A625D3
        • Failed to set download user., xrefs: 00A6267C
        • Failed to set download URL., xrefs: 00A62602
        • UX requested unknown container with id: %ls, xrefs: 00A62635
        • Failed to set download password., xrefs: 00A626A0
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalSection$EnterLeave
        • String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
        • API String ID: 3168844106-2615595102
        • Opcode ID: 3c73af6ea4386e83f3e1896d8483b7f8992cf9d1306b3efd18084b3f0c5353a2
        • Instruction ID: 59a875db41e56ddb43653d737489ffa875ea8e5bd2e9aa154f7101fc68312727
        • Opcode Fuzzy Hash: 3c73af6ea4386e83f3e1896d8483b7f8992cf9d1306b3efd18084b3f0c5353a2
        • Instruction Fuzzy Hash: 7E41B179740A04AFCB20EF98CD85EAAB3FCEF497507648905F905E7251E3B5ED818B60
        APIs
        • EnterCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,00A5FBE7,00000001,00000000,?,00A7387B,?,00A7387B,?,?,00A7387B), ref: 00A58D32
        • LeaveCriticalSection.KERNEL32(?,?,00A7387B,?,?,?,?,00A5FBE7,00000001,00000000,?,00A7387B,?,00A7387B,?,?), ref: 00A58E55
        Strings
        • Failed to write variable name., xrefs: 00A58E36
        • Failed to write variable value type., xrefs: 00A58E3D
        • Failed to write variable value as string., xrefs: 00A58E1C
        • Failed to write variable count., xrefs: 00A58D4E
        • 0, xrefs: 00A58DFA
        • Unsupported variable type., xrefs: 00A58E28
        • Failed to write included flag., xrefs: 00A58E2F
        • Failed to write variable value as number., xrefs: 00A58E44
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalSection$EnterLeave
        • String ID: 0$Failed to write included flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.
        • API String ID: 3168844106-1107513445
        • Opcode ID: 06145b1840124603d71b4ea8782cc273b09817be3b5b01f1093552f52992d4c4
        • Instruction ID: c11bcc7030cd89bd754aaa5f684d505d7d32c6daf04b3ec32d45a0543cb60c13
        • Opcode Fuzzy Hash: 06145b1840124603d71b4ea8782cc273b09817be3b5b01f1093552f52992d4c4
        • Instruction Fuzzy Hash: 27318F3650060AEF8F12AF64CC4296E3BB6FF54751B144829FD16B62A0DE35EC15AB10
        APIs
        • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A57D4F
        • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A57D74
        Strings
        • Failed to format product code string., xrefs: 00A57D7F
        • Failed to get component path: %d, xrefs: 00A57DD7
        • MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 00A57E65
        • Failed to set variable., xrefs: 00A57E55
        • Failed to format component id string., xrefs: 00A57D5A
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Open@16
        • String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
        • API String ID: 3613110473-1671347822
        • Opcode ID: 79ed09c8800437ec6a8bf917bbdedddff1e9323e8884671f09db819486569846
        • Instruction ID: 6bd61c2508915e81047dc1c241336907c37599f3aad1002175c5b7b679fd2d30
        • Opcode Fuzzy Hash: 79ed09c8800437ec6a8bf917bbdedddff1e9323e8884671f09db819486569846
        • Instruction Fuzzy Hash: 6F41D772908309BECF25AB94ED87C7E7676FF40312B64496AFD05B1151D7308E489B11
        APIs
        Strings
        • Failed to read package id., xrefs: 00A60D22
        • Failed to execute MSU package., xrefs: 00A60DF3
        • Failed to read rollback., xrefs: 00A60D85
        • Failed to find package: %ls, xrefs: 00A60DC2
        • Failed to read action., xrefs: 00A60D64
        • Failed to read StopWusaService., xrefs: 00A60DA3
        • Failed to read package log., xrefs: 00A60D43
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memset
        • String ID: Failed to execute MSU package.$Failed to find package: %ls$Failed to read StopWusaService.$Failed to read action.$Failed to read package id.$Failed to read package log.$Failed to read rollback.
        • API String ID: 2102423945-2413426928
        • Opcode ID: e8cb65969f6d145495cd67ca7c0cadb4f594ec9b4ca7e6d207d671a4656b24f1
        • Instruction ID: 6fa3cdffe10df4e2856fd8c92133b78229b7c20b68008c835b3e00b5d7755cdf
        • Opcode Fuzzy Hash: e8cb65969f6d145495cd67ca7c0cadb4f594ec9b4ca7e6d207d671a4656b24f1
        • Instruction Fuzzy Hash: 58416C72D40528FFCF11EAE0CE41DEFB7BCAE54750B204A62F925B2110E2715F959BA1
        APIs
        • CoCreateInstance.OLE32(00A9E7C0,00000000,00000017,00A9E7D0,?,00000000,00000000,?,?,?,?,?,?,?,00A77AFD,?), ref: 00A774D1
        Strings
        • Failed to set notification flags for BITS job., xrefs: 00A7751C
        • Failed to set BITS job to low priority., xrefs: 00A77539
        • WixBurn, xrefs: 00A774F5
        • Failed to create BITS job., xrefs: 00A77504
        • Failed to set BITS job to foreground., xrefs: 00A77563
        • Failed to set progress timeout., xrefs: 00A7754C
        • Failed to create IBackgroundCopyManager., xrefs: 00A774DD
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CreateInstance
        • String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set BITS job to low priority.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
        • API String ID: 542301482-4242919803
        • Opcode ID: 0e553fee36768c96070a4eea6dc1834d863dff9ed49f79bedc130debf58db577
        • Instruction ID: 0f147183873104f9e561bd2d73ee9aa827f0ff91af30a75524b358d68c3a0063
        • Opcode Fuzzy Hash: 0e553fee36768c96070a4eea6dc1834d863dff9ed49f79bedc130debf58db577
        • Instruction Fuzzy Hash: AD316D71A04219EFDB10DFA4CC85CAEB7F8AB48714B10C969E60AEB280D6749D42CB91
        APIs
        • WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,00000000,?,00000000,00000000,00A51E12,00000000,00000000,?,?), ref: 00A53866
        • GetLastError.KERNEL32(?,?,?,00A51AC0,?,?,00000000,?,?,00000000,?,?,?,?,?,00000001), ref: 00A53871
        Strings
        • Failed to post terminate message to child process cache thread., xrefs: 00A53836
        • pipe.cpp, xrefs: 00A53896
        • Failed to write restart to message buffer., xrefs: 00A537FF
        • Failed to wait for child process exit., xrefs: 00A538A0
        • Failed to write exit code to message buffer., xrefs: 00A537E2
        • Failed to post terminate message to child process., xrefs: 00A53852
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLastObjectSingleWait
        • String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
        • API String ID: 1211598281-2161881128
        • Opcode ID: ed4971d26197fd74eb6ccd451d95db71ffd5e0f38e53419cbb68870b4cfdeeb1
        • Instruction ID: 88ff42b01223c817c5170f521e808025759c1698b1172e28defc86ea97ccf34f
        • Opcode Fuzzy Hash: ed4971d26197fd74eb6ccd451d95db71ffd5e0f38e53419cbb68870b4cfdeeb1
        • Instruction Fuzzy Hash: DD21E533A00225BBDF169AA4CC45E9E7B68BF54772F104665FE00F6290D774DB0857A0
        APIs
        • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A575C3
        • GetFileAttributesW.KERNEL32(?,?,?,?,00000000,?,?,00000000,?,00A58B70,?,?,?,?,?,?), ref: 00A575DB
        • GetLastError.KERNEL32(?,00A58B70,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00A575E6
        Strings
        • Failed to format variable string., xrefs: 00A575CE
        • search.cpp, xrefs: 00A57617
        • File search: %ls, did not find path: %ls, xrefs: 00A57639
        • Failed to set variable., xrefs: 00A5766C
        • Failed get to file attributes. '%ls', xrefs: 00A57624
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: AttributesErrorFileLastOpen@16
        • String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
        • API String ID: 1811509786-2053429945
        • Opcode ID: f27557f9a285bc0d2dc43568627f3607486d4ecd857436da68dc40b4ad4ff831
        • Instruction ID: 62f8d122ac6bb61a4b27b658053e07d7f9e18c6c7c69bb45fe062c91fdaa5b29
        • Opcode Fuzzy Hash: f27557f9a285bc0d2dc43568627f3607486d4ecd857436da68dc40b4ad4ff831
        • Instruction Fuzzy Hash: 6F216832A44915FAEB126BACED4AA7D7A26FF21352F104161FD00B6190D731CE18A3A1
        APIs
        • RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00A59B7F
          • Part of subcall function 00A831D0: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00A61F19,00000000,00A61F19,00000002,00000009,00000000,00A61F19,00000000,?,?,?), ref: 00A83241
          • Part of subcall function 00A831D0: RegQueryValueExW.ADVAPI32(?,00A61F19,00000000,?,00A61F19,?,00A61F19,?), ref: 00A8327A
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: QueryValue$Close
        • String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
        • API String ID: 1979452859-3209209246
        • Opcode ID: fb85087fa4842907c47f7964ec2afebd3a01b314e625be0d87b197b6ef8b77d9
        • Instruction ID: da67dc6400e4ba6b76b5b708c50024d60affc2ce8dba074a715d7efecfea372f
        • Opcode Fuzzy Hash: fb85087fa4842907c47f7964ec2afebd3a01b314e625be0d87b197b6ef8b77d9
        • Instruction Fuzzy Hash: 7701F532E40129FBEB22B654EC06E9F7668FB64B62F214235FC04BA210D7B08F1493D1
        APIs
          • Part of subcall function 00A61BBB: RegCloseKey.ADVAPI32(?,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,?,00000001,?,?,?,00A61F19,00000000,?,?,?), ref: 00A61C48
        • Sleep.KERNEL32(000007D0,00000001,00000000,Setup,00000000,log,0000000D,00000000,00000000,?,?,?), ref: 00A61FA8
        Strings
        • Failed to copy log extension to extension., xrefs: 00A62101
        • Failed to open log: %ls, xrefs: 00A62022
        • Setup, xrefs: 00A61F5D
        • Failed to get current directory., xrefs: 00A61F94
        • Failed to copy log path to prefix., xrefs: 00A620E2
        • Failed to copy full log path to prefix., xrefs: 00A6211C
        • log, xrefs: 00A61F57
        • Failed to get non-session specific TEMP folder., xrefs: 00A6205A
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseSleep
        • String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$log
        • API String ID: 2834455192-2818506709
        • Opcode ID: ca97f05cc2fbd345b0680241e9cfe9412d5dd3ffd1025beb33d6b58af27ac902
        • Instruction ID: b28228a9204cc257f51c6251f3442e5ced3f13c817ebd2ba6af575428a58df7d
        • Opcode Fuzzy Hash: ca97f05cc2fbd345b0680241e9cfe9412d5dd3ffd1025beb33d6b58af27ac902
        • Instruction Fuzzy Hash: C971C471A0460AFFCF20AFA0CD81AADBBB9FF05344F24892AF60597151D3719E81DB51
        APIs
          • Part of subcall function 00A81AE4: lstrlenW.KERNEL32(00000000,00000000,?,00A82045,?,00000000,00000000,?,?,00A675E5,?,00000000,00000000,00000000), ref: 00A81AEC
          • Part of subcall function 00A85710: _memset.LIBCMT ref: 00A8573B
          • Part of subcall function 00A85710: FindFirstFileW.KERNELBASE(00000000,?,00000000,?,80070002), ref: 00A8574B
          • Part of subcall function 00A85710: FindClose.KERNEL32(00000000), ref: 00A85757
        • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 00A68674
        Strings
        • Failed to copy source path., xrefs: 00A686C2, 00A686E9
        • Failed to combine last source with source., xrefs: 00A68630
        • WixBundleLastUsedSource, xrefs: 00A6859F
        • WixBundleOriginalSource, xrefs: 00A685BA
        • Failed to get current process directory., xrefs: 00A68615
        • Failed to get path to current process., xrefs: 00A685F7
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Find$CloseCompareFileFirstString_memsetlstrlen
        • String ID: Failed to combine last source with source.$Failed to copy source path.$Failed to get current process directory.$Failed to get path to current process.$WixBundleLastUsedSource$WixBundleOriginalSource
        • API String ID: 263632599-10224182
        • Opcode ID: a75fbf1e553718a9bed4bd1d0ac23595239042ed491175f5b9f4b746d17a5f68
        • Instruction ID: ec9fb28afa1a1b2fc7f72d99f8b3d0dd9c0b22b038f00b6b14eeb585f873d1a8
        • Opcode Fuzzy Hash: a75fbf1e553718a9bed4bd1d0ac23595239042ed491175f5b9f4b746d17a5f68
        • Instruction Fuzzy Hash: 61514CB1D0121AEFCF10EFA0CE858EEBBB9FF08344F20463AE615B2151DB759A419B55
        APIs
        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A76B50
        • GetLastError.KERNEL32(?,?,?,00A76E24,00000000,?,00000000,?,00000000,00000000,00000001,?), ref: 00A76B5A
        Strings
        • Failed to get redirect url: %ls, xrefs: 00A76CF6
        • Unknown HTTP status code %d, returned from URL: %ls, xrefs: 00A76BF4
        • Failed to send request to URL: %ls, trying to process HTTP status code anyway., xrefs: 00A76B72
        • Failed to get HTTP status code for failed request to URL: %ls, xrefs: 00A76B92
        • Failed to get HTTP status code for request to URL: %ls, xrefs: 00A76CED
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorHttpLastRequestSend
        • String ID: Failed to get HTTP status code for failed request to URL: %ls$Failed to get HTTP status code for request to URL: %ls$Failed to get redirect url: %ls$Failed to send request to URL: %ls, trying to process HTTP status code anyway.$Unknown HTTP status code %d, returned from URL: %ls
        • API String ID: 4088757929-2903077892
        • Opcode ID: 559d73cbd43abd5b7c9132b6df1eaa7c5858e0deefa91991e5f0b5a3ce9a6bc8
        • Instruction ID: 5ed2059f6b707ab7eb2e5943fdc485ac3bed312ead685e345423fb7a75e64882
        • Opcode Fuzzy Hash: 559d73cbd43abd5b7c9132b6df1eaa7c5858e0deefa91991e5f0b5a3ce9a6bc8
        • Instruction Fuzzy Hash: 94410672A50C26E7DF369B68CD49FAA3A68EB05350F24C125FC4DEB251E2648D00D7E1
        APIs
          • Part of subcall function 00A8233B: GetProcessHeap.KERNEL32(?,?,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000), ref: 00A8234C
          • Part of subcall function 00A8233B: RtlAllocateHeap.NTDLL(00000000,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000,00000000), ref: 00A82353
        • LookupAccountNameW.ADVAPI32(00000000,000000FF,?,?,00000000,000000FF,?), ref: 00A7FBA2
        • GetLastError.KERNEL32 ref: 00A7FBB2
        • GetLastError.KERNEL32(?,00000044,00000001), ref: 00A7FBD4
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorHeapLast$AccountAllocateLookupNameProcess
        • String ID: D$aclutil.cpp
        • API String ID: 1410359055-2185417647
        • Opcode ID: 5e663d15ef552408b3a8f1f2569b77804014c01dde7aa45613118341fe057335
        • Instruction ID: f38333b8491101d2a5488d30ea7a712da570bdcf5643703ce9fd94c702ce5bd4
        • Opcode Fuzzy Hash: 5e663d15ef552408b3a8f1f2569b77804014c01dde7aa45613118341fe057335
        • Instruction Fuzzy Hash: ED417F72D0021EBEDF229B94CD55BAEBBB8AF00354F14C175A908FA150D375CF04AB90
        APIs
        • RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,00000000,00000001,?,000000F9,00000001,?,00000105,00000000,?,?), ref: 00A557A3
        • RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,00000000,00000001,?,000000F9,00000001,?,00000105,00000000,?,?), ref: 00A557B0
        Strings
        • Failed to open registration key., xrefs: 00A55713
        • %ls.RebootRequired, xrefs: 00A5569F
        • Failed to read Resume value., xrefs: 00A5573E
        • Failed to format pending restart registry key to read., xrefs: 00A556BF
        • Resume, xrefs: 00A5571E
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Close
        • String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
        • API String ID: 3535843008-3890505273
        • Opcode ID: ccc349088160ebc8bfb370777a65b85b4651ecd18238a06e54b18e9d3046182f
        • Instruction ID: b569c557e5ff2ea0e1835f2c4add14fc82fcc6a02c1a2b8e4a4a064938085174
        • Opcode Fuzzy Hash: ccc349088160ebc8bfb370777a65b85b4651ecd18238a06e54b18e9d3046182f
        • Instruction Fuzzy Hash: 7E416076D00A08EFCB11AFA4C890AAEB7B5FF48711F55886AED15A7250D7709E04DB50
        APIs
        • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?,7FFFFFFF,?,?,7FFFFFFF,?,00000000,?,00000000), ref: 00A693B7
        • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,00A7244D,000000FF,00A7244D,WixBundleLastUsedSource,00A7244D,?,?,?,?,?,00A7244D,?), ref: 00A693FE
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CompareString
        • String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
        • API String ID: 1825529933-660234312
        • Opcode ID: 8c5432b1108d5f80d85645b0cdc1b344a364d7f329da3f9f803ba235808fafdd
        • Instruction ID: b7add37d61d20ad7bc55ce3719474a375bd9bd6587498457c32ef578e9299e14
        • Opcode Fuzzy Hash: 8c5432b1108d5f80d85645b0cdc1b344a364d7f329da3f9f803ba235808fafdd
        • Instruction Fuzzy Hash: 6C31A031A04219BBCF019FA5CC49EAFBBBDBF54360F208626F524EA1D0DB709A01DB50
        APIs
        Strings
        • Failed to read package id from message buffer., xrefs: 00A5F593
        • Failed to copy installed ProductCode., xrefs: 00A5F620
        • Failed to find package: %ls, xrefs: 00A5F5B5
        • Failed to load compatible package., xrefs: 00A5F651
        • Failed to read installed version from message buffer., xrefs: 00A5F601
        • Failed to read installed ProductCode from message buffer., xrefs: 00A5F5E1
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memset
        • String ID: Failed to copy installed ProductCode.$Failed to find package: %ls$Failed to load compatible package.$Failed to read installed ProductCode from message buffer.$Failed to read installed version from message buffer.$Failed to read package id from message buffer.
        • API String ID: 2102423945-2628348887
        • Opcode ID: da7aa8e1e6e70a900472be2482dea9b2155072c31ee031093d38a3b634ce1c90
        • Instruction ID: 7afe5387bebc5560cc2b6f635f0ce5122b25f4145c2f12dc349b478e46fbcc4b
        • Opcode Fuzzy Hash: da7aa8e1e6e70a900472be2482dea9b2155072c31ee031093d38a3b634ce1c90
        • Instruction Fuzzy Hash: 69316972900118BFCF11EAA4DE41DEEBBB9BF68311F104666FD14B7120E7318A599B90
        APIs
          • Part of subcall function 00A54D1E: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,?,000000FF,00000000,00000000,?,?,?,00A5F152,?,?,?,?), ref: 00A54D43
        • CreateFileW.KERNEL32(00A5222A,80000000,00000005,00000000,00000003,08000000,00000000,00A5222A,390002D6,00000000,00A51E8E,15FF3675,00A51F0E,00A51AAE,00A51E22,00000000), ref: 00A53D7B
          • Part of subcall function 00A68A1A: _memset.LIBCMT ref: 00A68A74
        • GetLastError.KERNEL32 ref: 00A53DC4
        Strings
        • Failed to verify catalog signature: %ls, xrefs: 00A53DFD
        • Failed to get catalog local file path, xrefs: 00A53DB5
        • catalog.cpp, xrefs: 00A53DE6
        • Failed to open catalog in working path: %ls, xrefs: 00A53DF3
        • Failed to find payload for catalog file., xrefs: 00A53DAE
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CompareCreateErrorFileLastString_memset
        • String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
        • API String ID: 3205693548-48089280
        • Opcode ID: 086bc30a395c836a438d6a22bfcf73f5a074352bc8ab3ddd9a933e78525a930c
        • Instruction ID: bf1f938875d573979e70b3a5b9548489ae9af9f652cd706ecd32b27d0a595d92
        • Opcode Fuzzy Hash: 086bc30a395c836a438d6a22bfcf73f5a074352bc8ab3ddd9a933e78525a930c
        • Instruction Fuzzy Hash: 7A31E237500205BBDB11AB98CD02F5EBBF5BFC4791F208415FD05AB2A0D771EA059B50
        APIs
        • WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,?,00000000), ref: 00A7495D
        • ReleaseMutex.KERNEL32(?), ref: 00A7497D
        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A749BF
        • ReleaseMutex.KERNEL32(?), ref: 00A749D2
        • SetEvent.KERNEL32(?), ref: 00A749DB
        Strings
        • Failed to send files in use message from netfx chainer., xrefs: 00A74A1C
        • Failed to get message from netfx chainer., xrefs: 00A749F6
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: MutexObjectReleaseSingleWait$Event
        • String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
        • API String ID: 2608678126-3424578679
        • Opcode ID: 28ead585c83ad16d4929455c1ac0f3d67c305773a47da221c37c398b881ae858
        • Instruction ID: 3f9913dd8f7749cd250a9ee99af971b9e1a37ce38ab330be94040c5f8696ad2e
        • Opcode Fuzzy Hash: 28ead585c83ad16d4929455c1ac0f3d67c305773a47da221c37c398b881ae858
        • Instruction Fuzzy Hash: 1A31E631500204AFCF128BA9CC45EDEFBF5AF58320F14C629E569A61A1D775D545CB50
        APIs
        • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A574F2
        • GetFileAttributesW.KERNEL32(00000000,?,?,00000000,00000000,?,00000000,?,00A58B81,?,?,?), ref: 00A57507
        • GetLastError.KERNEL32(?,00A58B81,?,?,?), ref: 00A57512
        Strings
        • Failed to format variable string., xrefs: 00A574FD
        • Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 00A57587
        • Failed while searching directory search: %ls, for path: %ls, xrefs: 00A57571
        • Failed to set directory search path variable., xrefs: 00A57544
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: AttributesErrorFileLastOpen@16
        • String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
        • API String ID: 1811509786-2966038646
        • Opcode ID: 5e9d6beda22e6cc34899dd90e2892f9539f4e69760672694864159cf5d0bb8ba
        • Instruction ID: 728dab558e9250d82f1ea7093d0f63a1ec903eaefd966662998972f91427f091
        • Opcode Fuzzy Hash: 5e9d6beda22e6cc34899dd90e2892f9539f4e69760672694864159cf5d0bb8ba
        • Instruction Fuzzy Hash: 35210532944121FBDB22AB94ED06B9D7A25FF15362F204221FD04B61A0E7369F18E7D1
        APIs
        • _memset.LIBCMT ref: 00A67678
        • GetTempPathW.KERNEL32(00000104,?,?,?,?), ref: 00A6768C
        • GetLastError.KERNEL32(?,?,?), ref: 00A67696
        Strings
        • Failed to append bundle id on to temp path for working folder., xrefs: 00A676E8
        • Failed to get temp path for working folder., xrefs: 00A676C5
        • %ls%ls\, xrefs: 00A676D4
        • cache.cpp, xrefs: 00A676BB
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLastPathTemp_memset
        • String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to get temp path for working folder.$cache.cpp
        • API String ID: 623060366-3390808230
        • Opcode ID: 19abf5d5cc2ade04c1c0f999afa5bd462659d5c13a5eee24723e9914f4300002
        • Instruction ID: f02468ecbb32094463252e9294641742c1259f370ad1865fbf745bef330f3f34
        • Opcode Fuzzy Hash: 19abf5d5cc2ade04c1c0f999afa5bd462659d5c13a5eee24723e9914f4300002
        • Instruction Fuzzy Hash: 4A014E75B4572577E720B768DD0AF6E37E89F00B14F104565FD04E62C1FAA88E0047D5
        APIs
        • WaitForSingleObject.KERNEL32(?,000493E0,00000000,?,?,00A61236,00000000,?,00A60EE7,?,00000000,?,?,?,00A51DEA,?), ref: 00A5E8B5
        • GetLastError.KERNEL32(?,?,00A61236,00000000,?,00A60EE7,?,00000000,?,?,?,00A51DEA,?,?), ref: 00A5E8BF
        • GetExitCodeThread.KERNEL32(?,?,?,?,00A61236,00000000,?,00A60EE7,?,00000000,?,?,?,00A51DEA,?,?), ref: 00A5E8FC
        • GetLastError.KERNEL32(?,?,00A61236,00000000,?,00A60EE7,?,00000000,?,?,?,00A51DEA,?,?), ref: 00A5E906
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$CodeExitObjectSingleThreadWait
        • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
        • API String ID: 3686190907-1954264426
        • Opcode ID: 65cd4ed503890975a7306ffd2190a66c428f7291593a84200002cf276a095ebc
        • Instruction ID: 37882e4c65602ccb247e51e5f686c6d6729c771bb2197415f8eecde6a5034bfb
        • Opcode Fuzzy Hash: 65cd4ed503890975a7306ffd2190a66c428f7291593a84200002cf276a095ebc
        • Instruction Fuzzy Hash: 7A012872B41222B7E734DBA59D0AB6BB9D8BF04BA2F004135FD08F9191E678CE0143D5
        APIs
        • WaitForSingleObject.KERNEL32(00000001,000000FF,?,?,00A5C689,?,00A5138B,00000000,?,00A513BB,00000001), ref: 00A5C1ED
        • GetLastError.KERNEL32(?,?,00A5C689,?,00A5138B,00000000,?,00A513BB,00000001), ref: 00A5C1F7
        • GetExitCodeThread.KERNEL32(00000001,00000000,?,?,00A5C689,?,00A5138B,00000000,?,00A513BB,00000001), ref: 00A5C239
        • GetLastError.KERNEL32(?,?,00A5C689,?,00A5138B,00000000,?,00A513BB,00000001), ref: 00A5C243
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$CodeExitObjectSingleThreadWait
        • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
        • API String ID: 3686190907-2546940223
        • Opcode ID: 07fb043aafbf157ed263d79e1dafc49079e6800db98ea605bad069b9d5f97dd2
        • Instruction ID: 5a2b3c68ed1c3c9c9e78eff709526595f85d42730917eba47ac7e974f8136e23
        • Opcode Fuzzy Hash: 07fb043aafbf157ed263d79e1dafc49079e6800db98ea605bad069b9d5f97dd2
        • Instruction Fuzzy Hash: 6E117071A4030BFEEF10EBE1DE06B9D7AA4BF14762F204129A800E51A0E779CB009B55
        APIs
          • Part of subcall function 00A81FE9: SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00A6745F,-0000001C,00000000,00000000,?,?,00A68DEB), ref: 00A8200A
        • lstrlenA.KERNEL32(E900A8E1,00000000,00A513BB,00000000,00A513BB,00A57081,00A57081,?,DC683C79,00A513BB,00A57065,?,UninstallString,00A513BB), ref: 00A55F5B
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: FolderPathlstrlen
        • String ID: Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to find local %hs appdata directory.$Failed to write tag xml to file: %ls$UninstallString$per-machine$per-user
        • API String ID: 3664928333-3308940114
        • Opcode ID: 0a828c06ff37c21c714f129643e2cfcbe2933c6a8dc52fe565ea69e4bb1223d7
        • Instruction ID: b4eb8a03ebd4985be8d7935541fd85a794b78c8070e59e4db4883a99bc89c143
        • Opcode Fuzzy Hash: 0a828c06ff37c21c714f129643e2cfcbe2933c6a8dc52fe565ea69e4bb1223d7
        • Instruction Fuzzy Hash: 2A31BE72D00A19FBCF12BBA4CD0199DBBB5FF44B12F208066F805A7251DB31DA48AB90
        APIs
        • SetFileAttributesW.KERNEL32(?,000000FE,?,00000000,?,?,?,00000000,?,00000000), ref: 00A71E66
        • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00A71E70
        Strings
        • download, xrefs: 00A71E31
        • Failed attempt to download URL: '%ls' to: '%ls', xrefs: 00A71F35
        • Failed to clear readonly bit on payload destination path: %ls, xrefs: 00A71EA0
        • apply.cpp, xrefs: 00A71E95
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: AttributesErrorFileLast
        • String ID: Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
        • API String ID: 1799206407-2688335605
        • Opcode ID: a5a19f7bd34773b2593d95a04632ac2e096fc059cd61fd5eb9a669f2325aeec0
        • Instruction ID: a2c4a7fe92cb22901f1b4ee6348d46619355b780f4a137e1045ad41c6ea5e2f9
        • Opcode Fuzzy Hash: a5a19f7bd34773b2593d95a04632ac2e096fc059cd61fd5eb9a669f2325aeec0
        • Instruction Fuzzy Hash: 3B519072A0021AAFDB219FA8CD41FBAB7F5FF04720F14C45AE509AA191E375DA40DB91
        APIs
        Strings
        • Failed to enum related products., xrefs: 00A57FB9
        • Failed to get version for product in machine context: %ls, xrefs: 00A57FCC
        • VersionString, xrefs: 00A57F0E, 00A57F47
        • Failed to get version for product in user unmanaged context: %ls, xrefs: 00A57F39
        • Failed to convert version: %ls to DWORD64 for ProductCode: %ls, xrefs: 00A57FE3
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memset
        • String ID: Failed to convert version: %ls to DWORD64 for ProductCode: %ls$Failed to enum related products.$Failed to get version for product in machine context: %ls$Failed to get version for product in user unmanaged context: %ls$VersionString
        • API String ID: 2102423945-1979147598
        • Opcode ID: 96e65fbb7971486274f7fe049885b9c42b04272189aa2994d6a0366eff64ecb9
        • Instruction ID: 0117c63c9612121d62d1e521b6a5c22cb4f4daf5354d472da5996fdf508130df
        • Opcode Fuzzy Hash: 96e65fbb7971486274f7fe049885b9c42b04272189aa2994d6a0366eff64ecb9
        • Instruction Fuzzy Hash: AE415872D04218AFDB20EFE89D81CEDF7B9BB08341B21852AF909BB115E6345E4DCB51
        APIs
        • _memset.LIBCMT ref: 00A71278
          • Part of subcall function 00A81A74: GetModuleFileNameW.KERNEL32(00A52136,?,00000104,?,00000104,?,00000000,?,?,00A52136,?,00000000,?,?,?,76EEC3F0), ref: 00A81A95
        • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?), ref: 00A712F3
          • Part of subcall function 00A81D72: CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?,00000000,00000003,?,?,00000003,00000001,00000000), ref: 00A81DB6
        Strings
        • Failed to extract payload: %ls from container: %ls, xrefs: 00A7138E
        • Failed to extract all payloads from container: %ls, xrefs: 00A7133E
        • Failed to open container: %ls., xrefs: 00A712D1
        • Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 00A7139A
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CompareString$FileModuleName_memset
        • String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
        • API String ID: 3323778125-3891707333
        • Opcode ID: c65ea66015a6b1c0f84b71f5a7663ee5c4e258a967862d28b19f51114872ca74
        • Instruction ID: 0c5c4a993c6b00c09d3ae409a0645d1888ad0c3c7d8f8c443aad74b70542a097
        • Opcode Fuzzy Hash: c65ea66015a6b1c0f84b71f5a7663ee5c4e258a967862d28b19f51114872ca74
        • Instruction Fuzzy Hash: 37415F72D00628FBCF21EB98CE45CDEB7F9AF44710B20C661F92DAB151E2319B519B91
        APIs
        • CreateDirectoryW.KERNEL32(00A52142,00000000,?,?,?,?,00A51E8E,00A52222), ref: 00A81F16
        • GetLastError.KERNEL32(?,?,?,?,00A51E8E,00A52222), ref: 00A81F24
        • GetTempPathW.KERNEL32(00000104,00000000,00000000,00000104,00000000,00000000,00A51E22,?,?,?,00A5B78A,00000000,.ba%d,000F423F,00A51E8E,00A52222), ref: 00A81F5A
        • GetLastError.KERNEL32(?,?,?,00A5B78A,00000000,.ba%d,000F423F,00A51E8E,00A52222,00000000,00A51D56,?,?,00A5D91E,A8AB1868,00A51E22), ref: 00A81F68
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$CreateDirectoryPathTemp
        • String ID: %s%s$pathutil.cpp
        • API String ID: 2804724334-3961969462
        • Opcode ID: 295aebc928463db80a16f11cef0ecc2870e6c28dfea0c40e91644f1434da0cc1
        • Instruction ID: 07ed3bb78c62880fc726b58ac833f6d9b9a6d14cc359f581dfa3e8003f603985
        • Opcode Fuzzy Hash: 295aebc928463db80a16f11cef0ecc2870e6c28dfea0c40e91644f1434da0cc1
        • Instruction Fuzzy Hash: 4531B572D00125BBDB20BBA4CD85ADEBAECAF10360F150666FA01F7150D3398D439791
        APIs
        • EnterCriticalSection.KERNEL32(00AA5D9C,00000001,00000000,00000001,?,?,00A62083,00000001,?,00000000,?,00000000,00000000,0000000D,00000000,Setup), ref: 00A7F8BD
        • CreateFileW.KERNEL32(40000000,00000001,00000000,?,00000080,00000000,?,00000000,?,?,00000000,00AA5D94,?,?,00A62083,00000001), ref: 00A7F95E
        • GetLastError.KERNEL32(?,?,00A62083,00000001,?,00000000,?,00000000,00000000,0000000D,00000000,Setup,00000000,log,0000000D,00000000), ref: 00A7F96E
        • SetFilePointer.KERNEL32(00000000,00000000,00000002,?,?,00A62083,00000001,?,00000000,?,00000000,00000000,0000000D,00000000,Setup,00000000), ref: 00A7F9A9
          • Part of subcall function 00A82086: _memset.LIBCMT ref: 00A820D5
          • Part of subcall function 00A82086: GetLocalTime.KERNEL32(?,?,?,?,00000000,?), ref: 00A821C7
        • LeaveCriticalSection.KERNEL32(00AA5D9C,?,00000000,00AA5D94,?,?,00A62083,00000001,?,00000000,?,00000000,00000000,0000000D,00000000,Setup), ref: 00A7F9FE
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime_memset
        • String ID: logutil.cpp
        • API String ID: 654766419-3545173039
        • Opcode ID: 2ffc8494bdaf79b4429044752ac07c413764ad19f2ff92b738750ca54baacd5e
        • Instruction ID: a2fa764aeaae768fbb58d0ae15d6b5c8d5e7089254da80e5e055d810f80b7186
        • Opcode Fuzzy Hash: 2ffc8494bdaf79b4429044752ac07c413764ad19f2ff92b738750ca54baacd5e
        • Instruction Fuzzy Hash: 3831A031501125FFCB21EB60DD49E9E7E66FB45B60F20C532F109964A1DB328E42D790
        APIs
        • lstrlenW.KERNEL32(?,0000000E,?,00000000,00000002,?,00A67024,0000000E,?,?,?,?), ref: 00A66E0E
        • lstrlenW.KERNEL32(?,?,00A67024,0000000E,?,?,?,?), ref: 00A66E15
        • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00A67024,0000000E,?,?,?,?), ref: 00A66E5C
        • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00A67024,0000000E,?,?,?,?), ref: 00A66EB5
        • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00A67024,0000000E,?,?,?,?), ref: 00A66EE6
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CompareString$lstrlen
        • String ID: W
        • API String ID: 1657112622-655174618
        • Opcode ID: e7e84bb9f6b2befcc06fa404e79b4de1b4f4721f783ee79c3def0724da15e34b
        • Instruction ID: f63ec37fdd15e735ce0eaa307dd3601d4ea282ea346212d3c93d4629f497ec09
        • Opcode Fuzzy Hash: e7e84bb9f6b2befcc06fa404e79b4de1b4f4721f783ee79c3def0724da15e34b
        • Instruction Fuzzy Hash: 29319E7A500249BBCF218F89CC89EAF3B79EB89750F248816F915DB150C376DD90CB61
        APIs
        • CloseHandle.KERNEL32(00000000,8900011A,00A517A1,00000001,?,00A517A1,00000001,000000FF,00A517A1,00A517A5,00000000,00A513C5,00000001,00000000,?,00A5BD3C), ref: 00A5FADA
        Strings
        • elevation.cpp, xrefs: 00A5F9FE
        • Failed to connect to elevated child process., xrefs: 00A5FAB8
        • Failed to create pipe and cache pipe., xrefs: 00A5FA50
        • UX aborted elevation requirement., xrefs: 00A5FA08
        • Failed to create pipe name and client token., xrefs: 00A5FA34
        • Failed to elevate., xrefs: 00A5FAC3
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseHandle
        • String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
        • API String ID: 2962429428-3003415917
        • Opcode ID: f9acc885c84091c2c7c9123c5f7dbfc43f0549e619c074e813a30f3b74d6add8
        • Instruction ID: 39da8ecbfdb06ddcfb63d2b29aca206b5f28b15a7afbe932a52da83eb7013689
        • Opcode Fuzzy Hash: f9acc885c84091c2c7c9123c5f7dbfc43f0549e619c074e813a30f3b74d6add8
        • Instruction Fuzzy Hash: 0931F772241705BEEF11D664CD41FAB32ADBB80392F214439FE1EE7281EA7199494325
        APIs
        • CheckTokenMembership.ADVAPI32(?,?,?,?,?,?,00A7FE02,?,?,76EEC3F0,?,00000000), ref: 00A7FCFE
        • GetLastError.KERNEL32(?,?,?,00A7FE02,?,?,76EEC3F0,?,00000000), ref: 00A7FD0C
        • AllocateAndInitializeSid.ADVAPI32(00A7FDF6,EC83EC8B,FFFFFEB6,5FFC4D8B,5BCD335E,FF809BE8,04C2C9FF,EC8B5500,FC5D89F6,FFF45D89,?,?,?), ref: 00A7FD5F
        • GetLastError.KERNEL32(?,?,?,00A7FE02,?,?,76EEC3F0,?,00000000), ref: 00A7FD69
        • FreeSid.ADVAPI32(?,?,?,?,00A7FE02,?,?,76EEC3F0,?,00000000), ref: 00A7FD9F
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$AllocateCheckFreeInitializeMembershipToken
        • String ID: aclutil.cpp
        • API String ID: 1125035699-2159165307
        • Opcode ID: 1b15d82aedebe77b40a09c2d904ada5020986741c310cafdcfd576f13f513a0f
        • Instruction ID: c3b8a1e784b6a638f940aed15404808e6fb6fc2327b7bb161eb95c8d3f8f05e6
        • Opcode Fuzzy Hash: 1b15d82aedebe77b40a09c2d904ada5020986741c310cafdcfd576f13f513a0f
        • Instruction Fuzzy Hash: 6721A232510114FFDB229B94CD48DAABAB9EF48360F25C5B5E509EB062E3358F109B90
        APIs
        Strings
        • cabextract.cpp, xrefs: 00A75A02
        • Failed to write during cabinet extraction., xrefs: 00A75A0C
        • Unexpected call to CabWrite()., xrefs: 00A75995
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFileLastWrite_memcpy_s
        • String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
        • API String ID: 1970631241-3111339858
        • Opcode ID: 25bd56220cea12406650fb38d5045b2857293b9d6deae69184ca3d3b241b90b6
        • Instruction ID: 77b47be2ca9e876160bca46cdb4bf7716fa43a1a6e7267f89b86eb798b740fbe
        • Opcode Fuzzy Hash: 25bd56220cea12406650fb38d5045b2857293b9d6deae69184ca3d3b241b90b6
        • Instruction Fuzzy Hash: 5821C232A10A05EFDB10CB68DD44E7A77F9FB88764B10852DFA09D7290D6B5E900DB14
        APIs
        • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00A758FA
        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A7590C
        • SetFileTime.KERNEL32(?,?,?,?), ref: 00A7591F
        • CloseHandle.KERNEL32(?), ref: 00A7592E
        Strings
        • cabextract.cpp, xrefs: 00A758CA
        • Invalid operation for this state., xrefs: 00A758D6
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Time$File$CloseDateHandleLocal
        • String ID: Invalid operation for this state.$cabextract.cpp
        • API String ID: 609741386-1751360545
        • Opcode ID: 05a95b66d7bbf6c7ec512c1810edc379866ea8ed66767f99e361122763874bf8
        • Instruction ID: f9ae8a01382f15cabb9d1e5094c8ba5fe33538af5f470186c40a6f1531be200e
        • Opcode Fuzzy Hash: 05a95b66d7bbf6c7ec512c1810edc379866ea8ed66767f99e361122763874bf8
        • Instruction Fuzzy Hash: 6A11B931600A09FFA710DBF8CC499BBB7FCFB04720750862AE615D61A0DBB4E946D721
        APIs
        • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A57435
        • GetFileAttributesW.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,?,00A58B89,?,?,?,?,?), ref: 00A5744A
        • GetLastError.KERNEL32(?,00A58B89,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00A57455
        Strings
        • Failed to format variable string., xrefs: 00A57440
        • Failed to set variable., xrefs: 00A574BB
        • Failed while searching directory search: %ls, for path: %ls, xrefs: 00A57493
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: AttributesErrorFileLastOpen@16
        • String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
        • API String ID: 1811509786-402580132
        • Opcode ID: e5651027c187587b3fc5a99426bf0da9e1a5baf2a0f0a94bcfd0ea80dce2e1e3
        • Instruction ID: 9fdada9b5fb0b3b0bdfe6c1820813f49611b8a3d9761cb81df676963dc4c7e2c
        • Instruction Fuzzy Hash: 99113372904119FEDB11BFA4ED829ADBE79FB10312F208639FD11B3050E3754E889B91
        APIs
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLastPathTemp_memset
        • String ID: Failed to get temp path.$Failed to set variant value.$variable.cpp
        • API String ID: 623060366-2915113195
        • Opcode ID: 2bcf77dbc7342a9aed744f8f0bf5ffeec39d77bedeb5f4e808f226c6ccb5df03
        • Instruction ID: 9255af63a8c6354a2b46e51d778f80dab12f522778828672f0c0e8b0e4627ce4
        • Instruction Fuzzy Hash: 03019672A41729BAE720EBA49D06BAF73A87B04711F108265FD08EB281EA74DE0547D5
        APIs
        • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,00000000,?,?,00A5911F,00000000), ref: 00A7FEEE
        • GetProcAddress.KERNEL32(00000000), ref: 00A7FEF5
        • GetLastError.KERNEL32(?,?,00A5911F,00000000), ref: 00A7FF0C
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: AddressErrorHandleLastModuleProc
        • String ID: IsWow64Process$kernel32$procutil.cpp
        • API String ID: 4275029093-1586155540
        • Opcode ID: 9c3456bd15bf2143b79d3dab17bf57e9f276b985fd3a91b6a09b05b7fda47ba9
        • Instruction ID: 152f0bfbe3b942e15a698be8bf471109cb630b396e842eb4d3f30e332be1f10d
        • Instruction Fuzzy Hash: 84F06232A51216BFD7209BD9DC09E6A7A68EF16B60B008135FD09E7190EA74EF0187A5
        APIs
        • EnterCriticalSection.KERNEL32(?), ref: 00A622C4
        • LeaveCriticalSection.KERNEL32(?,?), ref: 00A6240B
          • Part of subcall function 00A5B6F2: _memset.LIBCMT ref: 00A5B717
        Strings
        • update\%ls, xrefs: 00A6231F
        • Failed to set update bundle., xrefs: 00A623DC
        • Failed to recreate command-line for update bundle., xrefs: 00A62384
        • Failed to default local update source, xrefs: 00A62333
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalSection$EnterLeave_memset
        • String ID: Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
        • API String ID: 3751686142-1266646976
        • Opcode ID: 5fb414e1ee1a7bc033b7ef76b0d5e19d55bcbf1049641853ebfd229410ea4f62
        • Instruction ID: e58b74ce1b92688b9c3e5d9c23ba8ba32acef704478c046901c323d36f236b99
        • Instruction Fuzzy Hash: 6241BB31640A04EFCF22DF84CD89EAE7BB6FB48710F20856AF5496B261D7759D90DB10
        APIs
        • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000), ref: 00A80909
        • GetLastError.KERNEL32(?,?,?,00A7F6D3,?,?,00000000,00000000,?,75C0B390,?,?,?,00A7FA98,?,?), ref: 00A8090F
          • Part of subcall function 00A82382: GetProcessHeap.KERNEL32(00000000,?,?,00A808DD,?,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000,00000000), ref: 00A8238A
          • Part of subcall function 00A82382: HeapSize.KERNEL32(00000000,?,00A808DD,?,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000,00000000,?), ref: 00A82391
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
        • String ID: W$strutil.cpp
        • API String ID: 3662877508-3697633219
        • Opcode ID: aacbba5532ec94e4a89260086b54cf121f7c1a6e5587cf379d04f3957bc71d76
        • Instruction ID: 5a7dfd1d4d4bd3b169ae39a4672bffe4e857a1307e61ff5576d1fc02d4c6aa7d
        • Instruction Fuzzy Hash: A74161B160020AEFEB50EFA4CD41E6E77A8EF04320F204629F955EB292E775DE449B50
        APIs
        • __getptd.LIBCMT ref: 00A7C5BD
          • Part of subcall function 00A79852: __getptd_noexit.LIBCMT ref: 00A79855
          • Part of subcall function 00A79852: __amsg_exit.LIBCMT ref: 00A79862
        • __amsg_exit.LIBCMT ref: 00A7C5DD
        • __lock.LIBCMT ref: 00A7C5ED
        • InterlockedDecrement.KERNEL32(?), ref: 00A7C60A
        • _free.LIBCMT ref: 00A7C61D
        • InterlockedIncrement.KERNEL32(00C32D08), ref: 00A7C635
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
        • String ID:
        • API String ID: 3470314060-0
        • Opcode ID: a0288ad527864ba13ff3eb6431d4d1eb20ebcf609af7d19c7a130ec17834da3b
        • Instruction ID: 92464d487abe4a401786898bec358f62ad8ee2e3e606351b81eca1f7278bb078
        • Instruction Fuzzy Hash: 2601C431981611ABD721ABA4AC4574DB360BF49731F05C11DF80CE72C0CB746E42CBD5
        APIs
        • CompareStringW.KERNEL32(00000000,00000000,?,000000FF,00000008,000000FF,00000000,00000000,00000000), ref: 00A6D688
        Strings
        • Failed to plan action for target product., xrefs: 00A6D6D5
        • Failed to copy target product code., xrefs: 00A6D74C
        • Failed grow array of ordered patches., xrefs: 00A6D7E4
        • Failed to insert execute action., xrefs: 00A6D7A3
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CompareString
        • String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.
        • API String ID: 1825529933-3432308488
        • Opcode ID: c2bf84eb7a448c24ff0ddc94a7561638759810a8ab393e3b4d5bd8051fe2a189
        • Instruction ID: f56255d853e8de76ddbe0bffc4123f44d17c452b45c0763daf022273819a0798
        • Instruction Fuzzy Hash: 6F8137B9A00205EFCB04DF58CA85DA9B7F5FF58360B2185AAE8099B361D730EE51DF40
        APIs
        • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,?,?,?,?,?,?,00000001,00000000), ref: 00A73D22
        • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF), ref: 00A73DA7
        Strings
        • detect.cpp, xrefs: 00A73E02
        • Failed to initialize update bundle., xrefs: 00A73E3E
        • BA aborted detect forward compatible bundle., xrefs: 00A73E0C
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CompareString
        • String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$detect.cpp
        • API String ID: 1825529933-918857910
        • Opcode ID: e72c5dff66e9b6a123386188972527e257f29cee23948fdfc9568eb5801075e4
        • Instruction ID: d4c5f025a349592a11af05b59edce6e6f332101b54c73115d437a92b608af02b
        • Instruction Fuzzy Hash: 9051AF32600715FFDF259F54CD81EAABBB6FF04710F11CA19F929961A1C371AA60EB50
        APIs
        • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,?,000000FF,00A572B0,PackageVersion,?,?,00000001,00000001,00A572B0,00000001,00020006,00000001), ref: 00A56142
        • RegCloseKey.ADVAPI32(00A572B0,00A572B0,PackageVersion,?,?,00000001,00000001,00A572B0,00000001,00020006,00000001,00000000), ref: 00A56158
        Strings
        • PackageVersion, xrefs: 00A56124
        • Failed to format key for update registration., xrefs: 00A560F9
        • Failed to remove update registration key: %ls, xrefs: 00A56186
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseCompareString
        • String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
        • API String ID: 446873843-3222553582
        • Opcode ID: 674016215a5d0ccee3d0d09756e97ea986a03a8e717abd4353b2e84b577851fe
        • Instruction ID: 143bd3cd5a68c8e30736e7f91c81a42eb12356b070a6d08c31fc50c01f9efb62
        • Instruction Fuzzy Hash: 0A21B171D00608BFCF11ABE9CD42DAEBBB9BF44711F604766F920A3192D7B25A44DB00
        APIs
          • Part of subcall function 00A81FE9: SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00A6745F,-0000001C,00000000,00000000,?,?,00A68DEB), ref: 00A8200A
        • RemoveDirectoryW.KERNEL32(00000001,00000001,00000001,00000001,00000001,00A572BD,?,00000001,-0000001B,00A572BD,00000001,00000000,?,00A572BD,00000001,00000001), ref: 00A56078
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: DirectoryFolderPathRemove
        • String ID: Failed to allocate regid folder path.$Failed to find local %hs appdata directory.$per-machine$per-user
        • API String ID: 293476170-2037127396
        • Opcode ID: bc73b16bc119c173bdab5250c5921b25eb7006d7e1e03d20ddf80e738a52ba63
        • Instruction ID: ef7d24aa7acd55e35e23c5f827d28597fae4822d0124d1d2c30cda26849b8a06
        • Instruction Fuzzy Hash: DC2159B1D00229FBCF12BFA4CD8189DBBB9FF04745B508166F805A7252D7719E589B80
        APIs
        • CertGetCertificateContextProperty.CRYPT32(?,00A681B7,00000000,00000003), ref: 00A87609
        • GetLastError.KERNEL32(?,00A681B7,?,00000003,00AAC56B,?), ref: 00A8760F
        • CertGetCertificateContextProperty.CRYPT32(?,00A681B7,00000000,00000003), ref: 00A87672
        • GetLastError.KERNEL32(?,00A681B7,?,00000003,00AAC56B,?), ref: 00A87678
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CertCertificateContextErrorLastProperty
        • String ID: certutil.cpp
        • API String ID: 980632616-2692845373
        • Opcode ID: 050b0721e8a1941f6e1d33d98b5f529447c9d52b64a52547c0236ad623be5fba
        • Instruction ID: 53a2ab376e4f8e48b537f21d0a707aeeb052b9396e289e80d7c8948fccb8dcd2
        • Instruction Fuzzy Hash: 1B21F57130460BBBEB10AF9DCD85F7E3AA9AF45754F200035B904EA160F6B5CD015761
        APIs
        • QueryServiceConfigW.ADVAPI32(?,00000000,00000000,?,00000001,00000000,?,?,?,?,00A6E98A,?,?), ref: 00A876EB
        • GetLastError.KERNEL32(?,?,?,00A6E98A,?,?), ref: 00A876FB
          • Part of subcall function 00A8233B: GetProcessHeap.KERNEL32(?,?,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000), ref: 00A8234C
          • Part of subcall function 00A8233B: RtlAllocateHeap.NTDLL(00000000,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000,00000000), ref: 00A82353
        • QueryServiceConfigW.ADVAPI32(?,00000000,?,?,?,00000001,?,?,?,00A6E98A,?,?), ref: 00A87734
        • GetLastError.KERNEL32(?,?,?,00A6E98A,?,?), ref: 00A8773A
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ConfigErrorHeapLastQueryService$AllocateProcess
        • String ID: svcutil.cpp
        • API String ID: 355237494-1746323212
        • Opcode ID: d67afd16c8d3762694ed68a03a986205e1633ce67ee9f343f0aaf7c355fa4ea5
        • Instruction ID: d67a00e8058b7fe91c4aea7a82a2b72e715b8202b3c267ada792c581ec8ada7a
        • Instruction Fuzzy Hash: D7214271A0430AFFEB11AF99CD81FBE7AA8AB14754F204175B900EA251E6B5DE40DB60
        APIs
        Strings
        • Failed to read package id from message buffer., xrefs: 00A5F3AC
        • Failed to execute package provider action., xrefs: 00A5F423
        • Failed to find package: %ls, xrefs: 00A5F404
        • Failed to read action., xrefs: 00A5F3CC
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memset
        • String ID: Failed to execute package provider action.$Failed to find package: %ls$Failed to read action.$Failed to read package id from message buffer.
        • API String ID: 2102423945-384206569
        • Opcode ID: 6bd825393e2232a226d9244844aad5902f4cdfda33a8091dc717fbbef259bfa7
        • Instruction ID: 5df3b58c134147c086388068716047015a2b1430b86506a933aa847a8526145c
        • Instruction Fuzzy Hash: 53215772D50228BFDF02EAA4EE41EEE7AB8AF14325F104161FD00A6191D7749F1997A0
        APIs
        • HttpQueryInfoW.WININET(?,?,00000001,00000000,?), ref: 00A8791A
        • GetLastError.KERNEL32(?,00A76CA8,00000000,00000033,?,00000000,00000013,00000000,?,?,?,00A76E24,00000000,?,00000000,?), ref: 00A87920
        • HttpQueryInfoW.WININET(?,?,00000001,00000000,?), ref: 00A87953
        • GetLastError.KERNEL32(?,00A76CA8,00000000,00000033,?,00000000,00000013,00000000,?,?,?,00A76E24,00000000,?,00000000,?), ref: 00A87959
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorHttpInfoLastQuery
        • String ID: inetutil.cpp
        • API String ID: 4218848986-2900720265
        • Opcode ID: 8bea1424839a1fbf33ccfbaa6a893f87abf622ba4af33513d8488c618c0ee876
        • Instruction ID: b71da3f2ad572ed0175011ab2c6cb0fa05d02e0b9d6415bd5c23a6563622ee44
        • Instruction Fuzzy Hash: 1F21C37260410ABFDB41AFD4CD80EAEB7BDEF54344F200565F500E6120E771DE549B60
        APIs
        • GetCurrentDirectoryW.KERNEL32(?,00000000,00000001,00000009,00000000,?,?,?,00A61F8D,00000001,00000000,Setup,00000000,log,0000000D,00000000), ref: 00A86B5D
        • GetLastError.KERNEL32(?,?,?,00A61F8D,00000001,00000000,Setup,00000000,log,0000000D,00000000,00000000,?,?,?), ref: 00A86B65
        • GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,?,00A61F8D,00000001,00000000,Setup,00000000,log,0000000D,00000000,00000000), ref: 00A86BA7
        • GetLastError.KERNEL32(?,?,?,00A61F8D,00000001,00000000,Setup,00000000,log,0000000D,00000000,00000000,?,?,?), ref: 00A86BAD
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CurrentDirectoryErrorLast
        • String ID: dirutil.cpp
        • API String ID: 152501406-2193988115
        • Opcode ID: d3b2e7741cf252e28116bc381003069c53f562ab8ef4d5c651aa7eebf1df870c
        • Instruction ID: f1f5401f12d9c894b5976dcb8e6d5a2e39ee96913b947cf867315f5d3a09bd00
        • Instruction Fuzzy Hash: 0D218471A80216FBEB11FFA4CD4AAAEBAB8EF15744F20446AE500E7110E775DE009B90
        APIs
          • Part of subcall function 00A8233B: GetProcessHeap.KERNEL32(?,?,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000), ref: 00A8234C
          • Part of subcall function 00A8233B: RtlAllocateHeap.NTDLL(00000000,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000,00000000), ref: 00A82353
        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A748F2
        • ReleaseMutex.KERNEL32(?), ref: 00A74921
        • SetEvent.KERNEL32(?), ref: 00A7492A
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
        • String ID: Failed to allocate buffer.$NetFxChainer.cpp
        • API String ID: 944053411-3611226795
        • Opcode ID: 35073835dc5e36170a967344930c8f6a58beb6408c4f8d44e52c362cb5be06c1
        • Instruction ID: 8f17ef7391da34adfde74ff18f7829f70b9bfbb8bb17bd320384636c51aa26d3
        • Instruction Fuzzy Hash: ED21EF71900204EFDB10DF64C889B9EBBB1FB49324F10C1A9E915AB251C7769A42CBA1
        APIs
          • Part of subcall function 00A76D0B: InternetCloseHandle.WININET(00000000), ref: 00A76D30
          • Part of subcall function 00A76D0B: InternetCloseHandle.WININET(00000000), ref: 00A76D3E
          • Part of subcall function 00A76D0B: InternetConnectW.WININET(?,00000000,?,00000000,?,?,00000000,00000000), ref: 00A76D9D
          • Part of subcall function 00A76D0B: lstrlenW.KERNEL32(00000000), ref: 00A76DC8
          • Part of subcall function 00A76D0B: InternetSetOptionW.WININET(00000000,0000002B,00000000,00000000), ref: 00A76DD5
          • Part of subcall function 00A76D0B: lstrlenW.KERNEL32(00000001), ref: 00A76DDE
          • Part of subcall function 00A76D0B: InternetSetOptionW.WININET(00000000,0000002C,00000001,00000000), ref: 00A76DE7
        • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,00000000,000000FF,?,00000000,HEAD,00000000,00000000,?,00000000,?,?), ref: 00A76F75
        • InternetCloseHandle.WININET(?), ref: 00A76F8B
        • InternetCloseHandle.WININET(00000000), ref: 00A76F95
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Internet$CloseHandle$OptionTimelstrlen$ConnectFileSystem
        • String ID: Failed to connect to URL: %ls$HEAD
        • API String ID: 1677864904-290634988
        • Opcode ID: 4a46a39f8803904baa26cd0e227d27431a262808afb942556338e43803535b82
        • Instruction ID: 4e21c07a43e0d90ca618bd1f1fcf147cd35b35750f9e7280ba3cce9a68ce2856
        • Instruction Fuzzy Hash: 82211671A00219FFCF02EF95DD449DEBFB9FF18750B108066F919A2221D3729A61EB90
        APIs
        • HttpQueryInfoW.WININET(00000000,4000000B,?,00000000,00000000), ref: 00A8784A
        • GetLastError.KERNEL32 ref: 00A87854
        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A8787D
        • GetLastError.KERNEL32 ref: 00A87887
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLastTime$FileHttpInfoQuerySystem
        • String ID: inetutil.cpp
        • API String ID: 3487154604-2900720265
        • Opcode ID: 62016895df44c672fabc0a70acd054f15cf8cd31180f7b8d69bb1ff991bacde3
        • Instruction ID: bde4bb4006c667a433a43ab57146b564e07ca831719e645f5cbbb6ec477d4c65
        • Instruction Fuzzy Hash: F111D632A04116BBE720DBE9DD49BEFBBACEF14750F100035A905EB150E668CD00C7E2
        APIs
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memcpy_s
        • String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
        • API String ID: 2001391462-1605196437
        • Opcode ID: d0d62cd0ba89a8ab2f0ef0c23e89459c14edf35b30b70d489e25c55141804303
        • Instruction ID: 29b2420b76cb0e3f8c878e4df01733e040e9b96f7447ea5faebe8b2c90facedb
        • Opcode Fuzzy Hash: d0d62cd0ba89a8ab2f0ef0c23e89459c14edf35b30b70d489e25c55141804303
        • Instruction Fuzzy Hash: 06114C32380E04FAEB212B6CCD06F6775B5EF94750F14892DF648A61A1D962E80153E6
        APIs
        • _memcpy_s.LIBCMT ref: 00A52EF9
        • _memcpy_s.LIBCMT ref: 00A52F0C
        • _memcpy_s.LIBCMT ref: 00A52F27
          • Part of subcall function 00A78221: _memmove.LIBCMT ref: 00A7825D
          • Part of subcall function 00A78221: _memset.LIBCMT ref: 00A7826F
        Strings
        • pipe.cpp, xrefs: 00A52ED6
        • Failed to allocate memory for message., xrefs: 00A52EE2
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memcpy_s$_memmove_memset
        • String ID: Failed to allocate memory for message.$pipe.cpp
        • API String ID: 3316475362-1914209504
        • Opcode ID: 108c5fcbca7c8a10be90a5c98a17229660e439f1a3ec2859ed63f637b09d9a7e
        • Instruction ID: efb59a6837407cb99836783cae679d13e2bf4f330c54335e10039d7d7cd0fabd
        • Opcode Fuzzy Hash: 108c5fcbca7c8a10be90a5c98a17229660e439f1a3ec2859ed63f637b09d9a7e
        • Instruction Fuzzy Hash: BF11A3B2640219BBDB11AF94DC85DDB37ACFF09711F004526FE14A7201E774AA188BF0
        APIs
        • _MREFOpen@16.MSPDB140-MSVCRT ref: 00A576AD
        Strings
        • File search: %ls, did not find path: %ls, xrefs: 00A57719
        • Failed to set variable., xrefs: 00A57705
        • Failed get file version., xrefs: 00A576E5
        • Failed to format path string., xrefs: 00A576B8
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Open@16
        • String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
        • API String ID: 3613110473-2458530209
        • Opcode ID: 8849f01ae69a8dd54699e9393474d7a26b36a3e8653f916a4766c85f6ce5d304
        • Instruction ID: 968718b5f5bcaf2cf49f274534706a55aebf183931cb057d8c2e64f3c7567c22
        • Opcode Fuzzy Hash: 8849f01ae69a8dd54699e9393474d7a26b36a3e8653f916a4766c85f6ce5d304
        • Instruction Fuzzy Hash: 9D112B37944604FADF03BAA8ED02FAD7676BF98712F214065FD1876060EB719B58A710
        APIs
        • GetComputerNameW.KERNEL32(?,?), ref: 00A592A3
        • GetLastError.KERNEL32 ref: 00A592AD
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ComputerErrorLastName
        • String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
        • API String ID: 3560734967-484636765
        • Opcode ID: 536911cfb592ce4e3946c8b7379f7e78c25a86de065b238d0528b88d69dbdc61
        • Instruction ID: 7ce6085af808f2219cd6b2ce38e90e8e2c5b44bdabec8b79b8a6c64113efa708
        • Opcode Fuzzy Hash: 536911cfb592ce4e3946c8b7379f7e78c25a86de065b238d0528b88d69dbdc61
        • Instruction Fuzzy Hash: 8801E532A0111ABAD710EBA89D02BEF77E8BF09711F004126F904FB180EA74ED0447A5
        APIs
        • GetCurrentProcess.KERNEL32(?), ref: 00A59FE2
          • Part of subcall function 00A7FEDA: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,00000000,?,?,00A5911F,00000000), ref: 00A7FEEE
          • Part of subcall function 00A7FEDA: GetProcAddress.KERNEL32(00000000), ref: 00A7FEF5
          • Part of subcall function 00A7FEDA: GetLastError.KERNEL32(?,?,00A5911F,00000000), ref: 00A7FF0C
          • Part of subcall function 00A86226: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00A86253
        Strings
        • Failed to get shell folder., xrefs: 00A5A015
        • variable.cpp, xrefs: 00A5A00B
        • Failed to get 64-bit folder., xrefs: 00A5A02B
        • Failed to set variant value., xrefs: 00A5A044
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
        • String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
        • API String ID: 2084161155-3906113122
        • Opcode ID: 8ba0da68e68a43e8bcc36b7a30036e40c740554f13bf286939f1e7cc1e25fd66
        • Instruction ID: e7492a1ad384e28efde8be8911db0f0d850ce17abd67d0e6625897a7894dd4ad
        • Opcode Fuzzy Hash: 8ba0da68e68a43e8bcc36b7a30036e40c740554f13bf286939f1e7cc1e25fd66
        • Instruction Fuzzy Hash: DC012632A40118FECF31BBA49E06CDEBBB8FE747A1B108222F80472091F2704F419791
        APIs
          • Part of subcall function 00A85710: _memset.LIBCMT ref: 00A8573B
          • Part of subcall function 00A85710: FindFirstFileW.KERNELBASE(00000000,?,00000000,?,80070002), ref: 00A8574B
          • Part of subcall function 00A85710: FindClose.KERNEL32(00000000), ref: 00A85757
        • SetFileAttributesW.KERNEL32(00000000,00000080,00000000,?,00000000,000000FF,00000000,?,?,00A696F7,?,00000000,E0000136,00000000,?,?), ref: 00A85BF3
        • GetLastError.KERNEL32(?,?,00A696F7,?,00000000,E0000136,00000000,?,?,00000000,?,00000000,?,?,00000000,00000000), ref: 00A85BFD
        • DeleteFileW.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,?,?,00A696F7,?,00000000,E0000136,00000000,?,?,00000000), ref: 00A85C1C
        • GetLastError.KERNEL32(?,?,00A696F7,?,00000000,E0000136,00000000,?,?,00000000,?,00000000,?,?,00000000,00000000), ref: 00A85C26
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: File$ErrorFindLast$AttributesCloseDeleteFirst_memset
        • String ID: fileutil.cpp
        • API String ID: 1255660700-2967768451
        • Opcode ID: f8af14c67e1adb9a02512df0c3e15110165fbea0a5e1fb564754691e0a668397
        • Instruction ID: df986f0e5c0b76aefeb599703a717cfbf4e7607fe0580c05d13a404e4a21a7ab
        • Opcode Fuzzy Hash: f8af14c67e1adb9a02512df0c3e15110165fbea0a5e1fb564754691e0a668397
        • Instruction Fuzzy Hash: 7C01D8B1F10B0ABBE7217BB9CE45FAB7A9DAF20754F040135BE45D50A1F6A5CD004B50
        APIs
        • SysFreeString.OLEAUT32(00000000), ref: 00A66506
        Strings
        • Failed to copy condition string from BSTR, xrefs: 00A664F0
        • Condition, xrefs: 00A664A1
        • Failed to get Condition inner text., xrefs: 00A664D6
        • Failed to select condition node., xrefs: 00A664BD
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: FreeString
        • String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.
        • API String ID: 3341692771-3600577998
        • Opcode ID: 02cd6eedebf6063688710cbfe687ddcc871f8b74124229cb92180e3b9741bd3a
        • Instruction ID: 86a1d58e8a1949d057f3502b3c132b55b0a22e75bc1c55dca7e7a7c18a31f86b
        • Opcode Fuzzy Hash: 02cd6eedebf6063688710cbfe687ddcc871f8b74124229cb92180e3b9741bd3a
        • Instruction Fuzzy Hash: 5D11C432A40228BBDF12AB90DE0AFADB7B8AF14B11F118164FC01B6250DB71DE00DB90
        APIs
        • WaitForSingleObject.KERNEL32(000001F4,?,00A7387B,?,?,00A6A802,?,000001F4,?,?,?,?,?,?,?,?), ref: 00A80044
        • GetLastError.KERNEL32(?,?,00A6A802,?,000001F4,?,?,?,?,?,?,?,?), ref: 00A80052
        • GetExitCodeProcess.KERNEL32(000001F4,?), ref: 00A8008E
        • GetLastError.KERNEL32(?,?,00A6A802,?,000001F4,?,?,?,?,?,?,?,?), ref: 00A80098
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLast$CodeExitObjectProcessSingleWait
        • String ID: procutil.cpp
        • API String ID: 590199018-1178289305
        • Opcode ID: 9c8763dd61d62eb0589c437d240a3139056e3892d78f68678a9ed8270624ac20
        • Instruction ID: 788d132117e55a18465407de8296d357530d1ee2a56b02430b1e53396aba66d1
        • Opcode Fuzzy Hash: 9c8763dd61d62eb0589c437d240a3139056e3892d78f68678a9ed8270624ac20
        • Instruction Fuzzy Hash: 8011C872A41226EFD720AB94CC09FAA7E74EF15771F114225FC05EB2A0D279CE4497D2
        APIs
        • WaitForSingleObject.KERNEL32(?,000000FF,00000002,?,?,00A749F0), ref: 00A747C9
        • ReleaseMutex.KERNEL32(?,?,?,00A749F0), ref: 00A7484E
          • Part of subcall function 00A8233B: GetProcessHeap.KERNEL32(?,?,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000), ref: 00A8234C
          • Part of subcall function 00A8233B: RtlAllocateHeap.NTDLL(00000000,?,00A80989,?,00000001,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000,00000000), ref: 00A82353
        • _memmove.LIBCMT ref: 00A74835
        Strings
        • NetFxChainer.cpp, xrefs: 00A74808
        • Failed to allocate memory for message data, xrefs: 00A74815
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait_memmove
        • String ID: Failed to allocate memory for message data$NetFxChainer.cpp
        • API String ID: 2689949979-1624333943
        • Opcode ID: 7505e5bad62f2fd5aae989166e63c9ccd80ce59c67bc495b7fc18f70ed2a08d1
        • Instruction ID: aa4d3bb77444556e5a06875907a95b456a201010d785bfc2af1f52bb13e0062f
        • Opcode Fuzzy Hash: 7505e5bad62f2fd5aae989166e63c9ccd80ce59c67bc495b7fc18f70ed2a08d1
        • Instruction Fuzzy Hash: A31188B1200304EFDB20DF68DC89E6A7BF1FB59314F208668F90A9B391E735A801CB15
        APIs
        • EnterCriticalSection.KERNEL32(?), ref: 00A779F0
        • LeaveCriticalSection.KERNEL32(?), ref: 00A77A35
        • SetEvent.KERNEL32(?,?,?,?), ref: 00A77A49
        Strings
        • Failure while sending progress during BITS job modification., xrefs: 00A77A24
        • Failed to get state during job modification., xrefs: 00A77A09
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalSection$EnterEventLeave
        • String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
        • API String ID: 3094578987-1258544340
        • Opcode ID: 81f94d0b9fd0f78a43263d96f36318827d1487f3ea693eea1d787c899f540636
        • Instruction ID: d3ff5bde4f7decfac3b459ce2fa65bae2190dc7cf65db3e4e0b3a72da1a8e507
        • Opcode Fuzzy Hash: 81f94d0b9fd0f78a43263d96f36318827d1487f3ea693eea1d787c899f540636
        • Instruction Fuzzy Hash: 65019E76204605AFEB12DF98DC89EAF77F8EB98361B10891EE40E93200DB74EA008711
        APIs
        • EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,00A7777B), ref: 00A77625
        • LeaveCriticalSection.KERNEL32(00000008,?,00A7777B), ref: 00A7766A
        • SetEvent.KERNEL32(?,?,00A7777B), ref: 00A7767E
        Strings
        • Failure while sending progress., xrefs: 00A77659
        • Failed to get BITS job state., xrefs: 00A7763E
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalSection$EnterEventLeave
        • String ID: Failed to get BITS job state.$Failure while sending progress.
        • API String ID: 3094578987-2876445054
        • Opcode ID: 9f747b9a2c583ae902af97f25b1a1c1c20d30350fe096862eb1feb19f78dc63f
        • Instruction ID: c4b1e9e3d65d807ce5eb179a79bc92ecfd731e70bee332a83e01deabb784caea
        • Opcode Fuzzy Hash: 9f747b9a2c583ae902af97f25b1a1c1c20d30350fe096862eb1feb19f78dc63f
        • Instruction Fuzzy Hash: 99017176204B04AFDB12DB98DC49DAE77F8EB94365B10851AE50ED3214EB74E9008755
        APIs
        • EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00A5D9E6,?,00000000,75C0B390,?,00000000), ref: 00A5BB6D
        • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00A5BB7A
        • LeaveCriticalSection.KERNEL32(?,?,00A5D9E6,?,00000000,75C0B390,?,00000000), ref: 00A5BB8F
        Strings
        • userexperience.cpp, xrefs: 00A5BBA8
        • Engine active cannot be changed because it was already in that state., xrefs: 00A5BBB2
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
        • String ID: Engine active cannot be changed because it was already in that state.$userexperience.cpp
        • API String ID: 3376869089-1544469594
        • Opcode ID: 2456773de84b84b6ec01137575dfbe1884e0c1749773f306848718d3bb13ab2e
        • Instruction ID: 0a882c59e951e585431994d40af94b90aa517a0e6de72b026da30a0c198bc8c0
        • Opcode Fuzzy Hash: 2456773de84b84b6ec01137575dfbe1884e0c1749773f306848718d3bb13ab2e
        • Instruction Fuzzy Hash: 53F0F672305314BFE7106FA59C85DA777ACFB14BA7F014126FD01A6144CAB5AC0583B1
        APIs
          • Part of subcall function 00A8378B: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00A61F19,?,00000009,00000000,?,00A61BE1,80000002,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,?,00000001), ref: 00A8379F
        • RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00A513BB,00A513BB,00020019,00000000,00000001), ref: 00A87F49
        • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 00A87F8A
        • RegCloseKey.ADVAPI32(00000001,00000001,00020019,00A513BB,?,00A513BB,00000000,00000000,?,00A513BB,00000001,00000000), ref: 00A87FAB
        • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00A513BB,?,00A513BB,00000000,00000000,?,00A513BB,00000001,00000000), ref: 00A87FBC
        • RegCloseKey.ADVAPI32(00A513BB,?,00A513BB,00000000,00000000,?,00A513BB,00000001,00000000), ref: 00A87FD0
          • Part of subcall function 00A8396D: RegCloseKey.ADVAPI32(00000000), ref: 00A83AD3
          • Part of subcall function 00A83677: RegQueryInfoKeyW.ADVAPI32(00A513BB,00000000,00000000,00000000,?,00000000,00000000,00A513BB,00000000,00000000,00000000,00000000,80070002,00000000,?,00A87F35), ref: 00A83692
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Close$InfoOpenQuery
        • String ID:
        • API String ID: 796878624-0
        • Opcode ID: 601c272b75349749eb5a854479b725e3c9ae75754980f3d9f598d84746ac87e4
        • Instruction ID: 962f3165590e9919a2e971d7d6c4311f9def30117ae103cf5002d4668adf748c
        • Opcode Fuzzy Hash: 601c272b75349749eb5a854479b725e3c9ae75754980f3d9f598d84746ac87e4
        • Instruction Fuzzy Hash: 3A41C5B1805128FFCF12AF91DD8499EFF7AEF04B54F208466F519A6120D3718B91DBA1
        APIs
        • CloseHandle.KERNEL32(?,00000000,?,?,00A51ED4,?,?,?,?,?), ref: 00A51120
        • DeleteCriticalSection.KERNEL32(?,00000000,?,?,00A51ED4,?,?,?,?,?), ref: 00A5113A
        • TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00A5120B
        • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00A51212
        • _memset.LIBCMT ref: 00A5121C
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalDeleteSection$CloseFreeHandle_memset
        • String ID:
        • API String ID: 3611737199-0
        • Opcode ID: 6ddc2c7ba5f44d45cc7a8bd7157bc029e4b800be17fd1868102e9ac0a3c4378c
        • Instruction ID: 429b116aef8c3bde499e7e2ae7f5be7281f9c4eb4bb33e4534f6057154be4cf0
        • Opcode Fuzzy Hash: 6ddc2c7ba5f44d45cc7a8bd7157bc029e4b800be17fd1868102e9ac0a3c4378c
        • Instruction Fuzzy Hash: DD31E8B1600B0267DAA0FBB58989FAF73DCBF05352F440A19BA59D3051DB38E60D8720
        APIs
        • EnterCriticalSection.KERNEL32(-00000001,00000000,00000000,00000000,?,?,00A5AAC0,?,?,00000000,?,00000001,?,00000002,-00000001,00A58B89), ref: 00A5A64B
        • LeaveCriticalSection.KERNEL32(-00000001,00000002,00A58B89,?,00A5AAC0,?,?,00000000,?,00000001,?,00000002,-00000001,00A58B89,00000001), ref: 00A5A6E6
        Strings
        • Failed to format value '%ls' of variable: %ls, xrefs: 00A5A6B0
        • Failed to get variable: %ls, xrefs: 00A5A681
        • Failed to get value as string for variable: %ls, xrefs: 00A5A6D5
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalSection$EnterLeave
        • String ID: Failed to format value '%ls' of variable: %ls$Failed to get value as string for variable: %ls$Failed to get variable: %ls
        • API String ID: 3168844106-1273532094
        • Opcode ID: f2e159c7033256cb335e9067d94dc8f9de01d16e18aaf18ecd4a6cabd31be64f
        • Instruction ID: aea3bf6ed4e63e591c1b157393264040552af18ac9aa6a8b7eb6ea62d4db6956
        • Opcode Fuzzy Hash: f2e159c7033256cb335e9067d94dc8f9de01d16e18aaf18ecd4a6cabd31be64f
        • Instruction Fuzzy Hash: 3F11B431300604FFCF22AF60CC84C9B3BA9FB68312B288625FD1955911D3725A159B52
        APIs
        • _malloc.LIBCMT ref: 00A7DB83
          • Part of subcall function 00A7B4D0: __FF_MSGBANNER.LIBCMT ref: 00A7B4E9
          • Part of subcall function 00A7B4D0: __NMSG_WRITE.LIBCMT ref: 00A7B4F0
          • Part of subcall function 00A7B4D0: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00A7BF87,00000000,00000001,00000000,?,00A7B736,00000018,00AA1FB0,0000000C,00A7B7C6), ref: 00A7B515
        • _free.LIBCMT ref: 00A7DB96
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: AllocHeap_free_malloc
        • String ID:
        • API String ID: 2734353464-0
        • Opcode ID: 6f4c0c171d767dc8d2bd0229bcea4595a4a7e07948b9f992be9a8fd0fdc3e131
        • Instruction ID: 01ea072758b809f05587a02260cacd540dceed434db81fdc370dcb6d2e8f35c2
        • Opcode Fuzzy Hash: 6f4c0c171d767dc8d2bd0229bcea4595a4a7e07948b9f992be9a8fd0fdc3e131
        • Instruction Fuzzy Hash: 5711C132904615ABCF217FB4EE08B9E3BB89FD13B0F21C026F80D9A171DB35894187A5
        APIs
        • __getptd.LIBCMT ref: 00A7C321
          • Part of subcall function 00A79852: __getptd_noexit.LIBCMT ref: 00A79855
          • Part of subcall function 00A79852: __amsg_exit.LIBCMT ref: 00A79862
        • __getptd.LIBCMT ref: 00A7C338
        • __amsg_exit.LIBCMT ref: 00A7C346
        • __lock.LIBCMT ref: 00A7C356
        • __updatetlocinfoEx_nolock.LIBCMT ref: 00A7C36A
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
        • String ID:
        • API String ID: 938513278-0
        • Opcode ID: c08cbf691f2cc233c8caf631ba53465a1fe07d1fa0354e81867c6d46bf07538f
        • Instruction ID: fd8bbf6c1555ed4f8e88c0724b3854181d1f18e297fcf58f85d7254214949ba7
        • Opcode Fuzzy Hash: c08cbf691f2cc233c8caf631ba53465a1fe07d1fa0354e81867c6d46bf07538f
        • Instruction Fuzzy Hash: E2F096329402009AE724BB786D07B5A76A06F45730F15C12DF45C9F1D3CF6449019A96
        APIs
        • _memset.LIBCMT ref: 00A87AB4
        • InternetCrackUrlW.WININET(?,00000000,90000000,?), ref: 00A87B63
        • GetLastError.KERNEL32 ref: 00A87B6D
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CrackErrorInternetLast_memset
        • String ID: uriutil.cpp
        • API String ID: 2372571340-476456875
        • Opcode ID: 59a97a43242d68d40c1f27507a3b70bd1cb1eccbbeef6c930df4fc5b36de196f
        • Instruction ID: 0974d8e0ccb8a9d976663ec4c6bd08c5357426e04a0024f63c763840dbf40245
        • Opcode Fuzzy Hash: 59a97a43242d68d40c1f27507a3b70bd1cb1eccbbeef6c930df4fc5b36de196f
        • Instruction Fuzzy Hash: 8D61F271D05238DBCB22EF65CD88ADDBBB5BB08704F5084EAE509A7211D7309ED98F91
        APIs
        • _memset.LIBCMT ref: 00A86295
        • ShellExecuteExW.SHELL32(?), ref: 00A862D3
        • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00A86364
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseExecuteHandleShell_memset
        • String ID: <
        • API String ID: 1378689676-4251816714
        • Opcode ID: 017d1586379f4151c66918c64966277f0542a865006d0acb1211f71f949aed9f
        • Instruction ID: 38414d89beea74a1000fc6f214a97c488abe0154c847f6d95da113b4f7d884d9
        • Opcode Fuzzy Hash: 017d1586379f4151c66918c64966277f0542a865006d0acb1211f71f949aed9f
        • Instruction Fuzzy Hash: E7317E75D1451AEBEB10EFA8D988BADB6B5FB04360F288016E816EF240D638CD41DB95
        APIs
        Strings
        • Failed to expect end symbol., xrefs: 00A6735B
        • Failed to parse expression., xrefs: 00A67344
        • Failed to read next symbol., xrefs: 00A6732A
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memset
        • String ID: Failed to expect end symbol.$Failed to parse expression.$Failed to read next symbol.
        • API String ID: 2102423945-1316734955
        • Opcode ID: e32fa62607c2d7f572a8e1fbf01e3833f8a550087c48587da77e05f1e55e1f7c
        • Instruction ID: b7fa1993a4a183d734afe9857c7800563d0fae74b917955f95b88d90af830d0d
        • Opcode Fuzzy Hash: e32fa62607c2d7f572a8e1fbf01e3833f8a550087c48587da77e05f1e55e1f7c
        • Instruction Fuzzy Hash: 9F117F72A15228BADB11FFA49E82D9EB7BCAF04758F104526F905BB240E6705F0197E0
        APIs
        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00A7F2EC,?,?,?,00000000,0000FDE9), ref: 00A7F10C
        • WriteFile.KERNEL32(00000000,00000000,0000FDE9,00000000,?,?,00A7F2EC,?,?,?,00000000,0000FDE9), ref: 00A7F14E
        • GetLastError.KERNEL32(?,?,00A7F2EC,?,?,?,00000000,0000FDE9), ref: 00A7F158
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFileLastWritelstrlen
        • String ID: logutil.cpp
        • API String ID: 606256338-3545173039
        • Opcode ID: 616d687b1432754a987cd93647b509f5171c04c2647bdf31d50ab99ee8f10096
        • Instruction ID: 6d6665d38f68cfe289c2d85d056e76ea130eacfe2ec467cc94b8999c8ebe95be
        • Opcode Fuzzy Hash: 616d687b1432754a987cd93647b509f5171c04c2647bdf31d50ab99ee8f10096
        • Instruction Fuzzy Hash: 5011C271700306FED7209F99CD84A9B7AACEB1A7A4F408239BA09D7090D7B0DE01C7A0
        APIs
        • FormatMessageW.KERNEL32(000011FF,00000000,00000000,00000000,00000000,00000000,?,00000001,00000000,?,?,?,00A65F95,00000000,00000000,00000000), ref: 00A8154E
        • GetLastError.KERNEL32(?,?,?,00A65F95,00000000,00000000,00000000,00000000,?,?,00A62015,?,?,80070656,00000001,?), ref: 00A8155B
        • LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,00A65F95,00000000,00000000,00000000,00000000,?,?,00A62015,?), ref: 00A815A2
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFormatFreeLastLocalMessage
        • String ID: strutil.cpp
        • API String ID: 1365068426-3612885251
        • Opcode ID: e53de1b2c829c3df18174345b1f6096e1a39cb95d4055e97fb2b8fba222faf17
        • Instruction ID: 8b7fbe31fcbaec738fa648f37dff64b050b839fd27d8a986e36341bccc74d935
        • Opcode Fuzzy Hash: e53de1b2c829c3df18174345b1f6096e1a39cb95d4055e97fb2b8fba222faf17
        • Instruction Fuzzy Hash: 94116D76900104FFDB15AF98DD098EEBB7DEB95750F20056AF902E6160E2758E02DBA1
        APIs
        • CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,?,00000000,?,00A70751,00000000,?,?,BundleCachePath,00000000), ref: 00A85E52
        • GetLastError.KERNEL32(?,00A70751,00000000,?,?,BundleCachePath,00000000,?,BundleVersion,?,?,EngineVersion,?,00000000), ref: 00A85E5F
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CreateErrorFileLast
        • String ID: fileutil.cpp
        • API String ID: 1214770103-2967768451
        • Opcode ID: 25bc979fee48b9f982b47dba9e0a3bfcf49d3c33c6992b22ac9511937df5a538
        • Instruction ID: d729dc5b2334d36d9ec4ec19ee790b6a6bed8079e8b76d5d56f537f82ff2c98d
        • Opcode Fuzzy Hash: 25bc979fee48b9f982b47dba9e0a3bfcf49d3c33c6992b22ac9511937df5a538
        • Instruction Fuzzy Hash: 2B01D632A406117BE73136B8DC09F7A7558AB21BB0F504226FE04FB1E0D6A9CE0053D0
        APIs
        • PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 00A62906
        • GetLastError.KERNEL32 ref: 00A62910
        Strings
        • EngineForApplication.cpp, xrefs: 00A62935
        • Failed to post elevate message., xrefs: 00A6293F
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLastMessagePostThread
        • String ID: EngineForApplication.cpp$Failed to post elevate message.
        • API String ID: 2609174426-4098423239
        • Opcode ID: 56a4d333ecbb5959353933950d7a98b9292721eb8138f119b026e691983ebda1
        • Instruction ID: 0b645da19d69a7a4edd7abfb57896438ec05478fe896366b0ee3a11a812851e6
        • Opcode Fuzzy Hash: 56a4d333ecbb5959353933950d7a98b9292721eb8138f119b026e691983ebda1
        • Instruction Fuzzy Hash: BBF0F633751721AFE7315A98DC0AF5677A4AF44B70F118135FA18EE1E1D665CC0147C5
        APIs
        • GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 00A5BB23
        • FreeLibrary.KERNEL32(?,?,00A518A2,?,?,?,?,00A51E12,?), ref: 00A5BB32
        • GetLastError.KERNEL32(?,00A518A2,?,?,?,?,00A51E12,?), ref: 00A5BB3C
        Strings
        • BootstrapperApplicationDestroy, xrefs: 00A5BB1D
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: AddressErrorFreeLastLibraryProc
        • String ID: BootstrapperApplicationDestroy
        • API String ID: 1144718084-3186005537
        • Opcode ID: 125949d5d288bc938efd76ea09933878463a974a982bc37149143222053ed278
        • Instruction ID: 439ff1f59124251dd9b8353351220684954e2479ca17f91b135a7b5187d8073b
        • Opcode Fuzzy Hash: 125949d5d288bc938efd76ea09933878463a974a982bc37149143222053ed278
        • Instruction Fuzzy Hash: ABF03C327103055BD7208FA6D808A22B7E8BF907A3B058529E916C7150E779D8058B71
        APIs
        • PostThreadMessageW.USER32(?,00009000,00000000,00000000), ref: 00A6282E
        • GetLastError.KERNEL32 ref: 00A62838
        Strings
        • Failed to post detect message., xrefs: 00A62867
        • EngineForApplication.cpp, xrefs: 00A6285D
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLastMessagePostThread
        • String ID: EngineForApplication.cpp$Failed to post detect message.
        • API String ID: 2609174426-598219917
        • Opcode ID: 7c96f226797422effaf2df08b06203a90c46d15742e6a9dce64db4fa8754402b
        • Instruction ID: 9bf21013737d6c0dbcda76e7e447e48a03f81c07bebd80d534ed37030ce32a27
        • Opcode Fuzzy Hash: 7c96f226797422effaf2df08b06203a90c46d15742e6a9dce64db4fa8754402b
        • Instruction Fuzzy Hash: 1AF0EC3274163177E23056995D09F577E9CEF14BE0F014135F50CEB191D554DC0183D5
        APIs
        • PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 00A62890
        • GetLastError.KERNEL32 ref: 00A6289A
        Strings
        • Failed to post plan message., xrefs: 00A628C9
        • EngineForApplication.cpp, xrefs: 00A628BF
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLastMessagePostThread
        • String ID: EngineForApplication.cpp$Failed to post plan message.
        • API String ID: 2609174426-2952114608
        • Opcode ID: d5602359313bcad6ca65c895b8b3eeb1f1e8e251a38c7be66d29e2d3f5a51f8b
        • Instruction ID: f1dfd99c386219b4dfca4e72d667fb1c722278613bc57952e0f0390e0a2e3c0c
        • Opcode Fuzzy Hash: d5602359313bcad6ca65c895b8b3eeb1f1e8e251a38c7be66d29e2d3f5a51f8b
        • Instruction Fuzzy Hash: 56F0A732B4162576E6306B99AD09F577ED8EF14BB1F014135F90CEA291E555C80087D1
        APIs
        • PostThreadMessageW.USER32(?,00009004,?,00000000), ref: 00A629CA
        • GetLastError.KERNEL32 ref: 00A629D4
        Strings
        • Failed to post shutdown message., xrefs: 00A62A03
        • EngineForApplication.cpp, xrefs: 00A629F9
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLastMessagePostThread
        • String ID: EngineForApplication.cpp$Failed to post shutdown message.
        • API String ID: 2609174426-188808143
        • Opcode ID: 988ebb8ac4dcf1efd58cb9f90462119940dd9adb9f293fc753cb5a270ae1bf5a
        • Instruction ID: f83764cedaed6e4473c78297a0a8c0542be93188c56a7db4f07520038bf8ac54
        • Opcode Fuzzy Hash: 988ebb8ac4dcf1efd58cb9f90462119940dd9adb9f293fc753cb5a270ae1bf5a
        • Instruction Fuzzy Hash: 85F02033B41221BBE7302AD89C0AF9B7A98BF04BB0F004035FA0CEA1A0E658C80083D5
        APIs
        • PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 00A62968
        • GetLastError.KERNEL32 ref: 00A62972
        Strings
        • EngineForApplication.cpp, xrefs: 00A62997
        • Failed to post apply message., xrefs: 00A629A1
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLastMessagePostThread
        • String ID: EngineForApplication.cpp$Failed to post apply message.
        • API String ID: 2609174426-1304321051
        • Opcode ID: 69b6bd98dc6d2dc91138d6a63e8629a6a7bd6b10dafa61c513bc817abe2f9a08
        • Instruction ID: f8d972e6995b4ac837798152c3a87ce675ad4328c79fe713bec6396604120ed3
        • Opcode Fuzzy Hash: 69b6bd98dc6d2dc91138d6a63e8629a6a7bd6b10dafa61c513bc817abe2f9a08
        • Instruction Fuzzy Hash: 3AF0A73374572276E63156999D09F577F98EF54BB1F014135F90CEA1A1D655C80083D1
        APIs
        • SetEvent.KERNEL32(526A5680,00A51D56,00A7614F,00A51D56,?,00A70082,00A52222,00A51E8E,?,00A5D887,?,00A51D56,00A51D9E,?,00A51DDE,WixBundleElevated), ref: 00A75ED0
        • GetLastError.KERNEL32(?,00A70082,00A52222,00A51E8E,?,00A5D887,?,00A51D56,00A51D9E,?,00A51DDE,WixBundleElevated,00000000,00000000,00000001,00A51DDE), ref: 00A75EDA
        Strings
        • Failed to set begin operation event., xrefs: 00A75F09
        • cabextract.cpp, xrefs: 00A75EFF
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorEventLast
        • String ID: Failed to set begin operation event.$cabextract.cpp
        • API String ID: 3848097054-4159625223
        • Opcode ID: bd1e0d79393b97132ed51a22a55808e8035a65b8bc35686a1387e83b7bdc037c
        • Instruction ID: 54c187947a6375ec97ef072ecdaccfa4d7b13d56e07f2f54f7b10d1e799a62d7
        • Opcode Fuzzy Hash: bd1e0d79393b97132ed51a22a55808e8035a65b8bc35686a1387e83b7bdc037c
        • Instruction Fuzzy Hash: 81E0D133F5693266F73063796E06B6525C45F04BA0B15C175F90DE7290F5C4CC4043D1
        APIs
        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A7E7C2
        • __isleadbyte_l.LIBCMT ref: 00A7E7F5
        • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 00A7E826
        • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,?,?,?,?,00000000), ref: 00A7E894
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
        • String ID:
        • API String ID: 3058430110-0
        • Opcode ID: 9b21b937f02069e2d92ebf3d526dbb03ba17c2cc0fe22cd3731450d300dd58f0
        • Instruction ID: f1d5933101b5384daa9e310851fb7ff63c1b673b7ad917a68effaf62ad5ce176
        • Opcode Fuzzy Hash: 9b21b937f02069e2d92ebf3d526dbb03ba17c2cc0fe22cd3731450d300dd58f0
        • Instruction Fuzzy Hash: 00318D31A00255EFEB24DFA4CC84AAE7BB5AF09310B18C5ADE4699B1E1E731DD40DB51
        APIs
        • Sleep.KERNEL32(000007D0,?,00000000,00000000,?), ref: 00A692C3
        Strings
        • Failed to combine id to root cache path., xrefs: 00A69267
        • Failed to ensure cache directory to remove was backslash terminated., xrefs: 00A6927D
        • Failed to calculate root cache path., xrefs: 00A6924B
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Sleep
        • String ID: Failed to calculate root cache path.$Failed to combine id to root cache path.$Failed to ensure cache directory to remove was backslash terminated.
        • API String ID: 3472027048-541824359
        • Opcode ID: 4075fbd0b4b76a9abf1cff11a817b41e08f7114c9ccac94e84f38dafaec5f3ef
        • Instruction ID: b9820ca2fb0535b2acf8f10694084ecac4c38253905aafae83426570311b6c10
        • Opcode Fuzzy Hash: 4075fbd0b4b76a9abf1cff11a817b41e08f7114c9ccac94e84f38dafaec5f3ef
        • Instruction Fuzzy Hash: 1231EEB2900119FADF10BFB48E8A9EEBA7CAB44354F510439FA06B6151D2314E92A791
        APIs
        • SysAllocString.OLEAUT32(?), ref: 00A85372
        • VariantInit.OLEAUT32(?), ref: 00A8537E
        • VariantClear.OLEAUT32(?), ref: 00A853F2
        • SysFreeString.OLEAUT32(00000000), ref: 00A853FD
          • Part of subcall function 00A84F42: SysAllocString.OLEAUT32(?), ref: 00A84F57
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: String$AllocVariant$ClearFreeInit
        • String ID:
        • API String ID: 347726874-0
        • Opcode ID: 813d0b5e853853dd2e14c010eeaa203fc5629d462213938ef9774dcdc073a617
        • Instruction ID: 08fe49798c5c1c45ff9b1b1a59cf30684387ba6c016d86817dae1d97bb73e68b
        • Opcode Fuzzy Hash: 813d0b5e853853dd2e14c010eeaa203fc5629d462213938ef9774dcdc073a617
        • Instruction Fuzzy Hash: 0F211875E00619AFDB10EBA4C898AAEBBB8EF44795F144458ED01EF210DBB0DD01CBA0
        APIs
          • Part of subcall function 00A55873: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,?,?,?,00A51245,?,?,00000000), ref: 00A558C3
        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,?), ref: 00A512AC
        Strings
        • Unable to get resume command line from the registry, xrefs: 00A5124B
        • Failed to re-launch bundle process after RunOnce: %ls, xrefs: 00A51296
        • Failed to get current process path., xrefs: 00A51262
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Close$Handle
        • String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
        • API String ID: 187904097-642631345
        • Opcode ID: 2f2032fe165edbd510f9a0a1f601ed3aacc1b03ce145f7de13e40423bcc26ed0
        • Instruction ID: 891e14c944b746013bf7c21f111568e658d9b8e5d2988d40065d6650d5bbc381
        • Opcode Fuzzy Hash: 2f2032fe165edbd510f9a0a1f601ed3aacc1b03ce145f7de13e40423bcc26ed0
        • Instruction Fuzzy Hash: AC118B72D00518FACF12BBA4DD418EDFBB8BEA4751F2082A6F814B2120E6714F859B41
        APIs
        • EnterCriticalSection.KERNEL32(?,00000000,00000000,?,?,00A68347,?,WixBundleOriginalSource,?,00000000,?,00A51E12,00000001,?,?,00000001), ref: 00A5A4E0
        • LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,00A68347,?,WixBundleOriginalSource,?,00000000,?,00A51E12,00000001,?,?,00000001), ref: 00A5A542
        Strings
        • Failed to get value of variable: %ls, xrefs: 00A5A517
        • Failed to get value as string for variable: %ls, xrefs: 00A5A533
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalSection$EnterLeave
        • String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls
        • API String ID: 3168844106-2100416246
        • Opcode ID: f42a6d94e78f82ed87e2873969665a85e160592a43ff8955e8fdc39919e7e0a3
        • Instruction ID: 15d5be460785654f760a52ed5e196bdec07650910bb8bb84e4ebd75cc43f0b44
        • Opcode Fuzzy Hash: f42a6d94e78f82ed87e2873969665a85e160592a43ff8955e8fdc39919e7e0a3
        • Instruction Fuzzy Hash: 7A01DB72B41229FFCF115F98DC45E9E7B68BF24726F118621FD05E6211D238DE044792
        APIs
        • EnterCriticalSection.KERNEL32(?), ref: 00A5A462
        • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00A5A4C4
        Strings
        • Failed to get value of variable: %ls, xrefs: 00A5A499
        • Failed to get value as numeric for variable: %ls, xrefs: 00A5A4B5
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalSection$EnterLeave
        • String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
        • API String ID: 3168844106-4270472870
        • Opcode ID: 31146fe7622e500cc39bc58f1dd3bc3f6ac8fa26a8358650bd667ebe4e186cd9
        • Instruction ID: 6d96b3391e0fce21340594c16185c49f18d324d7d055167c1e85eb3fa97f239d
        • Opcode Fuzzy Hash: 31146fe7622e500cc39bc58f1dd3bc3f6ac8fa26a8358650bd667ebe4e186cd9
        • Instruction Fuzzy Hash: 27018473A01225FBCB115FD4DC49E9E7778BB24326F118621FD18E6211C2B8EA0447A2
        APIs
        • EnterCriticalSection.KERNEL32(?), ref: 00A5A55E
        • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00A5A5C0
        Strings
        • Failed to get value of variable: %ls, xrefs: 00A5A595
        • Failed to get value as version for variable: %ls, xrefs: 00A5A5B1
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalSection$EnterLeave
        • String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
        • API String ID: 3168844106-1851729331
        • Opcode ID: d74dbb975414bca204308b995919126cf364427e5793c9ddf4fa87e62bc07528
        • Instruction ID: db2c07b2b1c00cc9bc56dfd670d15ca53a4b63c948c3d448199dd92e488bfb5d
        • Opcode Fuzzy Hash: d74dbb975414bca204308b995919126cf364427e5793c9ddf4fa87e62bc07528
        • Instruction Fuzzy Hash: 1601A773A01229FFCB119F94CC45E8E7B68BB24367F108221FD05E6211E239DE088793
        APIs
        • GetEnvironmentStringsW.KERNEL32(00000000,00A77D70), ref: 00A793BC
        • __malloc_crt.LIBCMT ref: 00A793EB
        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A793F8
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: EnvironmentStrings$Free__malloc_crt
        • String ID:
        • API String ID: 237123855-0
        • Opcode ID: a4ba6ca138a443f5912b5e8abc1b8327e490718f8f65f80108385d2a5103b85e
        • Instruction ID: 962f0667526c33349d2de3ed511ee27ed72332fec069ca1cb58e64c250406049
        • Opcode Fuzzy Hash: a4ba6ca138a443f5912b5e8abc1b8327e490718f8f65f80108385d2a5103b85e
        • Instruction Fuzzy Hash: B2F0277B5040106B8B307734BC8589B2339DAD136431AC45FF44DC7280F624CE8287A1
        APIs
        • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,00A66D32,?,?,?,?,?,?,00A67221,?,?,?), ref: 00A5A5DC
        • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,00A66D32,?,?,?,?,?,?,00A67221,?,?,?), ref: 00A5A62D
        Strings
        • Failed to get value of variable: %ls, xrefs: 00A5A5FF
        • Failed to copy value of variable: %ls, xrefs: 00A5A61E
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CriticalSection$EnterLeave
        • String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
        • API String ID: 3168844106-2936390398
        • Opcode ID: 143fdc38177c07d3991d1cd351ec7abe5096c2212a4d3be75ac14613ae2885d9
        • Instruction ID: b2d721e7006b32d00b37f47e8935c2c7264ef8b81f68b2a0959fa987d9eeb25c
        • Opcode Fuzzy Hash: 143fdc38177c07d3991d1cd351ec7abe5096c2212a4d3be75ac14613ae2885d9
        • Instruction Fuzzy Hash: ACF0C873A00125FBCB016FA8DC45D8E7B68FF24362F148511FD05E6211C239DE0487A6
        APIs
        • _malloc.LIBCMT ref: 00A78806
          • Part of subcall function 00A7B4D0: __FF_MSGBANNER.LIBCMT ref: 00A7B4E9
          • Part of subcall function 00A7B4D0: __NMSG_WRITE.LIBCMT ref: 00A7B4F0
          • Part of subcall function 00A7B4D0: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00A7BF87,00000000,00000001,00000000,?,00A7B736,00000018,00AA1FB0,0000000C,00A7B7C6), ref: 00A7B515
        • std::exception::exception.LIBCMT ref: 00A7883B
        • std::exception::exception.LIBCMT ref: 00A78855
        • __CxxThrowException@8.LIBCMT ref: 00A78866
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: std::exception::exception$AllocException@8HeapThrow_malloc
        • String ID:
        • API String ID: 1414122017-0
        • Opcode ID: 624584724f881884027ba34ddb57bc9893dd1218847a4de91ee379ec90a6fe41
        • Instruction ID: 7e42e4422fc345b146fcefeb5f171c4675b6dacd040eb07630e27ef1bd2821fc
        • Opcode Fuzzy Hash: 624584724f881884027ba34ddb57bc9893dd1218847a4de91ee379ec90a6fe41
        • Instruction Fuzzy Hash: 28F02871900109AECF04EB54EE1ABAE3BE8BB45B54F60C429F409971D2CFB08A01C3A1
        APIs
        • RegCloseKey.ADVAPI32(00000000), ref: 00A83AD3
          • Part of subcall function 00A8378B: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00A61F19,?,00000009,00000000,?,00A61BE1,80000002,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,?,00000001), ref: 00A8379F
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseOpen
        • String ID: regutil.cpp
        • API String ID: 47109696-955085611
        • Opcode ID: 7170ab8a43f7883ab8f1a259d39d0a3cda6c77f3e833571e44d6e6e67d371dcd
        • Instruction ID: 8ae08059395181c732b90a462d5163aa6911c771fc972f4204fcfba21d2adffc
        • Opcode Fuzzy Hash: 7170ab8a43f7883ab8f1a259d39d0a3cda6c77f3e833571e44d6e6e67d371dcd
        • Instruction Fuzzy Hash: 9941D437900116BBDF19BB98CC05ABEF676AF80B90F294129E991A7150D777CF019740
        APIs
        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00A61F19,00000000,00A61F19,00000002,00000009,00000000,00A61F19,00000000,?,?,?), ref: 00A83241
        • RegQueryValueExW.ADVAPI32(?,00A61F19,00000000,?,00A61F19,?,00A61F19,?), ref: 00A8327A
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: QueryValue
        • String ID: regutil.cpp
        • API String ID: 3660427363-955085611
        • Opcode ID: c0ea98e0e4106ce8b71306f5cec77005db0345956a7aa47a68c6e85bef2886f0
        • Instruction ID: 0affb2ad7479719ef61e7d826a56245e88521e1bde15a04f40a8706d41bd9308
        • Opcode Fuzzy Hash: c0ea98e0e4106ce8b71306f5cec77005db0345956a7aa47a68c6e85bef2886f0
        • Instruction Fuzzy Hash: 9A413C72A0024AAFDF10EF94CD859EEBBB9FF14700F10496AFA11E6151E7718B548B90
        APIs
        • ReadFile.KERNEL32(?,?,?,?,00000000,00000000,75C0B390,00000000,?,00A67B78,?,?,?,00000000,00000000,?), ref: 00A85887
        • GetLastError.KERNEL32(?,00A67B78,?,?,?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00A5130D,?,?), ref: 00A858FE
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFileLastRead
        • String ID: fileutil.cpp
        • API String ID: 1948546556-2967768451
        • Opcode ID: 2369dda18d3808a7731c9884a060c15a8229d4d044e702d2c48a0a6874236b64
        • Instruction ID: ea5c393f5496c3f9cc397b5c23e9a4f5079bd5011518a830f7af3f6317730395
        • Opcode Fuzzy Hash: 2369dda18d3808a7731c9884a060c15a8229d4d044e702d2c48a0a6874236b64
        • Instruction Fuzzy Hash: B6314E35D00599DBDF21AF25CD407DDBBF4AF48301F1080EBA949E6150D6B49EC4AF61
        APIs
        • _memmove.LIBCMT ref: 00A812FF
        • _memmove.LIBCMT ref: 00A8130A
          • Part of subcall function 00A82382: GetProcessHeap.KERNEL32(00000000,?,?,00A808DD,?,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000,00000000), ref: 00A8238A
          • Part of subcall function 00A82382: HeapSize.KERNEL32(00000000,?,00A808DD,?,?,00000000,00000000,?,?,?,00A7F6D3,?,?,00000000,00000000,?), ref: 00A82391
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: Heap_memmove$ProcessSize
        • String ID: W
        • API String ID: 3606272560-655174618
        • Opcode ID: 4337d811ab13aa5c2fe4b0058768c62c44b60dd9dc8479738dd8d0c6da4f175d
        • Instruction ID: 5f5344097fbb1c4bb5c7a38450fd77d009e9c1d8d04838c7323fa9e39a52c13f
        • Opcode Fuzzy Hash: 4337d811ab13aa5c2fe4b0058768c62c44b60dd9dc8479738dd8d0c6da4f175d
        • Instruction Fuzzy Hash: 2F218371A0020AFBDB00EFA9CC81DEE77BDEF44324B204669F951DB245EB31DA019760
        APIs
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: _memmove_s
        • String ID: \\?\$\\?\UNC
        • API String ID: 800865076-2523517826
        • Opcode ID: fec2fc872ac0970471ff71ea018a25661be0fe723501498c070540cd2a4bcdda
        • Instruction ID: 8652ea21e198659d03cd8821f3537bf7d757401e8d34c55c150b45c79109f376
        • Opcode Fuzzy Hash: fec2fc872ac0970471ff71ea018a25661be0fe723501498c070540cd2a4bcdda
        • Instruction Fuzzy Hash: 03118672241200B5E639B745DC45EFAF35DEB51FE4FC04426F5495B081E261A6C3C765
        APIs
        • CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,?,00A6F8DA,00000000,IGNOREDEPENDENCIES,00000000,?), ref: 00A5410E
        Strings
        • IGNOREDEPENDENCIES, xrefs: 00A540CA
        • Failed to copy the property value., xrefs: 00A5413E
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CompareString
        • String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
        • API String ID: 1825529933-1412343224
        • Opcode ID: c8ea40695fc64707105c1ffd3254b468de58ccd708b49a30300be0b7c0a3454a
        • Instruction ID: d9e35e73a2283da6ebb9630c75518cd30d7fcbdc28754798fd1f1055c7cfe194
        • Opcode Fuzzy Hash: c8ea40695fc64707105c1ffd3254b468de58ccd708b49a30300be0b7c0a3454a
        • Instruction Fuzzy Hash: 6811BF32904218EFCF108F94CC849AA7BB5FB18369F21867AFE29A7291C7305DC4CB50
        APIs
          • Part of subcall function 00A8378B: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00A61F19,?,00000009,00000000,?,00A61BE1,80000002,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,?,00000001), ref: 00A8379F
        • RegCloseKey.ADVAPI32(?,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,?,00000001,?,?,?,00A61F19,00000000,?,?,?), ref: 00A61C48
          • Part of subcall function 00A831D0: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00A61F19,00000000,00A61F19,00000002,00000009,00000000,00A61F19,00000000,?,?,?), ref: 00A83241
          • Part of subcall function 00A831D0: RegQueryValueExW.ADVAPI32(?,00A61F19,00000000,?,00A61F19,?,00A61F19,?), ref: 00A8327A
        Strings
        • Logging, xrefs: 00A61BE9
        • SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00A61BCA
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: QueryValue$CloseOpen
        • String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer
        • API String ID: 1586453840-387823766
        • Opcode ID: a3ac8db83737023321139a0ed990fae8576bcca72dc5e089bf62a0c7c785f317
        • Instruction ID: cd37d91da11987a9fac818498bc0de53e0d32cf1a97c3f6bfe633b369677df8c
        • Opcode Fuzzy Hash: a3ac8db83737023321139a0ed990fae8576bcca72dc5e089bf62a0c7c785f317
        • Instruction Fuzzy Hash: 0E118471B80209BFDF30AB50DE429BEBFB9FF90710FA84466E541A6050E6759F81E711
        APIs
        • CoInitializeEx.OLE32(00000000,00000000), ref: 00A5C170
        • CoUninitialize.OLE32(?,?,?,?,?,?), ref: 00A5C1D3
        Strings
        • Failed to initialize COM on cache thread., xrefs: 00A5C17D
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: InitializeUninitialize
        • String ID: Failed to initialize COM on cache thread.
        • API String ID: 3442037557-3629645316
        • Opcode ID: 8d1e02c42de26d66371619a1e788d0c1bd3c08fd545aa5bd293a8cb16ace9c51
        • Instruction ID: 490950a35feba7c86ca522772438b544675ead823a1572343d4d982aea2c07f2
        • Opcode Fuzzy Hash: 8d1e02c42de26d66371619a1e788d0c1bd3c08fd545aa5bd293a8cb16ace9c51
        • Instruction Fuzzy Hash: 27016DB2500609FFDB10DFA4C844E9BBBECFF08355F10852AF909D7211DA70AA488BA0
        APIs
          • Part of subcall function 00A8378B: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00A61F19,?,00000009,00000000,?,00A61BE1,80000002,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,?,00000001), ref: 00A8379F
        • RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,?,?,?,00000000,?,?,?,00A86548,?), ref: 00A8650A
          • Part of subcall function 00A8359D: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000105,00000000,00000000,?,?,?,?,00A55653,00000000,Installed,00000000,?), ref: 00A835C2
        Strings
        • EnableLUA, xrefs: 00A864DC
        • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00A864BA
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseOpenQueryValue
        • String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
        • API String ID: 3677997916-3551287084
        • Opcode ID: ed604689af67333536b23d5a3aa387a7329410b3e73be5919b366489a24240cf
        • Instruction ID: af19f058c8d6e734f822102464e29e0a6e32c4a9d9ca3317142da53a0039d44f
        • Opcode Fuzzy Hash: ed604689af67333536b23d5a3aa387a7329410b3e73be5919b366489a24240cf
        • Instruction Fuzzy Hash: 1201A776A00218FFEB11EFE8C945A9EBAF9EB84750F200479E605D3141EB719E409791
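        The function entries above are the raw material an analyst triages by hand: API names, the stack values captured at each call site, the strings each function references, and the Similarity IDs. As an added example (not part of the Joe Sandbox report and not code from the analysed bootstrapper), the Python below parses that listing format, recovers the registry keys each function touches, and flags two things worth reading first: a function that pairs the value name EnableLUA with HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA under that key is the documented UAC on/off switch, so such a read is a UAC-state check), and any WinINet call, whose URL arguments deserve a look. The sample input is constructed from two of the entries on this page; the hive mapping uses the documented HKEY_* handle constants (80000002 is HKEY_LOCAL_MACHINE); the triage rules are this editor's heuristics, not anything the report asserts. One caveat the code relies on: the argument lists in these listings are stack snapshots at the call site, which is why a key path shows up under RegCloseKey, a one-argument API, as a leftover from the earlier RegOpenKeyExW in the same function.

```python
"""Triage helper for a Joe Sandbox function listing (added example, not part of the report).

Parses the per-function blocks (APIs / Strings / Similarity), recovers the registry
keys each function touches, and flags policy-key reads and network API use.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: two entries copied in the shape of the listing above.
SAMPLE = r"""
APIs
• RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,?), ref: 00A8650A
  • Part of subcall function 00A8359D: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000105,00000000,00000000,?), ref: 00A835C2
Strings
• EnableLUA, xrefs: 00A864DC
• SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00A864BA
Memory Dump Source
• Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
Similarity
• API ID: CloseOpenQueryValue
• String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
• API String ID: 3677997916-3551287084
APIs
• HttpQueryInfoW.WININET(00000000,20000005,00000000,00000000,00000000), ref: 00A877C5
• GetLastError.KERNEL32(?,?,00A76F4C,?,?,00000000,000000FF,?,00000000,HEAD,00000000,00000000,?,00000000,?,?), ref: 00A877CF
Strings
Memory Dump Source
Similarity
• API ID: ErrorHttpInfoLastQuery
• String ID: inetutil.cpp
• API String ID: 4218848986-2900720265
"""

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE, optional
# "(stack values)", then "ref: ADDR". LIBCMT entries have no parenthesised values.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w@:]+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
STR_RE = re.compile(r"^\s*•\s*(?P<text>.*), xrefs: (?P<xref>[0-9A-F]+)\s*$")
ID_RE = re.compile(r"^\s*•\s*API String ID:\s*(?P<id>[\d-]+)\s*$")
HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Documented predefined registry handle constants (HKEY_CLASSES_ROOT .. HKEY_USERS).
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}
KEY_RE = re.compile(r"^(?:SOFTWARE|SYSTEM)\\", re.IGNORECASE)


@dataclass
class Function:
    apis: list = field(default_factory=list)     # API_RE group dicts, in listing order
    strings: list = field(default_factory=list)  # (text, xref) pairs
    api_string_id: str = ""

    def api_names(self):
        return [a["name"] for a in self.apis]

    def registry_keys(self):
        """Key paths seen in Reg* call stacks or in the string list, prefixed with the hive
        handle seen on the same stacks ('?' when no hive constant was captured)."""
        hive, keys = None, set()
        for a in self.apis:
            if not a["name"].startswith("Reg"):
                continue
            for tok in (a["args"] or "").split(","):
                tok = tok.strip()
                if tok in HIVES:
                    hive = HIVES[tok]
                elif KEY_RE.match(tok):
                    keys.add(tok)
        for text, _ in self.strings:
            if KEY_RE.match(text):
                keys.add(text)
        return sorted(f"{hive or '?'}\\{k}" for k in keys)


def parse_listing(text):
    """Split the listing on 'APIs' headers; each header starts one function entry."""
    funcs, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = Function()
            funcs.append(current)
            section = "apis"
            continue
        if stripped in HEADERS:
            section = stripped
            continue
        if current is None:
            continue
        if section == "apis":
            m = API_RE.match(line)
            if m:
                current.apis.append(m.groupdict())
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                current.strings.append((m["text"], m["xref"]))
        elif section == "Similarity":
            m = ID_RE.match(line)
            if m:
                current.api_string_id = m["id"]
    return funcs


def triage(funcs):
    """Editor's heuristics: (kind, API String ID, evidence) for each function of interest."""
    findings = []
    for f in funcs:
        keys = f.registry_keys()
        names = {s for s, _ in f.strings}
        if "EnableLUA" in names and any(k.endswith(r"Policies\System") for k in keys):
            findings.append(("uac_policy_read", f.api_string_id, keys))
        net = [n for n in f.api_names() if n.startswith(("Http", "Internet", "WinHttp"))]
        if net:
            findings.append(("network_api", f.api_string_id, net))
    return findings


if __name__ == "__main__":
    for kind, fid, evidence in triage(parse_listing(SAMPLE)):
        print(f"{kind:16} {fid:24} {evidence}")
```

        Run against a whole report export, the `api_string_id` ties each finding back to the Similarity block so it can be matched across samples; a missing hive (the `?` prefix) means the captured stack did not include the handle constant, not that the key is unknown.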
        APIs
        • LCMapStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00A817A4,00000000,?,00000200), ref: 00A81739
        • GetLastError.KERNEL32(?,00A817A4,00000000,?,00000200,?,00A86E3E,00000000,00000000,00000000,00000000,?,00000000,?,00A8721A,00000000), ref: 00A81743
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorLastString
        • String ID: strutil.cpp
        • API String ID: 3728238275-3612885251
        • Opcode ID: c4a7a88d3cd0fa7eedf5044c300db9d00934b21a769d49e7fd9f12c86fc9bbfa
        • Instruction ID: bd3d36b0d466e9ea01e4af0de54f52f65b5938552cd587c2d32426f94fa2dd35
        • Opcode Fuzzy Hash: c4a7a88d3cd0fa7eedf5044c300db9d00934b21a769d49e7fd9f12c86fc9bbfa
        • Instruction Fuzzy Hash: E7018436240116BBDB216F558C04E9B7FADEF81770F15812DFD6C9A260EA36D8129B50
        APIs
        • SysAllocString.OLEAUT32(?), ref: 00A84EEC
        • SysFreeString.OLEAUT32(00000000), ref: 00A84F21
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: String$AllocFree
        • String ID: xmlutil.cpp
        • API String ID: 344208780-1270936966
        • Opcode ID: 63ecaa6e2c116ef6ac0426033feda1b63c481cc265b6e9b51212a1df54420531
        • Instruction ID: 622023e82effd73c40e52e3c6c01a3dc5534cf4e54967a63b77c01e4063ad736
        • Opcode Fuzzy Hash: 63ecaa6e2c116ef6ac0426033feda1b63c481cc265b6e9b51212a1df54420531
        • Instruction Fuzzy Hash: 1D01A231640216B7EB206B685C08EB636D9FF5AB61F11052AF904DB390D774CD019791
        APIs
        • SysAllocString.OLEAUT32(?), ref: 00A84FE3
        • SysFreeString.OLEAUT32(00000000), ref: 00A85018
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: String$AllocFree
        • String ID: xmlutil.cpp
        • API String ID: 344208780-1270936966
        • Opcode ID: 5b641a8198b5bb15a470333e22daba0030938f2ffedf3b36b65e8155fb923d54
        • Instruction ID: 9de4aa3d2d6cd2ce482c3c0c1e619b05194a2137d1ec2140909f303b73d6b847
        • Opcode Fuzzy Hash: 5b641a8198b5bb15a470333e22daba0030938f2ffedf3b36b65e8155fb923d54
        • Instruction Fuzzy Hash: 1A01A231B4020ABBEB206A694C04FBA36E8EF56B71F11013AFE05DB351DA74CC4097E1
        APIs
        • GetModuleFileNameW.KERNEL32(00A52136,?,00000104,?,00000104,?,00000000,?,?,00A52136,?,00000000,?,?,?,76EEC3F0), ref: 00A81A95
        • GetLastError.KERNEL32(?,00A52136,?,00000000,?,?,?,76EEC3F0,?,00000000), ref: 00A81AAC
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFileLastModuleName
        • String ID: pathutil.cpp
        • API String ID: 2776309574-741606033
        • Opcode ID: bcdfda6290001fe2dc298f7b9a19e1e29c5c4b2d770f8db13ad123c74899095d
        • Instruction ID: 05f5995ca9c30567c34315fe431509c2a33b017a9862d36b1cce211ad1beaaee
        • Opcode Fuzzy Hash: bcdfda6290001fe2dc298f7b9a19e1e29c5c4b2d770f8db13ad123c74899095d
        • Instruction Fuzzy Hash: 06F0CD32A022266BA3207A59DC84E6AFAACDF01BF0B154526FD04EB160E765DC0253E0
        APIs
          • Part of subcall function 00A8378B: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00A61F19,?,00000009,00000000,?,00A61BE1,80000002,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,?,00000001), ref: 00A8379F
        • RegCloseKey.ADVAPI32(00000000,00000000,00000000,?,?,00020006,00000000,00000000,00000001,?,?,00A71835,000000F9,00000000,000000B9,00000000), ref: 00A571ED
        Strings
        • Failed to open registration key., xrefs: 00A571BD
        • Failed to update resume mode., xrefs: 00A571D7
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseOpen
        • String ID: Failed to open registration key.$Failed to update resume mode.
        • API String ID: 47109696-3366686031
        • Opcode ID: 251f38d99f7f388ab993608ac31c8572bac0f82c27674361852483d5340fafa4
        • Instruction ID: 3746f259d0b5cc51c22b8b8031ea137c824520135e52ecfd612bbcf4cff21ffa
        • Opcode Fuzzy Hash: 251f38d99f7f388ab993608ac31c8572bac0f82c27674361852483d5340fafa4
        • Instruction Fuzzy Hash: 8CF0C276644614BBDB12AA94EC02F9E77BABB80716F200529FD01B2290DAB0EA049710
        APIs
        • GetFileSizeEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00A5277F,?,?,?,00000000,00000000), ref: 00A856C2
        • GetLastError.KERNEL32(?,?,?,00A5277F,?,?,?,00000000,00000000,?,?,?,76EEC3F0,?,00000000), ref: 00A856CC
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorFileLastSize
        • String ID: fileutil.cpp
        • API String ID: 464720113-2967768451
        • Opcode ID: 746c36d7ee2ed0d0e794b202065c2414519abcf3e1bbf2bfd6e318739cc5592f
        • Instruction ID: f3355dec06b3a4d31bef209276ea7c50dcafee521b90549eea1706ac210ceb16
        • Opcode Fuzzy Hash: 746c36d7ee2ed0d0e794b202065c2414519abcf3e1bbf2bfd6e318739cc5592f
        • Instruction Fuzzy Hash: 5BF0C276A10605ABD720AF69CC05AAA7BF8EF85730F544429F985D7210F234E9008B60
        APIs
        • CloseHandle.KERNEL32(F08B8006,00000000,00A51AAE,?,00A5D97B,?,00A51AAE,00A51E12,00A51E12,00000000,?,00A51E22,A8AB1868,00A51E22,?,?), ref: 00A70108
        • _memset.LIBCMT ref: 00A7011A
          • Part of subcall function 00A75AA9: SetEvent.KERNEL32(526A5680,00A52222,00A51E22,?,?,00A700ED,00A52222,00000000,00A51AAE,?,00A5D97B,?,00A51AAE,00A51E12,00A51E12,00000000), ref: 00A75ACA
          • Part of subcall function 00A75AA9: GetLastError.KERNEL32(?,?,00A700ED,00A52222,00000000,00A51AAE,?,00A5D97B,?,00A51AAE,00A51E12,00A51E12,00000000,?,00A51E22,A8AB1868), ref: 00A75AD4
          • Part of subcall function 00A75AA9: CloseHandle.KERNEL32(004005BE,00000000,00A52222,00A51E22,?,?,00A700ED,00A52222,00000000,00A51AAE,?,00A5D97B,?,00A51AAE,00A51E12,00A51E12), ref: 00A75B70
          • Part of subcall function 00A75AA9: CloseHandle.KERNEL32(526A5680,00000000,00A52222,00A51E22,?,?,00A700ED,00A52222,00000000,00A51AAE,?,00A5D97B,?,00A51AAE,00A51E12,00A51E12), ref: 00A75B7D
          • Part of subcall function 00A75AA9: CloseHandle.KERNEL32(A8AD1468,00000000,00A52222,00A51E22,?,?,00A700ED,00A52222,00000000,00A51AAE,?,00A5D97B,?,00A51AAE,00A51E12,00A51E12), ref: 00A75B8A
        Strings
        • Failed to close cabinet., xrefs: 00A700F3
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: CloseHandle$ErrorEventLast_memset
        • String ID: Failed to close cabinet.
        • API String ID: 1352847294-2920093955
        • Opcode ID: a2e02854dc790088a2ea4eefdcca2f7e70c42defbbd2a128f464076f79579f3c
        • Instruction ID: f0d99034403c154091094c5179bcbe133705257cbb26a88bdec7d3f7345fd2d7
        • Opcode Fuzzy Hash: a2e02854dc790088a2ea4eefdcca2f7e70c42defbbd2a128f464076f79579f3c
        • Instruction Fuzzy Hash: D4F02732340A00B6D2219A6DAC02E4B73999FD1370F20C329F9ACD32D1EB60A80202A8
        APIs
        • HttpQueryInfoW.WININET(?,?,00000001,?,00000000), ref: 00A879B6
        • GetLastError.KERNEL32(?,?,?,00A76BA9,00000000,00000013,00000000,?,?,?,00A76E24,00000000,?,00000000,?,00000000), ref: 00A879C0
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorHttpInfoLastQuery
        • String ID: inetutil.cpp
        • API String ID: 4218848986-2900720265
        • Opcode ID: 8a7584bd4ca6ff86b453390eb172b29c40a99ed8090192e7ae628ff2afa78783
        • Instruction ID: b8698aa41886749b1b999402caa366f540924972207a859475465b00a8ddf306
        • Opcode Fuzzy Hash: 8a7584bd4ca6ff86b453390eb172b29c40a99ed8090192e7ae628ff2afa78783
        • Instruction Fuzzy Hash: 07F036B2610116BBEB60AB95CC05FEF7EACEF04760F104155FD41EA150E675DE0097E0
        APIs
        • HttpQueryInfoW.WININET(00000000,20000005,00000000,00000000,00000000), ref: 00A877C5
        • GetLastError.KERNEL32(?,?,00A76F4C,?,?,00000000,000000FF,?,00000000,HEAD,00000000,00000000,?,00000000,?,?), ref: 00A877CF
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: ErrorHttpInfoLastQuery
        • String ID: inetutil.cpp
        • API String ID: 4218848986-2900720265
        • Opcode ID: 7193f5cd74f0c57f893b30f8d99568bcf411dfedf8754571daf35e52ad04ac00
        • Instruction ID: a9c337351df37b81073eb0087fb69b49eb7ab066ee0e72d14788c66a54a382de
        • Opcode Fuzzy Hash: 7193f5cd74f0c57f893b30f8d99568bcf411dfedf8754571daf35e52ad04ac00
        • Instruction Fuzzy Hash: 51F06D72640216BBEB21AF94CD49FAA7AA8EF11760F108025F909DB250E674DA00C7E0
        APIs
        • SysAllocString.OLEAUT32(00000000), ref: 00A84E60
        • SysFreeString.OLEAUT32(00000000), ref: 00A84E92
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: String$AllocFree
        • String ID: xmlutil.cpp
        • API String ID: 344208780-1270936966
        • Opcode ID: 29576b528d74e4a9b8d5ffb2a87500f452c00837d124318b4200ab61a826491d
        • Instruction ID: 5f7611a6866477f61d7aa6654ca34600fa8077df564fe58cdad4dad6a34163d3
        • Opcode Fuzzy Hash: 29576b528d74e4a9b8d5ffb2a87500f452c00837d124318b4200ab61a826491d
        • Instruction Fuzzy Hash: 5CF0B432240355A7CB216F549C08F9A77A9BB55761F154529FD48AB260C774CD108BD0
        APIs
          • Part of subcall function 00A82A2D: _memset.LIBCMT ref: 00A82A54
          • Part of subcall function 00A82A2D: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00A82A69
          • Part of subcall function 00A82A2D: LoadLibraryW.KERNELBASE(?,?,00000104,00A51C3B), ref: 00A82AB7
          • Part of subcall function 00A82A2D: GetLastError.KERNEL32 ref: 00A82AC3
        • GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00A8317C
        Strings
        Memory Dump Source
        • Source File: 0000000B.00000002.2922844963.0000000000A51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00A50000, based on PE: true
        • Associated: 0000000B.00000002.2922756054.0000000000A50000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923068329.0000000000AA4000.00000004.00000001.01000000.0000000B.sdmp
        • Associated: 0000000B.00000002.2923154955.0000000000AAA000.00000002.00000001.01000000.0000000B.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_11_2_a50000_vcredist_x86_vs2013_en.jbxd
        Similarity
        • API ID: AddressDirectoryErrorLastLibraryLoadProcSystem_memset
        • String ID: AdvApi32.dll$RegDeleteKeyExW
        • API String ID: 2769571726-850864035
        • Opcode ID: c9a42644b8665fcb1b3ca89ca704e28f185d72d749f122b53cd36e1efd2b5704
        • Instruction ID: 200a01c68a8c35a2a2d43b3789457ddcc3a16f51982578b2292f88efe395ed98
        • Opcode Fuzzy Hash: c9a42644b8665fcb1b3ca89ca704e28f185d72d749f122b53cd36e1efd2b5704
        • Instruction Fuzzy Hash: FBE0EC71D02B22BBCB11EBB6FC0D7453E61B702F95F400616ED05AB1E5E7B548428788