

Windows Analysis Report
SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Overview

General Information

Sample name: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
Analysis ID: 1477394
MD5: c0d645827131ac1166dbe06d45511323
SHA1: 1dfa4d4a7ad6817f3d774ecf1fea7b6730f6cbac
SHA256: 3b0dc5d40dc74076656f303aa3652910d44ac2cf6492a4a405c6652a4e777714
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to delete services
Contains functionality to detect virtual machines (STR)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Spawns drivers
Stores files to the Windows start menu directory
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe (PID: 1432 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe" MD5: C0D645827131AC1166DBE06D45511323)
    • setx.exe (PID: 4948 cmdline: setx /M IDmelonMode access-key MD5: 5B700BC00E451033B2F9EEF349A91D1C)
      • conhost.exe (PID: 4160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 4552 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyService "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 400 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Application "C:\Program Files (x86)\IDmelon\Accesskey"\Service.exe MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 4868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 2612 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 5172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 2988 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 6460 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 2812 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Description "Coordinates the communications for using IDmelon solution as a roaming authenticator" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 2448 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdoutCreationDisposition 4 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 1924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 4896 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderrCreationDisposition 4 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 4156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 1616 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateFiles 1 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 2820 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateOnline 0 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 1628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 3556 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateSeconds 14400 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 2524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 4568 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateBytes 5000000 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 2912 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Start SERVICE_AUTO_START MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 2988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 6456 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" restart AccesskeyService MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 2632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 1624 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" status AccesskeyService MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 3928 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" start AccesskeyService MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • devcon.exe (PID: 5112 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccesskeyHid MD5: 6EA4F64D02AE236A6B60E5E665079A89)
      • conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • devcon.exe (PID: 2912 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccessKeyFidoVhid MD5: 6EA4F64D02AE236A6B60E5E665079A89)
      • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • devcon.exe (PID: 6432 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" install "C:\Program Files (x86)\IDmelon\Accesskey\driver\accesskeyfidovhid.inf" root\AccessKeyFidoVhid MD5: 6EA4F64D02AE236A6B60E5E665079A89)
      • conhost.exe (PID: 2100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 5712 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyReaderService "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
    • nssm.exe (PID: 3204 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService Application "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 2784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 736 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 3804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nssm.exe (PID: 3940 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\service_logs.log" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
    • nssm.exe (PID: 736 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\service_logs.log" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
      • conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • nssm.exe (PID: 6856 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)
    • conhost.exe (PID: 3632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Service.exe (PID: 3924 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe" MD5: 9E99F6F2DC43830D3959E55EDDDDB422)
      • conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • dsregcmd.exe (PID: 3004 cmdline: "C:\Windows\System32\dsregcmd.exe" /status MD5: 866989AA656CF67780143376C12DF510)
  • svchost.exe (PID: 3268 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • drvinst.exe (PID: 5712 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{0721629b-1bca-ab45-b3d8-6d54ebfa50a2}\accesskeyfidovhid.inf" "9" "4196477d7" "000000000000015C" "WinSta0\Default" "0000000000000164" "208" "c:\program files (x86)\idmelon\accesskey\driver" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
      • conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • drvinst.exe (PID: 2612 cmdline: DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:50ab71fe221ae399:AccessKeyFidoVhid:21.4.53.488:root\accesskeyfidovhid," "4196477d7" "000000000000017C" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
    • drvinst.exe (PID: 6824 cmdline: DrvInst.exe "1" "0" "HID\HIDCLASS\1&2d595ca7&0&0000" "" "" "4eeb73e57" "0000000000000000" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
  • WUDFRd.sys (PID: 4 cmdline: MD5: 0B7A5464602DA68DA6BEFC2A1B5BE4C5)
  • mshidumdf.sys (PID: 4 cmdline: MD5: 9E90FE6DF363D2427A5C773120E7B27D)
  • WUDFHost.exe (PID: 5840 cmdline: "C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-97f4f2de-0b6d-4708-9672-29cbfafe41c2 -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-ed4957c4-0381-42c5-b015-dd634ba9f208 -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-6f2c6ea5-0b65-4a5a-8a6d-a02cb8e867d5 -NonStateChangingEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-d0cce0e5-6853-4eca-8ea9-ec55e74c196f -LifetimeId:46a3174a-9ab4-4718-a9ea-f0f3d3c57b11 -DeviceGroupId:WudfDefaultDevicePool -HostArg:0 MD5: 00E2EF3D2C9309CA4135195A049CC79C)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\WUDFRd.sys, NewProcessName: C:\Windows\System32\drivers\WUDFRd.sys, OriginalFileName: C:\Windows\System32\drivers\WUDFRd.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: WUDFRd.sys
Source: Process started; Author: vburov; Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, ProcessId: 3268, ProcessName: svchost.exe
No Snort rule has matched


AV Detection

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe; ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe; ReversingLabs: Detection: 15%
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe; Virustotal: Detection: 6%
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 52.35.62.19:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/src/Grpc.Core.Api/obj/Release/net462/Grpc.Core.Api.pdbSHA256 source: Service.exe, 00000022.00000002.4615232663.00000208B2632000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: Service.exe, 00000022.00000002.4618271478.00000208B35D2000.00000002.00000001.01000000.00000029.sdmp, SQLitePCLRaw.core.dll.0.dr
Source: Binary string: /_/csharp/src/Google.Protobuf/obj/Release/net45/Google.Protobuf.pdbSHA256 source: Service.exe, 00000022.00000002.4617920165.00000208B2EE2000.00000002.00000001.01000000.00000027.sdmp
Source: Binary string: /_/artifacts/obj/System.Text.Encodings.Web/Release/net462/System.Text.Encodings.Web.pdbSHA256 source: System.Text.Encodings.Web.dll.0.dr
Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: Service.exe, 00000022.00000002.4618386784.00000208B3612000.00000002.00000001.01000000.0000002B.sdmp
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\GrpcClients\obj\Release\GrpcClients.pdb source: GrpcClients.dll.0.dr
Source: Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.ValueTuple/net47\System.ValueTuple.pdb62P2 B2_CorDllMainmscoree.dll source: Service.exe, 00000022.00000002.4618333774.00000208B35F2000.00000002.00000001.01000000.0000002A.sdmp, System.ValueTuple.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\IDmelonVirtualHidAPI\obj\Release\IDmelonVirtualHidAPI.pdb source: Service.exe, 00000022.00000002.4612253177.0000020899DA2000.00000002.00000001.01000000.00000014.sdmp, IDmelonVirtualHidAPI.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\ServerApi\obj\Release\ServerApi.pdb source: Service.exe, 00000022.00000002.4612407479.0000020899DB2000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: /_/src/DeviceId/obj/Release/net40/DeviceId.pdbSHA256 source: Service.exe, 00000022.00000002.4612627519.0000020899DF2000.00000002.00000001.01000000.00000018.sdmp, DeviceId.dll.0.dr
Source: Binary string: T:\altsrc\github\grpc\workspace_csharp_ext_windows_x64\cmake\build\x64\grpc_csharp_ext.pdb source: Service.exe, 00000022.00000002.4632445211.00007FFD8ED5A000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\DB\obj\Release\DB.pdbg_ source: Service.exe, 00000022.00000002.4617484536.00000208B2E22000.00000002.00000001.01000000.00000023.sdmp, DB.dll.0.dr
Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdbSHA256 source: Service.exe, 00000022.00000002.4617630505.00000208B2E52000.00000002.00000001.01000000.00000025.sdmp, SQLitePCLRaw.batteries_v2.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\DB\obj\Release\DB.pdb source: Service.exe, 00000022.00000002.4617484536.00000208B2E22000.00000002.00000001.01000000.00000023.sdmp, DB.dll.0.dr
Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: System.Buffers.dll.0.dr
Source: Binary string: /var/local/git/grpc/src/csharp/Grpc.Core/obj/Release/net45/Grpc.Core.pdbSHA256n source: Service.exe, 00000022.00000002.4617703023.00000208B2E62000.00000002.00000001.01000000.00000026.sdmp, Grpc.Core.dll.0.dr
Source: Binary string: C:\Users\Jafar\source\repos\EllipticCurve\EllipticCurve\obj\Release\EllipticCurve.pdb source: EllipticCurve.dll.0.dr
Source: Binary string: /var/local/git/grpc/src/csharp/Grpc.Core/obj/Release/net45/Grpc.Core.pdb source: Service.exe, 00000022.00000002.4617703023.00000208B2E62000.00000002.00000001.01000000.00000026.sdmp, Grpc.Core.dll.0.dr
Source: Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Numerics.Vectors/net46\System.Numerics.Vectors.pdb source: System.Numerics.Vectors.dll.0.dr
Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: Service.exe, 00000022.00000002.4615292315.00000208B2682000.00000002.00000001.01000000.0000001B.sdmp, System.Threading.Tasks.Extensions.dll.0.dr
Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdbSHA256N source: Service.exe, 00000022.00000002.4618386784.00000208B3612000.00000002.00000001.01000000.0000002B.sdmp
Source: Binary string: C:\Users\Jafar\source\repos\EllipticCurve\EllipticCurve\obj\Release\EllipticCurve.pdb~y source: EllipticCurve.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\GrpcProtoCompiler\obj\Release\TagReaderGRPC.pdb source: Service.exe, 00000022.00000002.4612565205.0000020899DD2000.00000002.00000001.01000000.00000017.sdmp, TagReaderGRPC.dll.0.dr
Source: Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v142\plain\arm\e_sqlite3.pdb source: e_sqlite3.dll.0.dr
Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: Service.exe, 00000022.00000002.4617310364.00000208B2DE2000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: c:\dev\sqlite\core\sqlite3.pdb source: sqlite3.dll0.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: Service.exe, 00000022.00000002.4615989693.00000208B28D2000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: /home/vsts/work/1/s/src/SocketIO.Serializer.Core/obj/Release/netstandard2.0/SocketIO.Serializer.Core.pdbSHA256w#NtW source: SocketIO.Serializer.Core.dll.0.dr
Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdb source: Service.exe, 00000022.00000002.4617630505.00000208B2E52000.00000002.00000001.01000000.00000025.sdmp, SQLitePCLRaw.batteries_v2.dll.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: Service.exe, 00000022.00000002.4615989693.00000208B28D2000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\Suprema\obj\Release\Suprema.pdb source: Service.exe, 00000022.00000002.4617402283.00000208B2E12000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\Logger\obj\Release\Logger.pdb source: Service.exe, 00000022.00000002.4612186527.0000020899D72000.00000002.00000001.01000000.00000013.sdmp, Logger.dll.0.dr
Source: Binary string: C:\Program Files (x86)\Jenkins\workspace\pcProxAPI-sdk-release-bot\pcProxAPI\runtime\win\x64\Release\USBWejAPI.pdb source: pcProxAPI.dll0.0.dr
Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256CM source: Service.exe, 00000022.00000002.4618271478.00000208B35D2000.00000002.00000001.01000000.00000029.sdmp, SQLitePCLRaw.core.dll.0.dr
Source: Binary string: /home/runner/work/RestSharp/RestSharp/src/RestSharp/obj/Release/net471/RestSharp.pdbSHA256 source: Service.exe, 00000022.00000002.4615735176.00000208B27D2000.00000002.00000001.01000000.0000001C.sdmp, RestSharp.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\Service\obj\Release\Service.pdb source: Service.exe, 00000022.00000000.2242976539.0000020899552000.00000002.00000001.01000000.00000008.sdmp, Service.exe.0.dr
Source: Binary string: /_/csharp/src/Google.Protobuf/obj/Release/net45/Google.Protobuf.pdb source: Service.exe, 00000022.00000002.4617920165.00000208B2EE2000.00000002.00000001.01000000.00000027.sdmp
Source: Binary string: /home/runner/work/RestSharp/RestSharp/src/RestSharp/obj/Release/net471/RestSharp.pdb source: Service.exe, 00000022.00000002.4615735176.00000208B27D2000.00000002.00000001.01000000.0000001C.sdmp, RestSharp.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\Fido\obj\Release\Fido.pdb source: Service.exe, 00000022.00000002.4615894664.00000208B28A2000.00000002.00000001.01000000.0000001E.sdmp, Fido.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\BioKey\obj\Release\BioKey.pdb source: Service.exe, 00000022.00000002.4617542668.00000208B2E32000.00000002.00000001.01000000.00000024.sdmp, BioKey.dll.0.dr
Source: Binary string: C:\projects\websocket-sharp\websocket-sharp\obj\Release\net45\websocket-sharp.pdb source: websocket-sharp.dll.0.dr
Source: Binary string: devcon.pdb source: devcon.exe, 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 00000029.00000000.2266613773.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002B.00000000.2269070923.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002B.00000002.2270785966.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002D.00000002.2312651685.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002D.00000000.2271554771.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe.0.dr
Source: Binary string: /home/vsts/work/1/s/src/SocketIO.Serializer.Core/obj/Release/netstandard2.0/SocketIO.Serializer.Core.pdb source: SocketIO.Serializer.Core.dll.0.dr
Source: Binary string: /_/src/Grpc.Core.Api/obj/Release/net462/Grpc.Core.Api.pdb source: Service.exe, 00000022.00000002.4615232663.00000208B2632000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: devcon.pdbGCTL source: devcon.exe, 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 00000029.00000000.2266613773.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002B.00000000.2269070923.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002B.00000002.2270785966.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002D.00000002.2312651685.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002D.00000000.2271554771.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe.0.dr
Source: Binary string: C:\projects\websocket-sharp\websocket-sharp\obj\Release\net45\websocket-sharp.pdb* source: websocket-sharp.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\Encryption\obj\Release\Encryption.pdb source: Service.exe, 00000022.00000002.4612503866.0000020899DC2000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\GrpcClients\obj\Release\GrpcClients.pdbAF[F MF_CorDllMainmscoree.dll source: GrpcClients.dll.0.dr
Source: Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v142\plain\x64\e_sqlite3.pdb source: Service.exe, 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp, e_sqlite3.dll0.0.dr
Source: Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdb source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Json.dll.0.dr
Source: Binary string: /_/src/DeviceId/obj/Release/net40/DeviceId.pdb source: Service.exe, 00000022.00000002.4612627519.0000020899DF2000.00000002.00000001.01000000.00000018.sdmp, DeviceId.dll.0.dr
Source: Binary string: /_/artifacts/obj/System.Text.Encodings.Web/Release/net462/System.Text.Encodings.Web.pdb source: System.Text.Encodings.Web.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\WindowsDriverDevelopment\virtual_hid_fido\driver\umdf2\AccessKey\x64\Release\AccessKeyFidoVhid.pdb source: drvinst.exe, 00000030.00000003.2291043123.00000277C3619000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000030.00000003.2288648920.00000277C357B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000031.00000003.2307974008.00000242EF2B8000.00000004.00000020.00020000.00000000.sdmp, WUDFHost.exe, 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp, SET42C8.tmp.45.dr, AccessKeyFidoVhid.dll.0.dr, SET44BC.tmp.48.dr
Source: Binary string: C:\Users\Amini\Downloads\WpfToggleSwitchs\WpfToggleSwitch\CSharp\CSharpControls.Wpf\obj\Release\CSharpControls.Wpf.pdb source: CSharpControls.Wpf.dll.0.dr
Source: Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.ValueTuple/net47\System.ValueTuple.pdb source: Service.exe, 00000022.00000002.4618333774.00000208B35F2000.00000002.00000001.01000000.0000002A.sdmp, System.ValueTuple.dll.0.dr
Source: Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdbSHA256 source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Json.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\Suprema\obj\Release\Suprema.pdbqI source: Service.exe, 00000022.00000002.4617402283.00000208B2E12000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\BioKey\obj\Release\BioKey.pdbo source: Service.exe, 00000022.00000002.4617542668.00000208B2E32000.00000002.00000001.01000000.00000024.sdmp, BioKey.dll.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe; Code function: 0_2_004068D4 FindFirstFileW,FindClose,0_2_004068D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe; Code function: 0_2_00405C83 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C83
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe; Code function: 0_2_00402930 FindFirstFileW,0_2_00402930
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe; Code function: 41_2_00007FF7DF2369C0 GetWindowsDirectoryW,FindFirstFileW,FindNextFileW,FindClose,41_2_00007FF7DF2369C0
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: skm.idmelon.com
Source: unknown; HTTP traffic detected:
  POST /apis/access-key-cli/v1/apps HTTP/1.1
  Accept: application/json, text/json, text/x-json, text/javascript, application/xml, text/xml
  User-Agent: RestSharp/110.2.0.0
  Content-Type: application/json
  Host: skm.idmelon.com
  Content-Length: 348
  Expect: 100-continue
  Accept-Encoding: gzip
  Connection: Keep-Alive
Source: Grpc.Core.dll.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Grpc.Core.dll.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Grpc.Core.dll.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Grpc.Core.dll.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: pcProxAPI.dll0.0.dr; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: devcon.exe, 0000002D.00000003.2310425206.0000022D74824000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000030.00000003.2291043123.00000277C3619000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000030.00000003.2288648920.00000277C357B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000031.00000003.2307974008.00000242EF2B8000.00000004.00000020.00020000.00000000.sdmp, Service.exe.0.dr, SET42C8.tmp.45.dr, AccessKeyFidoVhid.dll.0.dr, SET44BC.tmp.48.dr; String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: devcon.exe, 0000002D.00000003.2310425206.0000022D74824000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000030.00000003.2291043123.00000277C3619000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000030.00000003.2288648920.00000277C357B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000031.00000003.2307974008.00000242EF2B8000.00000004.00000020.00020000.00000000.sdmp, Service.exe.0.dr, SET42C8.tmp.45.dr, AccessKeyFidoVhid.dll.0.dr, SET44BC.tmp.48.dr; String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: pcProxAPI.dll0.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: pcProxAPI.dll0.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: pcProxAPI.dll0.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Grpc.Core.dll.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Grpc.Core.dll.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Grpc.Core.dll.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Grpc.Core.dll.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Grpc.Core.dll.0.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: pcProxAPI.dll0.0.dr; String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: pcProxAPI.dll0.0.dr; String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: pcProxAPI.dll0.0.dr; String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Service.exe, 00000022.00000002.4612713278.000002089A0B3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://idmelon.com
Source: Service.exe, 00000022.00000000.2242976539.0000020899552000.00000002.00000001.01000000.00000008.sdmp, Service.exe.0.dr; String found in binary or memory: http://idmelon.com9Failed
Source: Service.exe, 00000022.00000002.4612407479.0000020899DB2000.00000002.00000001.01000000.00000015.sdmp; String found in binary or memory: http://idmelon.comoThe
Source: Service.exe, 00000022.00000002.4615989693.00000208B28D2000.00000002.00000001.01000000.0000001F.sdmp; String found in binary or memory: http://james.newtonking.com/projects/json
Source: Service.exe, 00000022.00000002.4615120681.00000208B25E2000.00000002.00000001.01000000.00000019.sdmp, log4net.dll.0.drString found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: Service.exe, 00000022.00000002.4616598483.00000208B2C1D000.00000004.00000020.00020000.00000000.sdmp, Service.exe, 00000022.00000002.4617703023.00000208B2E62000.00000002.00000001.01000000.00000026.sdmp, Service.exe, 00000022.00000002.4614663103.00000208A9E33000.00000004.00000800.00020000.00000000.sdmp, Grpc.Core.dll.0.drString found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nssm.exe, nssm.exe, 00000004.00000000.2206047108.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000006.00000000.2208574349.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000008.00000002.2212494047.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000000A.00000000.2213502015.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000000C.00000002.2217449909.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000000E.00000000.2218317950.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000010.00000000.2220822953.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000012.00000000.2223206621.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000014.00000000.2227930232.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000016.00000000.2230547196.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000018.00000002.2234464657.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000001A.00000000.2235696174.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000001C.00000000.2238174858.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000001E.00000002.2259235944.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000020.00000000.2242032623.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000025.00000002.2262316238.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000027.00000000.2263428963.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000037.00000002.2326468848.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000039.00000002.2328969197.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000003B.00000000.2329500663.0000000140065000.00000002.00000001.01000000.00000007.sdmpString found in binary 
or memory: http://nssm.cc/
Source: pcProxAPI.dll0.0.drString found in binary or memory: http://ocsp.comodoca.com0
Source: Grpc.Core.dll.0.drString found in binary or memory: http://ocsp.digicert.com0
Source: Grpc.Core.dll.0.drString found in binary or memory: http://ocsp.digicert.com0A
Source: Grpc.Core.dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
Source: Grpc.Core.dll.0.drString found in binary or memory: http://ocsp.digicert.com0X
Source: devcon.exe, 0000002D.00000003.2310425206.0000022D74824000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000030.00000003.2291043123.00000277C3619000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000030.00000003.2288648920.00000277C357B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000031.00000003.2307974008.00000242EF2B8000.00000004.00000020.00020000.00000000.sdmp, Service.exe.0.dr, SET42C8.tmp.45.dr, AccessKeyFidoVhid.dll.0.dr, SET44BC.tmp.48.drString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: devcon.exe, 0000002D.00000003.2310425206.0000022D74824000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000030.00000003.2291043123.00000277C3619000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000030.00000003.2288648920.00000277C357B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000031.00000003.2307974008.00000242EF2B8000.00000004.00000020.00020000.00000000.sdmp, Service.exe.0.dr, SET42C8.tmp.45.dr, AccessKeyFidoVhid.dll.0.dr, SET44BC.tmp.48.drString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: pcProxAPI.dll0.0.drString found in binary or memory: http://ocsp.sectigo.com0
Source: pcProxAPI.dll0.0.drString found in binary or memory: http://ocsp.sectigo.com0A
Source: Service.exe, 00000022.00000002.4612713278.0000020899EB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Service.exe, 00000022.00000002.4612713278.0000020899E53000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Service.exe, 00000022.00000002.4612713278.0000020899F0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: devcon.exe, 0000002D.00000003.2310425206.0000022D74824000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000030.00000003.2291043123.00000277C3619000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000030.00000003.2288648920.00000277C357B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000031.00000003.2307974008.00000242EF2B8000.00000004.00000020.00020000.00000000.sdmp, Service.exe.0.dr, SET42C8.tmp.45.dr, AccessKeyFidoVhid.dll.0.dr, SET44BC.tmp.48.drString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: devcon.exe, 0000002D.00000003.2310425206.0000022D74824000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000030.00000003.2291043123.00000277C3619000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000030.00000003.2288648920.00000277C357B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000031.00000003.2307974008.00000242EF2B8000.00000004.00000020.00020000.00000000.sdmp, Service.exe.0.dr, SET42C8.tmp.45.dr, AccessKeyFidoVhid.dll.0.dr, SET44BC.tmp.48.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Grpc.Core.dll.0.drString found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, 00000000.00000002.2446274237.0000000000550000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, 00000000.00000003.2445593546.000000000054D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.idmelon.com
Source: sqlite3.dll0.0.drString found in binary or memory: http://www.sqlite.org/copyright.html.
Source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Json.dll.0.drString found in binary or memory: https://aka.ms/binaryformatter
Source: System.Text.Json.dll.0.drString found in binary or memory: https://aka.ms/dotnet-warnings/
Source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Json.dll.0.drString found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: Service.exe, 00000022.00000002.4615989693.00000208B28D2000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: SocketIO.Serializer.Core.dll.0.drString found in binary or memory: https://github.com/doghappy/socket.io-client-csharp
Source: SocketIO.Serializer.Core.dll.0.drString found in binary or memory: https://github.com/doghappy/socket.io-client-csharp&
Source: Service.exe, 00000022.00000002.4618333774.00000208B35F2000.00000002.00000001.01000000.0000002A.sdmp, System.ValueTuple.dll.0.dr, System.Numerics.Vectors.dll.0.drString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: Service.exe, 00000022.00000002.4618333774.00000208B35F2000.00000002.00000001.01000000.0000002A.sdmp, System.ValueTuple.dll.0.dr, System.Numerics.Vectors.dll.0.drString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: Service.exe, 00000022.00000002.4617310364.00000208B2DE2000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958
Source: Service.exe, 00000022.00000002.4617310364.00000208B2DE2000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588
Source: Service.exe, 00000022.00000002.4615292315.00000208B2682000.00000002.00000001.01000000.0000001B.sdmp, System.Buffers.dll.0.dr, System.Threading.Tasks.Extensions.dll.0.drString found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
Source: Service.exe, 00000022.00000002.4615292315.00000208B2682000.00000002.00000001.01000000.0000001B.sdmp, Service.exe, 00000022.00000002.4615845352.00000208B2822000.00000002.00000001.01000000.0000001D.sdmp, System.Buffers.dll.0.dr, System.Threading.Tasks.Extensions.dll.0.dr, System.Runtime.CompilerServices.Unsafe.dll.0.drString found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
Source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Json.dll.0.drString found in binary or memory: https://github.com/dotnet/roslyn/issues/46646
Source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Json.dll.0.drString found in binary or memory: https://github.com/dotnet/roslyn/issues/46646~
Source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Encodings.Web.dll.0.dr, System.Text.Json.dll.0.drString found in binary or memory: https://github.com/dotnet/runtime
Source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Json.dll.0.drString found in binary or memory: https://github.com/dotnet/runtime/issues/73124.
Source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Json.dll.0.drString found in binary or memory: https://github.com/dotnet/runtime8
Source: Service.exe, 00000022.00000002.4617630505.00000208B2E52000.00000002.00000001.01000000.00000025.sdmp, Service.exe, 00000022.00000002.4618386784.00000208B3612000.00000002.00000001.01000000.0000002B.sdmp, Service.exe, 00000022.00000002.4618271478.00000208B35D2000.00000002.00000001.01000000.00000029.sdmp, SQLitePCLRaw.core.dll.0.dr, SQLitePCLRaw.batteries_v2.dll.0.drString found in binary or memory: https://github.com/ericsink/SQLitePCL.raw
Source: Service.exe, 00000022.00000002.4618386784.00000208B3612000.00000002.00000001.01000000.0000002B.sdmpString found in binary or memory: https://github.com/ericsink/SQLitePCL.rawH
Source: Service.exe, 00000022.00000002.4618271478.00000208B35D2000.00000002.00000001.01000000.00000029.sdmp, SQLitePCLRaw.core.dll.0.drString found in binary or memory: https://github.com/ericsink/SQLitePCL.rawX
Source: Service.exe, 00000022.00000002.4615232663.00000208B2632000.00000002.00000001.01000000.0000001A.sdmpString found in binary or memory: https://github.com/grpc/grpc-dotnet.git
Source: Service.exe, 00000022.00000002.4617703023.00000208B2E62000.00000002.00000001.01000000.00000026.sdmp, Grpc.Core.dll.0.drString found in binary or memory: https://github.com/grpc/grpc.git
Source: Service.exe, 00000022.00000002.4617703023.00000208B2E62000.00000002.00000001.01000000.00000026.sdmp, Grpc.Core.dll.0.drString found in binary or memory: https://github.com/grpc/grpc.git6
Source: Service.exe, 00000022.00000002.4632445211.00007FFD8EBDD000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://github.com/netty/netty/issues/6520.
Source: Service.exe, 00000022.00000002.4632445211.00007FFD8EBDD000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://github.com/netty/netty/issues/6520.s
Source: Service.exe, 00000022.00000002.4618163920.00000208B3592000.00000002.00000001.01000000.00000028.sdmpString found in binary or memory: https://github.com/praeclarum/sqlite-net.git
Source: Service.exe, 00000022.00000002.4618163920.00000208B3592000.00000002.00000001.01000000.00000028.sdmpString found in binary or memory: https://github.com/praeclarum/sqlite-net.git7
Source: Service.exe, 00000022.00000002.4617920165.00000208B2EE2000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://github.com/protocolbuffers/protobuf.git
Source: Service.exe, 00000022.00000002.4615735176.00000208B27D2000.00000002.00000001.01000000.0000001C.sdmp, RestSharp.dll.0.drString found in binary or memory: https://github.com/restsharp/RestSharp.git
Source: Service.exe, 00000022.00000002.4612407479.0000020899DB2000.00000002.00000001.01000000.00000015.sdmp, Service.exe, 00000022.00000002.4612713278.0000020899E11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://idmp.idmelon.com/v2
Source: Service.exe, 00000022.00000000.2242976539.0000020899552000.00000002.00000001.01000000.00000008.sdmp, Service.exe.0.drString found in binary or memory: https://idmp.idmelon.com/v2/Received
Source: pcProxAPI.dll0.0.drString found in binary or memory: https://sectigo.com/CPS0
Source: pcProxAPI.dll0.0.drString found in binary or memory: https://sectigo.com/CPS0D
Source: Service.exe, 00000022.00000002.4612713278.0000020899E53000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://skm.idmelon.com
Source: Service.exe, 00000022.00000002.4612713278.000002089A243000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://skm.idmelon.com/apis/access-key
Source: Service.exe, 00000022.00000002.4612407479.0000020899DB2000.00000002.00000001.01000000.00000015.sdmp, Service.exe, 00000022.00000000.2242976539.0000020899552000.00000002.00000001.01000000.00000008.sdmp, Service.exe, 00000022.00000002.4612713278.0000020899E11000.00000004.00000800.00020000.00000000.sdmp, Service.exe.0.drString found in binary or memory: https://skm.idmelon.com/apis/access-key-cli/v1
Source: Service.exe, 00000022.00000002.4612713278.0000020899E53000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://skm.idmelon.com/apis/access-key-cli/v1/apps
Source: Service.exe, 00000022.00000002.4612713278.000002089A243000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://skm.idmelon.com/apis/access-key-cli/v18
Source: Grpc.Core.dll.0.drString found in binary or memory: https://www.catcert.net/verarrel
Source: devcon.exe, 0000002D.00000003.2310425206.0000022D74824000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000030.00000003.2291043123.00000277C3619000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000030.00000003.2288648920.00000277C357B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000031.00000003.2307974008.00000242EF2B8000.00000004.00000020.00020000.00000000.sdmp, Service.exe.0.dr, SET42C8.tmp.45.dr, AccessKeyFidoVhid.dll.0.dr, SET44BC.tmp.48.drString found in binary or memory: https://www.globalsign.com/repository/0
Source: Service.exe, 00000022.00000002.4632445211.00007FFD8EBDD000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://www.googleapis.com/auth/cloud-platform
Source: Service.exe, 00000022.00000002.4632445211.00007FFD8EBDD000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://www.googleapis.com/auth/cloud-platformExternalAccountCredentials
Source: Service.exe, 00000022.00000002.4612407479.0000020899DB2000.00000002.00000001.01000000.00000015.sdmpString found in binary or memory: https://www.idmelon.com/downloads/pairing_tool/setup.exe?v=
Source: Service.exe, 00000022.00000002.4612407479.0000020899DB2000.00000002.00000001.01000000.00000015.sdmpString found in binary or memory: https://www.idmelon.com/downloads/pairing_tool/version.json
Source: Service.exe, 00000022.00000002.4615989693.00000208B28D2000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Service.exe, 00000022.00000002.4615989693.00000208B28D2000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
Source: unknownHTTPS traffic detected: 52.35.62.19:443 -> 192.168.2.6:49714 version: TLS 1.2
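The URL list above mixes three unrelated things: certificate-chain URLs (CRL, OCSP, AIA, CPS) that are present only because the dropped binaries carry Authenticode signatures, home-page and repository strings of bundled libraries (Newtonsoft.Json, gRPC, RestSharp, SQLitePCL and so on), and the endpoints that the dropped Service.exe itself talks to (the idmelon.com hosts). Trailing characters such as `crt0E`, `com0A` and `CPS0` are the DER bytes that follow the URI inside the certificate, and suffixes such as `idmelon.com9Failed` or `v18` are the next entry in the .NET string table, not part of the URL. The script below is an added example, not part of the Joe Sandbox report and not code from the IDmelon software: it sorts a handful of the lines above into those buckets, strips the DER debris, folds string-table neighbours into the URL they extend, and checks which strings-derived endpoint matches the POST the sandbox actually observed. The host lists, regexes and function names are this example's own assumptions; the sample lines are copied from the report with the source column shortened.

```python
"""Triage the 'String found in binary or memory' URLs from a Joe Sandbox report.
Added example, not part of the report. Categories and regexes are assumptions."""
import re
from urllib.parse import urlsplit

# Report lines copied from above (source column shortened). The report renders
# columns run together ("...drString found"), so the regex accepts both forms.
REPORT_LINES = [
    "Source: Grpc.Core.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E",
    "Source: Grpc.Core.dll.0.drString found in binary or memory: http://ocsp.digicert.com0",
    "Source: Grpc.Core.dll.0.drString found in binary or memory: http://ocsp.digicert.com0A",
    "Source: pcProxAPI.dll0.0.drString found in binary or memory: https://sectigo.com/CPS0D",
    "Source: Service.exe.0.drString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0",
    "Source: Service.exe.0.drString found in binary or memory: https://www.globalsign.com/repository/0",
    "Source: Service.exe.0.drString found in binary or memory: http://idmelon.com",
    "Source: Service.exe.0.drString found in binary or memory: http://idmelon.com9Failed",
    "Source: Service.exe.0.drString found in binary or memory: https://skm.idmelon.com/apis/access-key",
    "Source: Service.exe.0.drString found in binary or memory: https://skm.idmelon.com/apis/access-key-cli/v1",
    "Source: Service.exe.0.drString found in binary or memory: https://skm.idmelon.com/apis/access-key-cli/v18",
    "Source: Service.exe.0.drString found in binary or memory: https://skm.idmelon.com/apis/access-key-cli/v1/apps",
    "Source: Service.exe.0.drString found in binary or memory: https://www.idmelon.com/downloads/pairing_tool/setup.exe?v=",
    "Source: Grpc.Core.dll.0.drString found in binary or memory: https://github.com/grpc/grpc.git",
    "Source: Grpc.Core.dll.0.drString found in binary or memory: https://github.com/grpc/grpc.git6",
    "Source: RestSharp.dll.0.drString found in binary or memory: https://github.com/restsharp/RestSharp.git",
    "Source: Service.exe.0.drString found in binary or memory: https://www.googleapis.com/auth/cloud-platform",
]
# The observed request, verbatim from the report (header lines run together).
POST_LINE = ("Source: unknownHTTP traffic detected: POST /apis/access-key-cli/v1/apps HTTP/1.1"
             "Accept: application/json, text/json, text/x-json, text/javascript, application/xml, text/xml"
             "User-Agent: RestSharp/110.2.0.0Content-Type: application/jsonHost: skm.idmelon.com"
             "Content-Length: 348Expect: 100-continueAccept-Encoding: gzipConnection: Keep-Alive")

STRING_RE = re.compile(r"Source:\s*(?P<src>.+?)\s*String found in binary or memory:\s*(?P<url>\S+)")
REQUEST_RE = re.compile(r"\b(?:GET|POST|PUT|PATCH|DELETE|HEAD)\s+(?P<path>\S+)\s+HTTP/1\.[01]")
# Lowercase-only host class: it stops at the capitalised next header name when the
# headers are fused ("skm.idmelon.comContent-Length"). Assumes lowercase hostnames.
HOST_RE = re.compile(r"Host:\s*(?P<host>[a-z0-9.-]+)")
# CRL distribution points, OCSP responders, AIA issuer URLs, CPS/repository pointers.
PKI_HOST_RE = re.compile(r"^(crl\d*|ocsp|crt|cacerts|secure)\.", re.I)
PKI_PATH_RE = re.compile(r"/CPS$|/repository/?$", re.I)
# In a certificate the URI is an IA5String; the bytes after it are the next DER
# element, usually a SEQUENCE tag 0x30 ('0') plus a length byte: "crt0E", "com0A".
DER_TAIL_RE = re.compile(r"0[A-Za-z0-9#?]?$")
# Hosts that only identify bundled libraries and tooling (assumed list).
LIBRARY_HOSTS = ("github.com", "nuget.org", "newtonsoft.com", "james.newtonking.com",
                 "aka.ms", "mozilla.org", "sqlite.org", "nsis.sf.net", "nssm.cc",
                 "logging.apache.org", "schemas.xmlsoap.org", "catcert.net", "googleapis.com")


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def classify(url):
    """Return (category, url); DER debris is removed only from PKI URLs."""
    stripped = DER_TAIL_RE.sub("", url)
    if PKI_HOST_RE.match(_host(stripped)) or PKI_PATH_RE.search(urlsplit(stripped).path):
        return "pki", stripped
    if any(_host(url) == h or _host(url).endswith("." + h) for h in LIBRARY_HOSTS):
        return "library", url
    return "application", url


def _collapse(urls):
    """Fold a URL into a shorter one it extends when the extra bytes contain no '/'
    and do not open a query or fragment: those bytes are the neighbouring string-table
    entry ("idmelon.com9Failed", "v18"). Extensions such as "/v2/Received" beside "/v2"
    are kept as distinct entries for the analyst to judge."""
    kept, variants = [], {}
    for url in sorted(urls, key=len):
        base = next((k for k in kept if url.startswith(k) and url[len(k):]
                     and "/" not in url[len(k):] and url[len(k)] not in "?#"), None)
        if base is None:
            kept.append(url)
        else:
            variants.setdefault(base, []).append(url)
    return sorted(kept), {k: sorted(v) for k, v in variants.items()}


def triage(lines):
    buckets = {"pki": set(), "library": set(), "application": set()}
    for line in lines:
        m = STRING_RE.search(line)
        if m:
            cat, url = classify(m.group("url"))
            buckets[cat].add(url)
    result = {"variants": {}}
    for cat, urls in buckets.items():
        result[cat], variants = _collapse(urls)
        result["variants"].update(variants)
    return result


def contacted(endpoints, request_line, scheme="https"):
    """Strings-derived endpoints that match a request the sandbox actually saw. The
    POST above went to 52.35.62.19:443 under TLS 1.2, so the scheme is https even
    though the decrypted request is labelled 'HTTP traffic' in the report."""
    req, host = REQUEST_RE.search(request_line), HOST_RE.search(request_line)
    if not (req and host):
        return []
    target = f"{scheme}://{host.group('host')}{req.group('path')}".rstrip("/")
    return [u for u in endpoints if u.rstrip("/") == target]


if __name__ == "__main__":
    report = triage(REPORT_LINES)
    for cat in ("pki", "library", "application"):
        print(cat, *report[cat], sep="\n  ")
    print("folded variants:", report["variants"])
    print("confirmed by traffic:", contacted(report["application"], POST_LINE))
```

The application bucket is the part worth keeping as an indicator set; the PKI bucket should be dropped from any blocklist, because it is shared by every binary signed under the same DigiCert, Sectigo or GlobalSign chain and would match most of the software on a fleet.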
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Code function: 0_2_0040573B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | File created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\wudf.cat
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{2b66b655-e0ff-c54b-ab20-dac488c814f3}\SET44ED.tmp
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{2b66b655-e0ff-c54b-ab20-dac488c814f3}\wudf.cat (copy)
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | File created: C:\Users\user\AppData\Local\Temp\{0721629b-1bca-ab45-b3d8-6d54ebfa50a2}\SET42E9.tmp
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | File created: C:\Users\user\AppData\Local\Temp\{0721629b-1bca-ab45-b3d8-6d54ebfa50a2}\wudf.cat (copy)
Source: nssm.exe | Process created: 40
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Process Stats: CPU usage > 49%
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_00000001400133A0 _snwprintf_s,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Code function: 0_2_00403552 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{2b66b655-e0ff-c54b-ab20-dac488c814f3}
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\FileRepository\accesskeyfidovhid.inf_amd64_cf0f0293add529ac
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\inf\oem4.inf
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\drivers\UMDF\SET4B63.tmp
Source: C:\Windows\System32\drvinst.exe | File deleted: C:\Windows\System32\DriverStore\Temp\{2b66b655-e0ff-c54b-ab20-dac488c814f3}\SET44BC.tmp
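The process and file events above describe one chain: the NSIS installer run from the user's Desktop spawns nssm.exe (a service wrapper whose code calls CreateServiceW and DeleteService, as the code-function line shows) and devcon.exe (the Windows Driver Kit device tool), and drvinst.exe then stages the UMDF driver package into the DriverStore under accesskeyfidovhid.inf_amd64_cf0f0293add529ac and registers it as C:\Windows\inf\oem4.inf. The detection logic below is an added example, not part of the report: it correlates that chain over hand-built records in the shape of Sysmon event 1 (process creation), Sysmon event 11 (file creation) and System-log event 7045 (service installed). The records, timestamps, PIDs and the service name ExampleAccesskeySvc are constructed; the paths are the ones the report lists. One point the example encodes: drvinst.exe is started by the Plug and Play service, not by the installer, so its DriverStore writes cannot be tied to the installer through the process tree and are attributed by a time window around devcon.exe instead.

```python
"""Correlate an installer-driven service + driver install chain.
Added example, not part of the report. Events below are constructed."""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

USER_WRITABLE_RE = re.compile(r"^C:\\Users\\[^\\]+\\(Desktop|Downloads|AppData\\Local\\Temp)\\", re.I)
DRIVERSTORE_RE = re.compile(r"\\DriverStore\\FileRepository\\([^\\]+)\.inf_[a-z0-9]+_[0-9a-f]+$", re.I)
OEM_INF_RE = re.compile(r"\\Windows\\inf\\(oem\d+\.inf)$", re.I)
SERVICE_TOOLS = {"nssm.exe", "devcon.exe"}  # service wrapper and WDK device tool

# Constructed records mirroring the report's paths. "id" 1/11 follow Sysmon,
# 7045 follows the System log. PIDs, times and the service name are invented.
EVENTS = [
    {"t": "2024-07-16T10:00:00", "id": 1, "pid": 100, "ppid": 10,
     "image": r"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"},
    {"t": "2024-07-16T10:00:05", "id": 1, "pid": 104, "ppid": 100,
     "image": r"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe"},
    {"t": "2024-07-16T10:00:06", "id": 7045, "service": "ExampleAccesskeySvc",
     "image_path": r"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe"},
    {"t": "2024-07-16T10:00:20", "id": 1, "pid": 145, "ppid": 100,
     "image": r"C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe"},
    {"t": "2024-07-16T10:00:25", "id": 11, "pid": 148, "image": r"C:\Windows\System32\drvinst.exe",
     "target": r"C:\Windows\System32\DriverStore\FileRepository\accesskeyfidovhid.inf_amd64_cf0f0293add529ac"},
    {"t": "2024-07-16T10:00:26", "id": 11, "pid": 148, "image": r"C:\Windows\System32\drvinst.exe",
     "target": r"C:\Windows\inf\oem4.inf"},
    # An unrelated, earlier driver install: outside the devcon.exe window, must not be attributed.
    {"t": "2024-07-16T08:00:00", "id": 11, "pid": 60, "image": r"C:\Windows\System32\drvinst.exe",
     "target": r"C:\Windows\inf\oem3.inf"},
]


def _ts(e):
    return datetime.fromisoformat(e["t"])


def _name(path):
    return PureWindowsPath(path).name.lower()


def _parent(path):
    return str(PureWindowsPath(path).parent).lower()


def correlate(events, window=timedelta(minutes=10)):
    """Return a finding dict, or None when no installer ran from a user-writable path."""
    events = sorted(events, key=_ts)
    installer = next((e for e in events if e["id"] == 1 and USER_WRITABLE_RE.match(e["image"])), None)
    if installer is None:
        return None
    # Walk the process tree down from the installer using pid/ppid of event-1 records.
    tree, tools = {installer["pid"]}, []
    for e in events:
        if e["id"] == 1 and e.get("ppid") in tree:
            tree.add(e["pid"])
            if _name(e["image"]) in SERVICE_TOOLS:
                tools.append(e)
    tool_dirs = {_parent(e["image"]) for e in tools}
    # A new service whose ImagePath lives in the directory of a tool the installer
    # spawned: nssm registers itself as the service binary and runs the real payload.
    services = [(e["service"], e["image_path"]) for e in events
                if e["id"] == 7045 and _parent(e["image_path"]) in tool_dirs]
    # drvinst.exe runs under the Plug and Play service, so its writes are tied to
    # devcon.exe by time, not by lineage.
    starts = [_ts(e) for e in tools if _name(e["image"]) == "devcon.exe"]
    packages, oem_infs = set(), set()
    for e in events:
        if e["id"] != 11 or _name(e["image"]) != "drvinst.exe":
            continue
        if not any(s <= _ts(e) <= s + window for s in starts):
            continue
        m = DRIVERSTORE_RE.search(e["target"])
        if m:
            packages.add(m.group(1).lower())
        m = OEM_INF_RE.search(e["target"])
        if m:
            oem_infs.add(m.group(1).lower())
    return {"installer": installer["image"],
            "tools": sorted({_name(e["image"]) for e in tools}),
            "services": services,
            "driver_packages": sorted(packages),
            "oem_infs": sorted(oem_infs)}


if __name__ == "__main__":
    print(correlate(EVENTS))
```

The window makes this a triage lead rather than a verdict: any driver installed in the same ten minutes would be attributed too. The follow-up on a real host is to check the Authenticode signature of the staged package (the dropped AccessKeyFidoVhid.dll and Service.exe carry GlobalSign EV code-signing chain URLs in the strings above, which is consistent with signed binaries but is not itself a verification) and to read what the nssm-wrapped service actually launches.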
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Code function: 0_2_00406DE6
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Code function: 0_2_004075BD
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_000000014000D2D0
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140023864
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140010470
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_00000001400070A0
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140019CB4
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_00000001400030D0
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_000000014000F500
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140013D10
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140005D20
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_000000014000DD40
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140012550
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140022D60
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_000000014001CDD4
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140012E00
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140008E20
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140020A2C
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_000000014000EE50
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140021B40
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140002B50
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_000000014001ABAC
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_000000014001DBB8
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E25DC60
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2C7D20
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E291BF0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E28A3C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1D83B0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2420F0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1CC0E0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1F0ED0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1D7EB0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E284F00
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E26DEF0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E255EF0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E238F90
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E206F70
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2D0F60
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1C2FB0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2CDFF0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E27B050
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2B5050
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E214CC0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E20BD00
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E21ACE0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E279DD0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E262DB0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E27DDE0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2D3DE0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2DAE50
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E234E30
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E264A90
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E243A80
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E251A60
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E254AA0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1D2B01
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E22EB00
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E23FB50
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E201B80
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1C8B80
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1FABA0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1E4BA0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E208C00
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1FEC10
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2CEC00
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1FFC40
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1DBC20
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe |Code function: 34_2_00007FFD8E1F6880
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E22F860
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2118C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2D58B0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2C1910
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2268F0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E28A920
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1D4980
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E23B980
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1D09C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2D09B0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2879E0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E227A20
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E256A20
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2B4680
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E21B6D0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1C06C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E22A6C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1D271E
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E260780
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1FC770
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E21F7C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E203840
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1F2480
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E21D480
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E219460
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E26F460
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2724D0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1E9500
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E1F050F
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2054F0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E218530
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E236520
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E1E057034_2_00007FFD8E1E0570
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E1D65C034_2_00007FFD8E1D65C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E1E35D034_2_00007FFD8E1E35D0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E1EA5E034_2_00007FFD8E1EA5E0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E26126034_2_00007FFD8E261260
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E2502F034_2_00007FFD8E2502F0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E2B934034_2_00007FFD8E2B9340
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E1B335034_2_00007FFD8E1B3350
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E22733034_2_00007FFD8E227330
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E23432034_2_00007FFD8E234320
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E1D536034_2_00007FFD8E1D5360
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E2293C034_2_00007FFD8E2293C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E20F3C034_2_00007FFD8E20F3C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E26D3A034_2_00007FFD8E26D3A0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E1F73B034_2_00007FFD8E1F73B0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E1C63F034_2_00007FFD8E1C63F0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E1F645034_2_00007FFD8E1F6450
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E1ED08034_2_00007FFD8E1ED080
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E2C708034_2_00007FFD8E2C7080
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E1D70C034_2_00007FFD8E1D70C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E23F0A034_2_00007FFD8E23F0A0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E2160A034_2_00007FFD8E2160A0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E25B0A034_2_00007FFD8E25B0A0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E2920F034_2_00007FFD8E2920F0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E20C0E034_2_00007FFD8E20C0E0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E2CD1A034_2_00007FFD8E2CD1A0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E21A21034_2_00007FFD8E21A210
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E20A25034_2_00007FFD8E20A250
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E27724034_2_00007FFD8E277240
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exeCode function: 41_2_00007FF7DF231A2041_2_00007FF7DF231A20
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exeCode function: 41_2_00007FF7DF23418041_2_00007FF7DF234180
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exeCode function: 41_2_00007FF7DF235C8041_2_00007FF7DF235C80
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exeCode function: 41_2_00007FF7DF232A0441_2_00007FF7DF232A04
Source: C:\Windows\System32\WUDFHost.exeCode function: 52_2_00007FFDA549103C52_2_00007FFDA549103C
Source: C:\Windows\System32\WUDFHost.exeCode function: 52_2_00007FFDA54927CC52_2_00007FFDA54927CC
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe Process token adjusted: Load Driver
Source: C:\Windows\System32\svchost.exe Process token adjusted: Security
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe Code function: String function: 00007FFD8E1C61E0 appears 105 times
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe Code function: String function: 00007FFD8E267070 appears 87 times
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe Code function: String function: 00007FFD8E28F040 appears 34 times
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe Code function: String function: 00007FFD8E1D5660 appears 253 times
Source: C:\Windows\System32\WUDFHost.exe Code function: String function: 00007FFDA5491768 appears 42 times
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Static PE information: invalid certificate
Source: unknown Driver loaded: C:\Windows\System32\drivers\WUDFRd.sys
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: AccesskeyCli.exe.0.dr, Constants.cs Base64 encoded string: 'ICBfX18gX19fXyAgICAgICAgICAgICAgICAgXyAgICAgICAgICAgICAgICAgIF8gICAgICAgICAgICAgICAgICAgICAgICAgXyAgICAgICAgICAgICAgCiB8XyBffCAgXyBcIF8gX18gX19fICAgX19ffCB8IF9fXyAgXyBfXyAgICAgIC8gXCAgIF9fXyBfX18gX19fICBfX18gX19ffCB8IF9fX19fIF8gICBfIAogIHwgfHwgfCB8IHwgJ18gYCBfIFwgLyBfIFwgfC8gXyBcfCAnXyBcICAgIC8gXyBcIC8gX18vIF9fLyBfIFwvIF9fLyBfX3wgfC8gLyBfIFwgfCB8IHwKICB8IHx8IHxffCB8IHwgfCB8IHwgfCAgX18vIHwgKF8pIHwgfCB8IHwgIC8gX19fIFwgKF98IChffCAgX18vXF9fIFxfXyBcICAgPCAgX18vIHxffCB8CiB8X19ffF9fX18vfF98IHxffCB8X3xcX19ffF98XF9fXy98X3wgfF98IC9fLyAgIFxfXF9fX1xfX19cX19ffHxfX18vX19fL198XF9cX19ffFxfXywgfAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8X19fLyA='
Source: classification engine Classification label: mal60.evad.winEXE@98/120@1/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Code function: 0_2_00403552 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403552
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Code function: 4_2_000000014000A810 GetCurrentThread,OpenThreadToken,GetLastError,ImpersonateSelf,GetCurrentThread,OpenThreadToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle,4_2_000000014000A810
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe Code function: 41_2_00007FF7DF2311C4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,InitiateSystemShutdownExW,41_2_00007FF7DF2311C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Code function: 0_2_004049E7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004049E7
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Code function: _snwprintf_s,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,4_2_00000001400133A0
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Code function: 4_2_000000014000ACB0 CreateToolhelp32Snapshot,GetLastError,GetLastError,CloseHandle,PostThreadMessageW,Thread32Next,PostThreadMessageW,Thread32Next,GetLastError,GetLastError,CloseHandle,4_2_000000014000ACB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Code function: 0_2_004021CF CoCreateInstance,0_2_004021CF
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Code function: 4_2_0000000140002840 GetUserDefaultLangID,FindResourceExW,GetLastError,FindResourceExW,LoadResource,CreateDialogIndirectParamW,4_2_0000000140002840
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Code function: 4_2_0000000140012160 _snwprintf_s,GetProcessHeap,HeapAlloc,ChangeServiceConfigW,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetLastError,4_2_0000000140012160
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Code function: 4_2_000000014000A2E0 _snwprintf_s,PathQuoteSpacesW,GetModuleFileNameW,GetModuleFileNameW,PathQuoteSpacesW,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError,4_2_000000014000A2E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDmelon
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3632:120:WilError_03
Source: C:\Windows\System32\drvinst.exe Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2524:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2988:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:964:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2784:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1628:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4156:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7004:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2100:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2632:120:WilError_03
Source: C:\Windows\System32\WUDFHost.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1924:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3804:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5764:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5172:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4868:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4160:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3940:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Users\user\AppData\Local\Temp\nsiA72.tmp
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sqlite3.dll0.0.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: sqlite3.dll0.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Service.exe, 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp, e_sqlite3.dll.0.dr, e_sqlite3.dll0.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: sqlite3.dll0.0.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: sqlite3.dll0.0.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: Service.exe, Service.exe, 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp, sqlite3.dll0.0.dr, e_sqlite3.dll.0.dr, e_sqlite3.dll0.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Service.exe, Service.exe, 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp, sqlite3.dll0.0.dr, e_sqlite3.dll.0.dr, e_sqlite3.dll0.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Service.exe, Service.exe, 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp, sqlite3.dll0.0.dr, e_sqlite3.dll.0.dr, e_sqlite3.dll0.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sqlite3.dll0.0.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: sqlite3.dll0.0.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Service.exe, Service.exe, 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp, e_sqlite3.dll.0.dr, e_sqlite3.dll0.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Service.exe, Service.exe, 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp, sqlite3.dll0.0.dr, e_sqlite3.dll.0.dr, e_sqlite3.dll0.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: sqlite3.dll0.0.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Service.exe, Service.exe, 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp, e_sqlite3.dll.0.dr, e_sqlite3.dll0.0.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: sqlite3.dll0.0.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: sqlite3.dll0.0.dr Binary or memory string: CREATE TABLE xx( name STRING, /* Name of table or index */ path INTEGER, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype STRING, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe ReversingLabs: Detection: 15%
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Virustotal: Detection: 6%
Source: devcon.exe String found in binary or memory: positioned on the newly-added filter. ! Deletes the next occurrence of the specified filter. When the subcommand
Source: devcon.exe String found in binary or memory: ng of the list. When the subcommand completes, the cursor is positioned on the newly-added filter. + Add after
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Windows\SysWOW64\setx.exe setx /M IDmelonMode access-key
Source: C:\Windows\SysWOW64\setx.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyService "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Application "C:\Program Files (x86)\IDmelon\Accesskey"\Service.exe
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Description "Coordinates the communications for using IDmelon solution as a roaming authenticator"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdoutCreationDisposition 4
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderrCreationDisposition 4
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateFiles 1
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateOnline 0
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateSeconds 14400
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateBytes 5000000
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Start SERVICE_AUTO_START
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" restart AccesskeyService
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe"
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe Process created: C:\Windows\System32\dsregcmd.exe "C:\Windows\System32\dsregcmd.exe" /status
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" status AccesskeyService
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" start AccesskeyService
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccesskeyHid
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccessKeyFidoVhid
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" install "C:\Program Files (x86)\IDmelon\Accesskey\driver\accesskeyfidovhid.inf" root\AccessKeyFidoVhid
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{0721629b-1bca-ab45-b3d8-6d54ebfa50a2}\accesskeyfidovhid.inf" "9" "4196477d7" "000000000000015C" "WinSta0\Default" "0000000000000164" "208" "c:\program files (x86)\idmelon\accesskey\driver"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:50ab71fe221ae399:AccessKeyFidoVhid:21.4.53.488:root\accesskeyfidovhid," "4196477d7" "000000000000017C"
Source: unknown Process created: C:\Windows\System32\WUDFHost.exe "C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-97f4f2de-0b6d-4708-9672-29cbfafe41c2 -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-ed4957c4-0381-42c5-b015-dd634ba9f208 -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-6f2c6ea5-0b65-4a5a-8a6d-a02cb8e867d5 -NonStateChangingEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-d0cce0e5-6853-4eca-8ea9-ec55e74c196f -LifetimeId:46a3174a-9ab4-4718-a9ea-f0f3d3c57b11 -DeviceGroupId:WudfDefaultDevicePool -HostArg:0
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "1" "0" "HID\HIDCLASS\1&2d595ca7&0&0000" "" "" "4eeb73e57" "0000000000000000"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyReaderService "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService Application "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\service_logs.log"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Windows\SysWOW64\setx.exe setx /M IDmelonMode access-key
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyService "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Application "C:\Program Files (x86)\IDmelon\Accesskey"\Service.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Description "Coordinates the communications for using IDmelon solution as a roaming authenticator"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdoutCreationDisposition 4Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderrCreationDisposition 4Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateFiles 1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateOnline 0Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateSeconds 14400Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateBytes 5000000Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Start SERVICE_AUTO_STARTJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" status AccesskeyServiceJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" start AccesskeyServiceJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccesskeyHidJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Start SERVICE_AUTO_STARTJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" install "C:\Program Files (x86)\IDmelon\Accesskey\driver\accesskeyfidovhid.inf" root\AccessKeyFidoVhidJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService Application "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" status AccesskeyServiceJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exeProcess created: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe" Jump to behavior
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeProcess created: C:\Windows\System32\dsregcmd.exe "C:\Windows\System32\dsregcmd.exe" /status
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{0721629b-1bca-ab45-b3d8-6d54ebfa50a2}\accesskeyfidovhid.inf" "9" "4196477d7" "000000000000015C" "WinSta0\Default" "0000000000000164" "208" "c:\program files (x86)\idmelon\accesskey\driver"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:50ab71fe221ae399:AccessKeyFidoVhid:21.4.53.488:root\accesskeyfidovhid," "4196477d7" "000000000000017C"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\drvinst.exe DrvInst.exe "1" "0" "HID\HIDCLASS\1&2d595ca7&0&0000" "" "" "4eeb73e57" "0000000000000000"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\setx.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: ncryptprov.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: winnsi.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: rasman.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: rtutils.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: secur32.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: schannel.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: cryptngc.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\dsregcmd.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Section loaded: devobj.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Section loaded: devobj.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Section loaded: devrtl.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Section loaded: spinf.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Section loaded: drvstore.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Section loaded: devobj.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Section loaded: newdev.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Section loaded: cabinet.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpnpmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\WUDFHost.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\WUDFHost.exe | Section loaded: wudfplatform.dll
Source: C:\Windows\System32\WUDFHost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WUDFHost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WUDFHost.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\WUDFHost.exe | Section loaded: wudfx02000.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe | Section loaded: devobj.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | File written: C:\Users\user\AppData\Local\Temp\nstB00.tmp\ioSpecial.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Static file information: File size 32784232 > 1048576
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/src/Grpc.Core.Api/obj/Release/net462/Grpc.Core.Api.pdbSHA256 source: Service.exe, 00000022.00000002.4615232663.00000208B2632000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: Service.exe, 00000022.00000002.4618271478.00000208B35D2000.00000002.00000001.01000000.00000029.sdmp, SQLitePCLRaw.core.dll.0.dr
Source: Binary string: /_/csharp/src/Google.Protobuf/obj/Release/net45/Google.Protobuf.pdbSHA256 source: Service.exe, 00000022.00000002.4617920165.00000208B2EE2000.00000002.00000001.01000000.00000027.sdmp
Source: Binary string: /_/artifacts/obj/System.Text.Encodings.Web/Release/net462/System.Text.Encodings.Web.pdbSHA256 source: System.Text.Encodings.Web.dll.0.dr
Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: Service.exe, 00000022.00000002.4618386784.00000208B3612000.00000002.00000001.01000000.0000002B.sdmp
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\GrpcClients\obj\Release\GrpcClients.pdb source: GrpcClients.dll.0.dr
Source: Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.ValueTuple/net47\System.ValueTuple.pdb62P2 B2_CorDllMainmscoree.dll source: Service.exe, 00000022.00000002.4618333774.00000208B35F2000.00000002.00000001.01000000.0000002A.sdmp, System.ValueTuple.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\IDmelonVirtualHidAPI\obj\Release\IDmelonVirtualHidAPI.pdb source: Service.exe, 00000022.00000002.4612253177.0000020899DA2000.00000002.00000001.01000000.00000014.sdmp, IDmelonVirtualHidAPI.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\ServerApi\obj\Release\ServerApi.pdb source: Service.exe, 00000022.00000002.4612407479.0000020899DB2000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: /_/src/DeviceId/obj/Release/net40/DeviceId.pdbSHA256 source: Service.exe, 00000022.00000002.4612627519.0000020899DF2000.00000002.00000001.01000000.00000018.sdmp, DeviceId.dll.0.dr
Source: Binary string: T:\altsrc\github\grpc\workspace_csharp_ext_windows_x64\cmake\build\x64\grpc_csharp_ext.pdb source: Service.exe, 00000022.00000002.4632445211.00007FFD8ED5A000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\DB\obj\Release\DB.pdbg_ source: Service.exe, 00000022.00000002.4617484536.00000208B2E22000.00000002.00000001.01000000.00000023.sdmp, DB.dll.0.dr
Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdbSHA256 source: Service.exe, 00000022.00000002.4617630505.00000208B2E52000.00000002.00000001.01000000.00000025.sdmp, SQLitePCLRaw.batteries_v2.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\DB\obj\Release\DB.pdb source: Service.exe, 00000022.00000002.4617484536.00000208B2E22000.00000002.00000001.01000000.00000023.sdmp, DB.dll.0.dr
Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: System.Buffers.dll.0.dr
Source: Binary string: /var/local/git/grpc/src/csharp/Grpc.Core/obj/Release/net45/Grpc.Core.pdbSHA256n source: Service.exe, 00000022.00000002.4617703023.00000208B2E62000.00000002.00000001.01000000.00000026.sdmp, Grpc.Core.dll.0.dr
Source: Binary string: C:\Users\Jafar\source\repos\EllipticCurve\EllipticCurve\obj\Release\EllipticCurve.pdb source: EllipticCurve.dll.0.dr
Source: Binary string: /var/local/git/grpc/src/csharp/Grpc.Core/obj/Release/net45/Grpc.Core.pdb source: Service.exe, 00000022.00000002.4617703023.00000208B2E62000.00000002.00000001.01000000.00000026.sdmp, Grpc.Core.dll.0.dr
Source: Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Numerics.Vectors/net46\System.Numerics.Vectors.pdb source: System.Numerics.Vectors.dll.0.dr
Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: Service.exe, 00000022.00000002.4615292315.00000208B2682000.00000002.00000001.01000000.0000001B.sdmp, System.Threading.Tasks.Extensions.dll.0.dr
Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdbSHA256N source: Service.exe, 00000022.00000002.4618386784.00000208B3612000.00000002.00000001.01000000.0000002B.sdmp
Source: Binary string: C:\Users\Jafar\source\repos\EllipticCurve\EllipticCurve\obj\Release\EllipticCurve.pdb~y source: EllipticCurve.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\GrpcProtoCompiler\obj\Release\TagReaderGRPC.pdb source: Service.exe, 00000022.00000002.4612565205.0000020899DD2000.00000002.00000001.01000000.00000017.sdmp, TagReaderGRPC.dll.0.dr
Source: Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v142\plain\arm\e_sqlite3.pdb source: e_sqlite3.dll.0.dr
Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: Service.exe, 00000022.00000002.4617310364.00000208B2DE2000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: c:\dev\sqlite\core\sqlite3.pdb source: sqlite3.dll0.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: Service.exe, 00000022.00000002.4615989693.00000208B28D2000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: /home/vsts/work/1/s/src/SocketIO.Serializer.Core/obj/Release/netstandard2.0/SocketIO.Serializer.Core.pdbSHA256w#NtW source: SocketIO.Serializer.Core.dll.0.dr
Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdb source: Service.exe, 00000022.00000002.4617630505.00000208B2E52000.00000002.00000001.01000000.00000025.sdmp, SQLitePCLRaw.batteries_v2.dll.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: Service.exe, 00000022.00000002.4615989693.00000208B28D2000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\Suprema\obj\Release\Suprema.pdb source: Service.exe, 00000022.00000002.4617402283.00000208B2E12000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\Logger\obj\Release\Logger.pdb source: Service.exe, 00000022.00000002.4612186527.0000020899D72000.00000002.00000001.01000000.00000013.sdmp, Logger.dll.0.dr
Source: Binary string: C:\Program Files (x86)\Jenkins\workspace\pcProxAPI-sdk-release-bot\pcProxAPI\runtime\win\x64\Release\USBWejAPI.pdb source: pcProxAPI.dll0.0.dr
Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256CM source: Service.exe, 00000022.00000002.4618271478.00000208B35D2000.00000002.00000001.01000000.00000029.sdmp, SQLitePCLRaw.core.dll.0.dr
Source: Binary string: /home/runner/work/RestSharp/RestSharp/src/RestSharp/obj/Release/net471/RestSharp.pdbSHA256 source: Service.exe, 00000022.00000002.4615735176.00000208B27D2000.00000002.00000001.01000000.0000001C.sdmp, RestSharp.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\Service\obj\Release\Service.pdb source: Service.exe, 00000022.00000000.2242976539.0000020899552000.00000002.00000001.01000000.00000008.sdmp, Service.exe.0.dr
Source: Binary string: /_/csharp/src/Google.Protobuf/obj/Release/net45/Google.Protobuf.pdb source: Service.exe, 00000022.00000002.4617920165.00000208B2EE2000.00000002.00000001.01000000.00000027.sdmp
Source: Binary string: /home/runner/work/RestSharp/RestSharp/src/RestSharp/obj/Release/net471/RestSharp.pdb source: Service.exe, 00000022.00000002.4615735176.00000208B27D2000.00000002.00000001.01000000.0000001C.sdmp, RestSharp.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\Fido\obj\Release\Fido.pdb source: Service.exe, 00000022.00000002.4615894664.00000208B28A2000.00000002.00000001.01000000.0000001E.sdmp, Fido.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\BioKey\obj\Release\BioKey.pdb source: Service.exe, 00000022.00000002.4617542668.00000208B2E32000.00000002.00000001.01000000.00000024.sdmp, BioKey.dll.0.dr
Source: Binary string: C:\projects\websocket-sharp\websocket-sharp\obj\Release\net45\websocket-sharp.pdb source: websocket-sharp.dll.0.dr
Source: Binary string: devcon.pdb source: devcon.exe, 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 00000029.00000000.2266613773.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002B.00000000.2269070923.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002B.00000002.2270785966.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002D.00000002.2312651685.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002D.00000000.2271554771.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe.0.dr
Source: Binary string: /home/vsts/work/1/s/src/SocketIO.Serializer.Core/obj/Release/netstandard2.0/SocketIO.Serializer.Core.pdb source: SocketIO.Serializer.Core.dll.0.dr
Source: Binary string: /_/src/Grpc.Core.Api/obj/Release/net462/Grpc.Core.Api.pdb source: Service.exe, 00000022.00000002.4615232663.00000208B2632000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: devcon.pdbGCTL source: devcon.exe, 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 00000029.00000000.2266613773.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002B.00000000.2269070923.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002B.00000002.2270785966.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002D.00000002.2312651685.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002D.00000000.2271554771.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe.0.dr
Source: Binary string: C:\projects\websocket-sharp\websocket-sharp\obj\Release\net45\websocket-sharp.pdb* source: websocket-sharp.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\Encryption\obj\Release\Encryption.pdb source: Service.exe, 00000022.00000002.4612503866.0000020899DC2000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\GrpcClients\obj\Release\GrpcClients.pdbAF[F MF_CorDllMainmscoree.dll source: GrpcClients.dll.0.dr
Source: Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v142\plain\x64\e_sqlite3.pdb source: Service.exe, 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp, e_sqlite3.dll0.0.dr
Source: Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdb source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Json.dll.0.dr
Source: Binary string: /_/src/DeviceId/obj/Release/net40/DeviceId.pdb source: Service.exe, 00000022.00000002.4612627519.0000020899DF2000.00000002.00000001.01000000.00000018.sdmp, DeviceId.dll.0.dr
Source: Binary string: /_/artifacts/obj/System.Text.Encodings.Web/Release/net462/System.Text.Encodings.Web.pdb source: System.Text.Encodings.Web.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\WindowsDriverDevelopment\virtual_hid_fido\driver\umdf2\AccessKey\x64\Release\AccessKeyFidoVhid.pdb source: drvinst.exe, 00000030.00000003.2291043123.00000277C3619000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000030.00000003.2288648920.00000277C357B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000031.00000003.2307974008.00000242EF2B8000.00000004.00000020.00020000.00000000.sdmp, WUDFHost.exe, 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp, SET42C8.tmp.45.dr, AccessKeyFidoVhid.dll.0.dr, SET44BC.tmp.48.dr
Source: Binary string: C:\Users\Amini\Downloads\WpfToggleSwitchs\WpfToggleSwitch\CSharp\CSharpControls.Wpf\obj\Release\CSharpControls.Wpf.pdb source: CSharpControls.Wpf.dll.0.dr
Source: Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.ValueTuple/net47\System.ValueTuple.pdb source: Service.exe, 00000022.00000002.4618333774.00000208B35F2000.00000002.00000001.01000000.0000002A.sdmp, System.ValueTuple.dll.0.dr
Source: Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdbSHA256 source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Json.dll.0.dr
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\Suprema\obj\Release\Suprema.pdbqI source: Service.exe, 00000022.00000002.4617402283.00000208B2E12000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: C:\Users\Public\Documents\Work\accesskey\src\BioKey\obj\Release\BioKey.pdbo source: Service.exe, 00000022.00000002.4617542668.00000208B2E32000.00000002.00000001.01000000.00000024.sdmp, BioKey.dll.0.dr

Data Obfuscation

Source: CBOR.dll.0.dr, PropertyMap.cs .Net Code: TypeToObject
Source: BioKey.dll.0.dr Static PE information: 0xC929BB55 [Fri Dec 11 23:35:49 2076 UTC]
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Code function: 4_2_0000000140023A88 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,4_2_0000000140023A88
Source: accesskey-reader-service.exe.0.dr Static PE information: section name: _RDATA
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Code function: 4_2_00000001400055DB push rcx; iretd 4_2_00000001400055DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\Fido.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Users\user\AppData\Local\Temp\nstB00.tmp\EnVar.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Users\user\AppData\Local\Temp\nstB00.tmp\nsExec.dll
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{2b66b655-e0ff-c54b-ab20-dac488c814f3}\AccessKeyFidoVhid.dll (copy)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\CBOR.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\EllipticCurve.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\ServerApi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\grpc_csharp_ext.x86.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Users\user\AppData\Local\Temp\nstB00.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\DB.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\Logger.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\URIUtility.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\System.Buffers.dll
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\drivers\UMDF\AccessKeyFidoVhid.dll (copy)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.core.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\Encryption.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\System.ValueTuple.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\x64\sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\System.Threading.Tasks.Extensions.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\System.Text.Encodings.Web.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\RestSharp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\x86\sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-x86\native\e_sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\SQLite-net.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\pcprox\lib\pcproxapi\64\pcProxAPI.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.batteries_v2.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\AccessKeyFidoVhid.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\Suprema.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\System.Text.Json.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\WebKeyLocalServiceDotNetx64.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\GrpcClients.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Serializer.SystemTextJson.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\uninstall.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Serializer.Core.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\websocket-sharp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\pcprox\lib\pcproxapi\32\pcProxAPI.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\IDmelonVirtualHidAPI.dll
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\drivers\UMDF\SET4B63.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\grpc_csharp_ext.x64.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\Newtonsoft.Json.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\System.Numerics.Vectors.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe File created: C:\Users\user\AppData\Local\Temp\{0721629b-1bca-ab45-b3d8-6d54ebfa50a2}\SET42C8.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\AccesskeyCli.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\BioMini.UFScanner.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\FontAwesome.WPF.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-arm\native\e_sqlite3.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe File created: C:\Users\user\AppData\Local\Temp\{0721629b-1bca-ab45-b3d8-6d54ebfa50a2}\AccessKeyFidoVhid.dll (copy)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Users\user\AppData\Local\Temp\nstB00.tmp\InstallOptions.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\TagReaderGRPC.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\BioMini.UFMatcher.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.Api.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\Google.Protobuf.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\CommandLine.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\SocketIOClient.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\Microsoft.Bcl.AsyncInterfaces.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\System.Memory.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\WpfAnimatedGif.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\log4net.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\CSharpControls.Wpf.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\Numbers.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Core.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-x64\native\e_sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\DeviceId.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\BioKey.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.provider.dynamic_cdecl.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\NSSM
Source: C:\Windows\System32\drvinst.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WUDFRd
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDmelon
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDmelon\Accesskey.lnk
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDmelon\Uninstall Accesskey.lnk
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDmelon\Accesskey Website.lnk
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe Code function: 4_2_000000014000A2E0 _snwprintf_s,PathQuoteSpacesW,GetModuleFileNameW,GetModuleFileNameW,PathQuoteSpacesW,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError,4_2_000000014000A2E0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\setx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WUDFHost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeMemory allocated: 20899990000 memory reserve | memory write watch
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeMemory allocated: 208B1E10000 memory reserve | memory write watch
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E22B9FA str word ptr [rax-75h]34_2_00007FFD8E22B9FA
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exeCode function: OpenServiceW,GetServiceDisplayNameW,GetServiceKeyNameW,GetLastError,GetLastError,EnumServicesStatusExW,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusExW,GetLastError,GetProcessHeap,HeapFree,GetLastError,_snwprintf_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,4_2_000000014000EE50
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exeCode function: EnumServicesStatusExW,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusExW,GetLastError,_snwprintf_s,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,4_2_0000000140011A80
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exeCode function: 41_2_00007FF7DF2315E8 GetLastError,SetupDiGetDeviceRegistryPropertyW,41_2_00007FF7DF2315E8
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeThread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeThread delayed: delay time: 268435455
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeWindow / User API: threadDelayed 3120
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeWindow / User API: threadDelayed 6685
Source: C:\Windows\System32\conhost.exeWindow / User API: threadDelayed 473
Source: C:\Windows\System32\WUDFHost.exeWindow / User API: threadDelayed 570
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstB00.tmp\EnVar.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Fido.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstB00.tmp\nsExec.dll
Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2b66b655-e0ff-c54b-ab20-dac488c814f3}\AccessKeyFidoVhid.dll (copy)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\CBOR.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\EllipticCurve.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\ServerApi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\grpc_csharp_ext.x86.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstB00.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\DB.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Logger.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\URIUtility.dll
Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\drivers\UMDF\AccessKeyFidoVhid.dll (copy)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\System.Buffers.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.core.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\System.ValueTuple.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\x64\sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Encryption.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\System.Threading.Tasks.Extensions.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\System.Text.Encodings.Web.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\RestSharp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\x86\sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-x86\native\e_sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\SQLite-net.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\pcprox\lib\pcproxapi\64\pcProxAPI.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.batteries_v2.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Driver\AccessKeyFidoVhid.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Suprema.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\System.Text.Json.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\WebKeyLocalServiceDotNetx64.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\GrpcClients.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Serializer.SystemTextJson.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\uninstall.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Serializer.Core.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\websocket-sharp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\pcprox\lib\pcproxapi\32\pcProxAPI.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\IDmelonVirtualHidAPI.dll
Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\drivers\UMDF\SET4B63.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\grpc_csharp_ext.x64.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Newtonsoft.Json.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\System.Numerics.Vectors.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{0721629b-1bca-ab45-b3d8-6d54ebfa50a2}\SET42C8.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\AccesskeyCli.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\BioMini.UFScanner.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\FontAwesome.WPF.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-arm\native\e_sqlite3.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{0721629b-1bca-ab45-b3d8-6d54ebfa50a2}\AccessKeyFidoVhid.dll (copy)
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\TagReaderGRPC.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstB00.tmp\InstallOptions.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\BioMini.UFMatcher.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.Api.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Google.Protobuf.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\CommandLine.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\SocketIOClient.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Microsoft.Bcl.AsyncInterfaces.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\System.Memory.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\WpfAnimatedGif.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\log4net.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\CSharpControls.Wpf.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Numbers.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-x64\native\e_sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Core.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\DeviceId.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\BioKey.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeDropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.provider.dynamic_cdecl.dll
Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{2b66b655-e0ff-c54b-ab20-dac488c814f3}\SET44BC.tmp
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_4-14909
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exeAPI coverage: 4.3 %
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exeAPI coverage: 7.3 %
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe TID: 4868Thread sleep count: 36 > 30
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe TID: 4868Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe TID: 4868Thread sleep time: -268435455s >= -30000s
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe TID: 6556Thread sleep count: 3120 > 30
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe TID: 6556Thread sleep count: 6685 > 30
Source: C:\Windows\System32\WUDFHost.exe TID: 5432Thread sleep count: 570 > 30
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\WUDFHost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeCode function: 0_2_004068D4 FindFirstFileW,FindClose,0_2_004068D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeCode function: 0_2_00405C83 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C83
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeCode function: 0_2_00402930 FindFirstFileW,0_2_00402930
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exeCode function: 41_2_00007FF7DF2369C0 GetWindowsDirectoryW,FindFirstFileW,FindNextFileW,FindClose,41_2_00007FF7DF2369C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exeCode function: 34_2_00007FFD8E2C35E0 GetSystemInfo,34_2_00007FFD8E2C35E0
Source: setupapi.dev.log.45.drBinary or memory string: set: BIOS Vendor: VMware, Inc.
Source: setupapi.dev.log.45.drBinary or memory string: sig: Key = vmci.inf
Source: setupapi.dev.log.45.drBinary or memory string: dvs: {Driver Setup Import Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.178
Source: setupapi.dev.log.45.drBinary or memory string: idb: Activating driver package 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.45.drBinary or memory string: cpy: Published 'vmci.inf_amd64_68ed49469341f563\vmci.inf' to 'oem2.inf'.
Source: setupapi.dev.log.45.drBinary or memory string: inf: {Add Service: vmci}
Source: setupapi.dev.log.45.drBinary or memory string: inf: Created new service 'vmci'.
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exeBinary or memory string: qeMuI
Source: setupapi.dev.log.45.drBinary or memory string: inf: Display Name = VMware VMCI Bus Driver
Source: setupapi.dev.log.45.drBinary or memory string: set: PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3F -> Configured [oem2.inf:PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD,vmci.install.x64.NT] and started (ConfigFlags = 0x00000000).
Source: setupapi.dev.log.45.drBinary or memory string: inf: Service Name = vmci
Source: setupapi.dev.log.45.drBinary or memory string: set: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000 -> Configured [disk.inf:GenDisk,disk_install.NT] and started (ConfigFlags = 0x00000000).
Source: setupapi.dev.log.45.drBinary or memory string: idb: {Publish Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: setupapi.dev.log.45.drBinary or memory string: idb: Indexed 4 device IDs for 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.45.drBinary or memory string: utl: Driver INF - oem2.inf (C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf)
Source: setupapi.dev.log.45.drBinary or memory string: set: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000 -> Configured [cdrom.inf:GenCdRom,cdrom_install] and started (ConfigFlags = 0x00000000).
Source: setupapi.dev.log.45.drBinary or memory string: set: System Product Name: VMware20,1
Source: setupapi.dev.log.45.drBinary or memory string: sto: {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf}
Source: Grpc.Core.dll.0.drBinary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd
Source: Service.exe, 00000022.00000002.4615405150.00000208B274E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: setupapi.dev.log.45.drBinary or memory string: sto: {Stage Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.634
Source: setupapi.dev.log.45.drBinary or memory string: sig: Installed catalog 'vmci.cat' as 'oem2.cat'.
Source: setupapi.dev.log.45.drBinary or memory string: cpy: Target Path = C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563
Source: setupapi.dev.log.45.drBinary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.inf' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf'.
Source: setupapi.dev.log.45.drBinary or memory string: sig: FilePath = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf
Source: setupapi.dev.log.45.drBinary or memory string: inf: {Configure Driver Configuration: vmci.install.x64.NT}
Source: setupapi.dev.log.45.dr | Binary or memory string: idb: Created driver package object 'vmci.inf_amd64_68ed49469341f563' in SYSTEM database node.
Source: setupapi.dev.log.45.dr | Binary or memory string: inf: Image Path = System32\drivers\vmci.sys
Source: setupapi.dev.log.45.dr | Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.cat' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat'.
Source: dsregcmd.exe, 00000024.00000003.2255349021.000001E80AD86000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
Source: setupapi.dev.log.45.dr | Binary or memory string: sig: Catalog = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat
Source: setupapi.dev.log.45.dr | Binary or memory string: inf: Section Name = vmci.install.x64.NT
Source: setupapi.dev.log.45.dr | Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.sys' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.sys'.
Source: setupapi.dev.log.45.dr | Binary or memory string: idb: Registered driver package 'vmci.inf_amd64_68ed49469341f563' with 'oem2.inf'.
Source: setupapi.dev.log.45.dr | Binary or memory string: inf: Driver package 'vmci.inf' is configurable.
Source: setupapi.dev.log.45.dr | Binary or memory string: inf: {Configure Driver: VMware VMCI Bus Device}
Source: setupapi.dev.log.45.dr | Binary or memory string: inf: {Query Configurability: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.636
Source: setupapi.dev.log.45.dr | Binary or memory string: sto: {Core Driver Package Import: vmci.inf_amd64_68ed49469341f563} 11:48:39.704
Source: setupapi.dev.log.45.dr | Binary or memory string: idb: {Register Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: setupapi.dev.log.45.dr | Binary or memory string: flq: Copying 'C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.sys' to 'C:\Windows\System32\drivers\vmci.sys'.
Source: setupapi.dev.log.45.dr | Binary or memory string: set: System Manufacturer: VMware, Inc.
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | API call chain: ExitProcess graph end node graph_0-3399
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | API call chain: ExitProcess graph end node graph_4-14911
Source: C:\Windows\System32\drivers\WUDFRd.sys | System information queried: ModuleInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140018800 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0000000140018800
Source: C:\Windows\System32\WUDFHost.exe | Code function: 52_2_00007FFDA54911A0 SleepEx,CreateNamedPipeW,swprintf,OutputDebugStringA,swprintf,OutputDebugStringA,ConnectNamedPipe,GetLastError,swprintf,OutputDebugStringA,WriteFile,SleepEx,ReadFile,CloseHandle,WaitForSingleObject,ReadFile,FindCloseChangeNotification,ReleaseMutex,ReleaseMutex,52_2_00007FFDA54911A0
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140023A88 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,4_2_0000000140023A88
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140002530 GetUserDefaultLangID,FormatMessageW,FormatMessageW,GetProcessHeap,HeapAlloc,_snwprintf_s,4_2_0000000140002530
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140018800 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0000000140018800
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140023D20 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0000000140023D20
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140020180 SetUnhandledExceptionFilter,4_2_0000000140020180
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_000000014001B6C4 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_000000014001B6C4
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2DF728 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,34_2_00007FFD8E2DF728
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Code function: 34_2_00007FFD8E2E44B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,34_2_00007FFD8E2E44B0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Code function: 41_2_00007FF7DF237130 SetUnhandledExceptionFilter,41_2_00007FF7DF237130
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Code function: 41_2_00007FF7DF236F14 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,41_2_00007FF7DF236F14
Source: C:\Windows\System32\WUDFHost.exe | Code function: 52_2_00007FFDA54946C8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,52_2_00007FFDA54946C8
Source: C:\Windows\System32\WUDFHost.exe | Code function: 52_2_00007FFDA5494110 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,52_2_00007FFDA5494110
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Memory allocated: page read and write | page guard
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_000000014000A180 GetProcessHeap,HeapAlloc,GetCommandLineW,_snwprintf_s,ShellExecuteExW,GetProcessHeap,HeapFree,4_2_000000014000A180
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Windows\SysWOW64\setx.exe setx /M IDmelonMode access-key
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyService "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Application "C:\Program Files (x86)\IDmelon\Accesskey"\Service.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Description "Coordinates the communications for using IDmelon solution as a roaming authenticator"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdoutCreationDisposition 4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderrCreationDisposition 4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateFiles 1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateOnline 0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateSeconds 14400
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateBytes 5000000
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Start SERVICE_AUTO_START
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" status AccesskeyService
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" start AccesskeyService
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccesskeyHid
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Start SERVICE_AUTO_START
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" install "C:\Program Files (x86)\IDmelon\Accesskey\driver\accesskeyfidovhid.inf" root\AccessKeyFidoVhid
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService Application "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" status AccesskeyService
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Process created: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe"
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Process created: C:\Windows\System32\dsregcmd.exe "C:\Windows\System32\dsregcmd.exe" /status
Source: unknown | Process created: C:\Windows\System32\WUDFHost.exe "c:\windows\system32\wudfhost.exe" -hostguid:{193a1820-d9ac-4997-8c55-be817523f6aa} -ioeventportname:\umdfcommunicationports\wudf\hostprocess-97f4f2de-0b6d-4708-9672-29cbfafe41c2 -systemeventportname:\umdfcommunicationports\wudf\hostprocess-ed4957c4-0381-42c5-b015-dd634ba9f208 -iocanceleventportname:\umdfcommunicationports\wudf\hostprocess-6f2c6ea5-0b65-4a5a-8a6d-a02cb8e867d5 -nonstatechangingeventportname:\umdfcommunicationports\wudf\hostprocess-d0cce0e5-6853-4eca-8ea9-ec55e74c196f -lifetimeid:46a3174a-9ab4-4718-a9ea-f0f3d3c57b11 -devicegroupid:wudfdefaultdevicepool -hostarg:0
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_000000014000A050 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,4_2_000000014000A050
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: GetLocaleInfoA,4_2_00000001400245E8
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Code function: 41_2_00007FF7DF2315E8 GetLastError,SetupDiGetDeviceRegistryPropertyW,41_2_00007FF7DF2315E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Logger.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\log4net.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\IDmelonVirtualHidAPI.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\TagReaderGRPC.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.Api.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\ServerApi.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Encryption.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\RestSharp.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\DeviceId.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\System.Text.Json.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\System.Threading.Tasks.Extensions.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\System.Runtime.CompilerServices.Unsafe.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Google.Protobuf.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\System.Memory.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Fido.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Suprema.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\BioKey.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\DB.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\SQLite-net.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.core.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.batteries_v2.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.provider.dynamic_cdecl.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.RuntimeInformation\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.RuntimeInformation.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\System.ValueTuple.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe | Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Driver\wudf.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe | Queries volume information: C:\Windows\System32\DriverStore\Temp\{2b66b655-e0ff-c54b-ab20-dac488c814f3}\wudf.cat VolumeInformation
Source: C:\Windows\System32\WUDFHost.exe | Code function: 52_2_00007FFDA54911A0 SleepEx,CreateNamedPipeW,swprintf,OutputDebugStringA,swprintf,OutputDebugStringA,ConnectNamedPipe,GetLastError,swprintf,OutputDebugStringA,WriteFile,SleepEx,ReadFile,CloseHandle,WaitForSingleObject,ReadFile,FindCloseChangeNotification,ReleaseMutex,ReleaseMutex,52_2_00007FFDA54911A0
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | Code function: 4_2_0000000140008480 GetSystemTime,CreateFileW,GetFileInformationByHandle,SystemTimeToFileTime,CloseHandle,SystemTimeToFileTime,CompareFileTime,GetLastError,SystemTimeToFileTime,FileTimeToSystemTime,CopyFileW,Sleep,SetFilePointer,SetEndOfFile,CloseHandle,MoveFileW,GetLastError,4_2_0000000140008480
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | Code function: 0_2_00403552 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403552
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (per tactic: count and technique as matched for this sample; matrix cells shown without a count did not match):
  Execution: 2 Native API; 12 Command and Scripting Interpreter; 12 Service Execution
  Persistence: 2 LSASS Driver; 1 DLL Side-Loading; 33 Windows Service; 1 Registry Run Keys / Startup Folder
  Privilege Escalation: 1 Exploitation for Privilege Escalation; 2 LSASS Driver; 1 DLL Side-Loading; 1 Access Token Manipulation; 33 Windows Service; 12 Process Injection; 1 Registry Run Keys / Startup Folder
  Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion; 32 Masquerading; 41 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 12 Process Injection
  Discovery: 1 System Time Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 37 System Information Discovery; 2 Query Registry; 131 Security Software Discovery; 41 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery
  Collection: 1 Archive Collected Data; 1 Clipboard Data
  Command and Control: 11 Encrypted Channel; 2 Non-Application Layer Protocol; 3 Application Layer Protocol
  Impact: 1 System Shutdown/Reboot
  Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration: no technique matched
Behavior Graph (ID: 1477394; Sample: SecuriteInfo.com.PUA.Tool.I...; Startdate: 21/07/2024; Architecture: WINDOWS; Score: 60). Information recoverable from the graph:
  Signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker
  Network: skm.idmelon.com; k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com (52.35.62.19, ports 443 / 49714, AMAZON-02US United States) contacted by Service.exe; 8.8.8.8 (GOOGLEUS United States) contacted by Service.exe
  Root processes: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe; svchost.exe; nssm.exe; 3 other processes
  SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe: dropped C:\Users\user\AppData\Local\...\nsExec.dll (PE32), C:\Users\user\AppData\Local\...\System.dll (PE32), C:\Users\user\AppData\...\InstallOptions.dll (PE32) and 63 other files (9 malicious); started devcon.exe, nssm.exe (twice) and 22 other processes
  devcon.exe: dropped C:\Users\user\AppData\Local\...\SET42C8.tmp (PE32+) and C:\Users\...\AccessKeyFidoVhid.dll (copy) (PE32+); started conhost.exe
  svchost.exe: started drvinst.exe (three instances); drvinst.exe dropped C:\Windows\System32\...\SET44BC.tmp (PE32+), C:\Windows\...\AccessKeyFidoVhid.dll (copy) (PE32+), C:\Windows\System32\drivers\...\SET4B63.tmp (PE32+) and C:\Windows\...\AccessKeyFidoVhid.dll (copy) (PE32+), and started conhost.exe
  nssm.exe: started Service.exe and conhost.exe; Service.exe started 2 other processes
  The remaining nodes are conhost.exe instances started by nssm.exe and by the group of 22 other processes (which also started 17 other processes)

SourceDetectionScannerLabelLink
SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe16%ReversingLabs
SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe7%VirustotalBrowse
SourceDetectionScannerLabelLink
C:\Program Files (x86)\IDmelon\Accesskey\AccesskeyCli.exe0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\BioKey.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\BioMini.UFMatcher.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\BioMini.UFScanner.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\CBOR.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\CSharpControls.Wpf.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\CommandLine.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\DB.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\DeviceId.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Driver\AccessKeyFidoVhid.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\EllipticCurve.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Encryption.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Fido.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\FontAwesome.WPF.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Google.Protobuf.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.Api.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\GrpcClients.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\IDmelonVirtualHidAPI.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Logger.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Microsoft.Bcl.AsyncInterfaces.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Newtonsoft.Json.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Numbers.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\RestSharp.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\SQLite-net.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.batteries_v2.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.core.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.provider.dynamic_cdecl.dll0%ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\ServerApi.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Service.exe | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Core.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Serializer.Core.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Serializer.SystemTextJson.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\SocketIOClient.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Suprema.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\System.Buffers.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\System.Memory.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\System.Numerics.Vectors.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\System.Runtime.CompilerServices.Unsafe.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\System.Text.Encodings.Web.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\System.Text.Json.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\System.Threading.Tasks.Extensions.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\System.ValueTuple.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\TagReaderGRPC.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\URIUtility.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\WebKeyLocalServiceDotNetx64.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\WpfAnimatedGif.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\pcprox\lib\pcproxapi\32\pcProxAPI.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\pcprox\lib\pcproxapi\64\pcProxAPI.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\grpc_csharp_ext.x64.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\grpc_csharp_ext.x86.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\log4net.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe | 14% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-arm\native\e_sqlite3.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-x64\native\e_sqlite3.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-x86\native\e_sqlite3.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\uninstall.exe | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\websocket-sharp.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\x64\sqlite3.dll | 0% | ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\x86\sqlite3.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nstB00.tmp\EnVar.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nstB00.tmp\InstallOptions.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nstB00.tmp\System.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nstB00.tmp\nsExec.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\{0721629b-1bca-ab45-b3d8-6d54ebfa50a2}\AccessKeyFidoVhid.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\{0721629b-1bca-ab45-b3d8-6d54ebfa50a2}\SET42C8.tmp | 0% | ReversingLabs
C:\Windows\System32\DriverStore\Temp\{2b66b655-e0ff-c54b-ab20-dac488c814f3}\AccessKeyFidoVhid.dll (copy) | 0% | ReversingLabs
C:\Windows\System32\DriverStore\Temp\{2b66b655-e0ff-c54b-ab20-dac488c814f3}\SET44BC.tmp | 0% | ReversingLabs
C:\Windows\System32\drivers\UMDF\AccessKeyFidoVhid.dll (copy) | 0% | ReversingLabs
C:\Windows\System32\drivers\UMDF\SET4B63.tmp | 0% | ReversingLabs
No Antivirus matches
Source | Detection | Scanner | Label
k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com | 0% | Virustotal |
skm.idmelon.com | 1% | Virustotal |
Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
http://mozilla.org/MPL/2.0/. | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.sqlite.org/copyright.html. | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://www.newtonsoft.com/jsonschema | 0% | URL Reputation | safe
https://www.nuget.org/packages/Newtonsoft.Json.Bson | 0% | URL Reputation | safe
https://github.com/dotnet/runtime8 | 0% | Avira URL Cloud | safe
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8 | 0% | Avira URL Cloud | safe
https://skm.idmelon.com | 0% | Avira URL Cloud | safe
https://skm.idmelon.com/apis/access-key-cli/v18 | 0% | Avira URL Cloud | safe
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog | 0% | Avira URL Cloud | safe
https://github.com/dotnet/runtime8 | 0% | Virustotal |
https://skm.idmelon.com/apis/access-key-cli/v18 | 1% | Virustotal |
https://skm.idmelon.com | 0% | Virustotal |
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog | 0% | Virustotal |
https://idmp.idmelon.com/v2 | 0% | Avira URL Cloud | safe
https://github.com/restsharp/RestSharp.git | 0% | Avira URL Cloud | safe
https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf | 0% | Avira URL Cloud | safe
https://idmp.idmelon.com/v2/Received | 0% | Avira URL Cloud | safe
https://idmp.idmelon.com/v2 | 0% | Virustotal |
https://github.com/restsharp/RestSharp.git | 0% | Virustotal |
https://skm.idmelon.com/apis/access-key | 0% | Avira URL Cloud | safe
https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf | 0% | Virustotal |
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8 | 0% | Virustotal |
https://github.com/protocolbuffers/protobuf.git | 0% | Avira URL Cloud | safe
https://github.com/dotnet/runtime | 0% | Avira URL Cloud | safe
http://idmelon.com9Failed | 0% | Avira URL Cloud | safe
https://aka.ms/dotnet-warnings/ | 0% | Avira URL Cloud | safe
https://aka.ms/serializationformat-binary-obsolete | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0D | 0% | Avira URL Cloud | safe
https://aka.ms/binaryformatter | 0% | Avira URL Cloud | safe
https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588 | 0% | Avira URL Cloud | safe
https://github.com/netty/netty/issues/6520.s | 0% | Avira URL Cloud | safe
https://github.com/JamesNK/Newtonsoft.Json | 0% | Avira URL Cloud | safe
https://github.com/doghappy/socket.io-client-csharp& | 0% | Avira URL Cloud | safe
https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958 | 0% | Avira URL Cloud | safe
https://github.com/grpc/grpc.git6 | 0% | Avira URL Cloud | safe
http://nssm.cc/ | 0% | Avira URL Cloud | safe
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f | 0% | Avira URL Cloud | safe
https://github.com/dotnet/roslyn/issues/46646~ | 0% | Avira URL Cloud | safe
https://github.com/ericsink/SQLitePCL.rawX | 0% | Avira URL Cloud | safe
https://github.com/netty/netty/issues/6520. | 0% | Avira URL Cloud | safe
https://github.com/dotnet/runtime/issues/73124. | 0% | Avira URL Cloud | safe
https://github.com/grpc/grpc.git | 0% | Avira URL Cloud | safe
https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8 | 0% | Avira URL Cloud | safe
https://skm.idmelon.com/apis/access-key-cli/v1/apps | 0% | Avira URL Cloud | safe
https://www.idmelon.com/downloads/pairing_tool/version.json | 0% | Avira URL Cloud | safe
http://idmelon.comoThe | 0% | Avira URL Cloud | safe
http://idmelon.com | 0% | Avira URL Cloud | safe
https://github.com/ericsink/SQLitePCL.rawH | 0% | Avira URL Cloud | safe
https://github.com/dotnet/roslyn/issues/46646 | 0% | Avira URL Cloud | safe
https://github.com/praeclarum/sqlite-net.git7 | 0% | Avira URL Cloud | safe
https://www.idmelon.com/downloads/pairing_tool/setup.exe?v= | 0% | Avira URL Cloud | safe
https://www.catcert.net/verarrel | 0% | Avira URL Cloud | safe
https://github.com/grpc/grpc-dotnet.git | 0% | Avira URL Cloud | safe
https://github.com/doghappy/socket.io-client-csharp | 0% | Avira URL Cloud | safe
https://skm.idmelon.com/apis/access-key-cli/v1 | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0A | 0% | Avira URL Cloud | safe
https://github.com/ericsink/SQLitePCL.raw | 0% | Avira URL Cloud | safe
http://www.idmelon.com | 0% | Avira URL Cloud | safe
https://github.com/praeclarum/sqlite-net.git | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com | 52.35.62.19 | true | false | | unknown
skm.idmelon.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://skm.idmelon.com/apis/access-key-cli/v1/apps | false | Avira URL Cloud: safe | unknown
Name: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
Source: Service.exe, 00000022.00000002.4615292315.00000208B2682000.00000002.00000001.01000000.0000001B.sdmp, Service.exe, 00000022.00000002.4615845352.00000208B2822000.00000002.00000001.01000000.0000001D.sdmp, System.Buffers.dll.0.dr, System.Threading.Tasks.Extensions.dll.0.dr, System.Runtime.CompilerServices.Unsafe.dll.0.dr
Malicious: false
Antivirus Detection:
  • 0%, Virustotal
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://github.com/dotnet/runtime8
Source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Json.dll.0.dr
Malicious: false
Antivirus Detection:
  • 0%, Virustotal
  • Avira URL Cloud: safe
Reputation: unknown
Name: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: pcProxAPI.dll0.0.dr
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
Name: http://ocsp.sectigo.com0
Source: pcProxAPI.dll0.0.dr
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
  • URL Reputation: safe
Reputation: unknown
Name: https://skm.idmelon.com
Source: Service.exe, 00000022.00000002.4612713278.0000020899E53000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://skm.idmelon.com/apis/access-key-cli/v18
Source: Service.exe, 00000022.00000002.4612713278.000002089A243000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 1%, Virustotal
  • Avira URL Cloud: safe
Reputation: unknown
Name: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: pcProxAPI.dll0.0.dr
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
Name: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: Service.exe, 00000022.00000002.4615120681.00000208B25E2000.00000002.00000001.01000000.00000019.sdmp, log4net.dll.0.dr
Malicious: false
Antivirus Detection:
  • 0%, Virustotal
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://idmp.idmelon.com/v2
Source: Service.exe, 00000022.00000002.4612407479.0000020899DB2000.00000002.00000001.01000000.00000015.sdmp, Service.exe, 00000022.00000002.4612713278.0000020899E11000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • 0%, Virustotal
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://github.com/restsharp/RestSharp.git
Source: Service.exe, 00000022.00000002.4615735176.00000208B27D2000.00000002.00000001.01000000.0000001C.sdmp, RestSharp.dll.0.dr
Malicious: false
Antivirus Detection:
  • 0%, Virustotal
  • Avira URL Cloud: safe
Reputation: unknown
Name: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: pcProxAPI.dll0.0.dr
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
Name: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: Service.exe, 00000022.00000002.4618333774.00000208B35F2000.00000002.00000001.01000000.0000002A.sdmp, System.ValueTuple.dll.0.dr, System.Numerics.Vectors.dll.0.dr
Malicious: false
Antivirus Detection:
  • 0%, Virustotal
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://idmp.idmelon.com/v2/Received
Source: Service.exe, 00000022.00000000.2242976539.0000020899552000.00000002.00000001.01000000.00000008.sdmp, Service.exe.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://skm.idmelon.com/apis/access-key
Source: Service.exe, 00000022.00000002.4612713278.000002089A243000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://github.com/protocolbuffers/protobuf.git
Source: Service.exe, 00000022.00000002.4617920165.00000208B2EE2000.00000002.00000001.01000000.00000027.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: http://mozilla.org/MPL/2.0/.
Source: Service.exe, 00000022.00000002.4616598483.00000208B2C1D000.00000004.00000020.00020000.00000000.sdmp, Service.exe, 00000022.00000002.4617703023.00000208B2E62000.00000002.00000001.01000000.00000026.sdmp, Service.exe, 00000022.00000002.4614663103.00000208A9E33000.00000004.00000800.00020000.00000000.sdmp, Grpc.Core.dll.0.dr
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
Name: https://github.com/dotnet/runtime
Source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Encodings.Web.dll.0.dr, System.Text.Json.dll.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://aka.ms/dotnet-warnings/
Source: System.Text.Json.dll.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: http://idmelon.com9Failed
Source: Service.exe, 00000022.00000000.2242976539.0000020899552000.00000002.00000001.01000000.00000008.sdmp, Service.exe.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://aka.ms/serializationformat-binary-obsolete
Source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Json.dll.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://sectigo.com/CPS0D
Source: pcProxAPI.dll0.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://aka.ms/binaryformatter
Source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Json.dll.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588
Source: Service.exe, 00000022.00000002.4617310364.00000208B2DE2000.00000002.00000001.01000000.00000021.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Service.exe, 00000022.00000002.4612713278.0000020899E53000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
Name: https://github.com/netty/netty/issues/6520.s
Source: Service.exe, 00000022.00000002.4632445211.00007FFD8EBDD000.00000002.00000001.01000000.0000000D.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: http://www.sqlite.org/copyright.html.
Source: sqlite3.dll0.0.dr
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
Name: https://github.com/JamesNK/Newtonsoft.Json
Source: Service.exe, 00000022.00000002.4615989693.00000208B28D2000.00000002.00000001.01000000.0000001F.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://github.com/doghappy/socket.io-client-csharp&
Source: SocketIO.Serializer.Core.dll.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: pcProxAPI.dll0.0.dr
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
Name: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958
Source: Service.exe, 00000022.00000002.4617310364.00000208B2DE2000.00000002.00000001.01000000.00000021.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://github.com/grpc/grpc.git6
Source: Service.exe, 00000022.00000002.4617703023.00000208B2E62000.00000002.00000001.01000000.00000026.sdmp, Grpc.Core.dll.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://sectigo.com/CPS0
Source: pcProxAPI.dll0.0.dr
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
Name: http://schemas.xmlsoap.org/soap/encoding/
Source: Service.exe, 00000022.00000002.4612713278.0000020899EB6000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
Name: http://nssm.cc/
Source: nssm.exe, nssm.exe, 00000004.00000000.2206047108.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000006.00000000.2208574349.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000008.00000002.2212494047.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000000A.00000000.2213502015.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000000C.00000002.2217449909.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000000E.00000000.2218317950.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000010.00000000.2220822953.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000012.00000000.2223206621.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000014.00000000.2227930232.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000016.00000000.2230547196.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000018.00000002.2234464657.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000001A.00000000.2235696174.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000001C.00000000.2238174858.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000001E.00000002.2259235944.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000020.00000000.2242032623.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000025.00000002.2262316238.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000027.00000000.2263428963.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000037.00000002.2326468848.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000039.00000002.2328969197.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000003B.00000000.2329500663.0000000140065000.00000002.00000001.01000000.00000007.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
Source: Service.exe, 00000022.00000002.4615292315.00000208B2682000.00000002.00000001.01000000.0000001B.sdmp, System.Buffers.dll.0.dr, System.Threading.Tasks.Extensions.dll.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://github.com/dotnet/roslyn/issues/46646~
Source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Json.dll.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://github.com/ericsink/SQLitePCL.rawX
Source: Service.exe, 00000022.00000002.4618271478.00000208B35D2000.00000002.00000001.01000000.00000029.sdmp, SQLitePCLRaw.core.dll.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://github.com/netty/netty/issues/6520.
Source: Service.exe, 00000022.00000002.4632445211.00007FFD8EBDD000.00000002.00000001.01000000.0000000D.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://github.com/dotnet/runtime/issues/73124.
Source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Json.dll.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
Name: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: Service.exe, 00000022.00000002.4618333774.00000208B35F2000.00000002.00000001.01000000.0000002A.sdmp, System.ValueTuple.dll.0.dr, System.Numerics.Vectors.dll.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://github.com/grpc/grpc.git
Source: Service.exe, 00000022.00000002.4617703023.00000208B2E62000.00000002.00000001.01000000.00000026.sdmp, Grpc.Core.dll.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://www.idmelon.com/downloads/pairing_tool/version.json
Source: Service.exe, 00000022.00000002.4612407479.0000020899DB2000.00000002.00000001.01000000.00000015.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: http://idmelon.comoThe
Source: Service.exe, 00000022.00000002.4612407479.0000020899DB2000.00000002.00000001.01000000.00000015.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: http://idmelon.com
Source: Service.exe, 00000022.00000002.4612713278.000002089A0B3000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: http://james.newtonking.com/projects/json
Source: Service.exe, 00000022.00000002.4615989693.00000208B28D2000.00000002.00000001.01000000.0000001F.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
Name: https://github.com/ericsink/SQLitePCL.rawH
Source: Service.exe, 00000022.00000002.4618386784.00000208B3612000.00000002.00000001.01000000.0000002B.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://github.com/dotnet/roslyn/issues/46646
Source: Service.exe, 00000022.00000002.4616236977.00000208B2992000.00000002.00000001.01000000.00000020.sdmp, System.Text.Json.dll.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://github.com/praeclarum/sqlite-net.git7
Source: Service.exe, 00000022.00000002.4618163920.00000208B3592000.00000002.00000001.01000000.00000028.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://www.idmelon.com/downloads/pairing_tool/setup.exe?v=
Source: Service.exe, 00000022.00000002.4612407479.0000020899DB2000.00000002.00000001.01000000.00000015.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: pcProxAPI.dll0.0.dr
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
Name: https://www.catcert.net/verarrel
Source: Grpc.Core.dll.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://github.com/grpc/grpc-dotnet.git
Source: Service.exe, 00000022.00000002.4615232663.00000208B2632000.00000002.00000001.01000000.0000001A.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: pcProxAPI.dll0.0.dr
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
Name: http://schemas.xmlsoap.org/wsdl/
Source: Service.exe, 00000022.00000002.4612713278.0000020899F0B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
Name: https://github.com/doghappy/socket.io-client-csharp
Source: SocketIO.Serializer.Core.dll.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://www.newtonsoft.com/jsonschema
Source: Service.exe, 00000022.00000002.4615989693.00000208B28D2000.00000002.00000001.01000000.0000001F.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
Name: https://skm.idmelon.com/apis/access-key-cli/v1
Source: Service.exe, 00000022.00000002.4612407479.0000020899DB2000.00000002.00000001.01000000.00000015.sdmp, Service.exe, 00000022.00000000.2242976539.0000020899552000.00000002.00000001.01000000.00000008.sdmp, Service.exe, 00000022.00000002.4612713278.0000020899E11000.00000004.00000800.00020000.00000000.sdmp, Service.exe.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: http://ocsp.sectigo.com0A
Source: pcProxAPI.dll0.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://github.com/ericsink/SQLitePCL.raw
Source: Service.exe, 00000022.00000002.4617630505.00000208B2E52000.00000002.00000001.01000000.00000025.sdmp, Service.exe, 00000022.00000002.4618386784.00000208B3612000.00000002.00000001.01000000.0000002B.sdmp, Service.exe, 00000022.00000002.4618271478.00000208B35D2000.00000002.00000001.01000000.00000029.sdmp, SQLitePCLRaw.core.dll.0.dr, SQLitePCLRaw.batteries_v2.dll.0.dr
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: Service.exe, 00000022.00000002.4615989693.00000208B28D2000.00000002.00000001.01000000.0000001F.sdmp
Malicious: false
Antivirus Detection:
  • URL Reputation: safe
Reputation: unknown
Name: https://github.com/praeclarum/sqlite-net.git
Source: Service.exe, 00000022.00000002.4618163920.00000208B3592000.00000002.00000001.01000000.00000028.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
Name: http://www.idmelon.com
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, 00000000.00000002.2446274237.0000000000550000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, 00000000.00000003.2445593546.000000000054D000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
8.8.8.8 | unknown | United States | 15169 | GOOGLEUS | false
52.35.62.19 | k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1477394
Start date and time: 2024-07-21 06:18:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 14m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 65
Number of new started drivers analysed: 2
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
Detection: MAL
Classification: mal60.evad.winEXE@98/120@1/2
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 95%
  • Number of executed functions: 89
  • Number of non-executed functions: 214
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Override analysis time to 240000 for current running targets taking high CPU consumption
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
00:19:15 | API Interceptor | 16662632x Sleep call for process: Service.exe modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com | SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe | malicious | Unknown | 54.213.11.204
 | SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe | malicious | Unknown | 54.70.179.63
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | file.exe | malicious | Babadeda | 143.204.215.122
 | file.exe | malicious | Babadeda | 143.204.215.18
 | arm7.elf | malicious | Mirai | 130.177.187.248
 | arm5.elf | malicious | Mirai | 54.171.230.55
 | https://www.svb.com/learning-central/go/contact | malicious | Unknown | 18.245.46.101
 | file.exe | malicious | Babadeda | 143.204.215.115
 | file.exe | malicious | Babadeda | 143.204.215.18
 | file.exe | malicious | Babadeda | 143.204.215.115
 | https://xv-dna-idx-com.resmi-v1.biz.id/ | malicious | Unknown | 18.239.18.5
 | https://5228753.webku.buzz/ | malicious | Unknown | 18.239.36.119
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | https://xv-dna-idx-com.resmi-v1.biz.id/ | malicious | Unknown | 52.35.62.19
 | https://help-metaprotectextension.gitbook.io/ | malicious | Unknown | 52.35.62.19
 | https://bet3659981.com/ | malicious | Unknown | 52.35.62.19
 | http://madive-bunde-thinkkjhgf.pages.dev/help/contact/728719822901550/ | malicious | HTMLPhisher | 52.35.62.19
 | http://www.829347219502.com/ | malicious | Unknown | 52.35.62.19
 | https://helps-org---metamskk.gitbook.io/ | malicious | Unknown | 52.35.62.19
 | https://vishalyadav30301.github.io/Instagram-login-page | malicious | HTMLPhisher | 52.35.62.19
 | http://help--chomre-metaamsk.gitbook.io/ | malicious | Unknown | 52.35.62.19
 | https://mjai.2fe.cn/ | malicious | Unknown | 52.35.62.19
 | http://stanpatterson2.wixsite.com/my-site-1/ | malicious | Unknown | 52.35.62.19
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\IDmelon\Accesskey\CBOR.dll | EmbravaConnect.msi | malicious | PrivateLoader
 | SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe | malicious | Unknown
 | SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe | malicious | Unknown
C:\Program Files (x86)\IDmelon\Accesskey\CSharpControls.Wpf.dll | SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe | malicious | Unknown
 | SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe | malicious | Unknown
Process: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type: Unicode text, UTF-8 (with BOM) text, with no line terminators
Category: dropped
Size (bytes): 41
Entropy (8bit): 4.045980358012783
Encrypted: false
SSDEEP: 3:TdRPZCALEZWp3aV:TfZdLZZe
MD5: C1D68091F5550E6D1E8EFD8A74BBAEDD
SHA1: ADE9C2C175686A3A077E496C286EC1361401137F
SHA-256: F4D11E83230D4B84579A1E456A71C020ECA8C8F221B23196AE1B37D8BF3E6B4F
SHA-512: F97D2ACD20028EA2BF1D4F73F555316F1C6D6A69A2CDFADD486254ED76872C96172EA38A2CDAE7B2A0E18E04576205E8FA25DBD2E523A6A3A67076428B6EA4F6
Malicious: false
Preview: .sxdflgkjhngljkhnasdfoplkhngoljwehnfrop
Process: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type: MS Windows 95 Internet shortcut text (URL=<http://www.idmelon.com>), ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 48
Entropy (8bit): 4.532268229617389
Encrypted: false
SSDEEP: 3:HRAbABGQYm/0S4aQLdVv:HRYFVm/r4aezv
MD5: 4382924CD029D894827F113225475D20
SHA1: 8A962CFB320B887119C03BF4B0A8BB456661632F
SHA-256: 41074075E517313974A00A633A82522B481F8AE4B867AF10271985D07995BADE
SHA-512: 3B1FD0ECE3554DFA0C3CE82E4B2A6184E4F3982B17DE67EF63B4E670FB288A31E3B3D1ADEA2ADF16726D3C4F914B3D2F46F33C9BE676681634A358B813AB01BA
Malicious: false
Preview: [InternetShortcut]..URL=http://www.idmelon.com..
Process: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 228392
Entropy (8bit): 5.3227611841816005
Encrypted: false
SSDEEP: 1536:jPETvxZODI/y64HbnYLYLBPsM8mb8QsnGU3bsOlI/AZ5lfr/30Qh2RApO+T3QvNa:IvxAR77ELmb8QMGUrsOlEQh2n83QVa
MD5: 5C68F548BED2D865DAEEFB1708493351
SHA1: B99B5482BF003EFC9729D3F291E1700A1C268741
SHA-256: 809CEAFD55FE53B235DB101586BF5CB5A4CCBC4815175CF0F89C2F228F5EB442
SHA-512: FC7B6A6E46C4FCF7DC55800DF3610B7900CF9FF4EDD7EBCAA696B64BC2DA291669ABF67292890E4555B225261D8CF488037E85E8096F5ECBF77571258B1B7A6A
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type: XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 2158
Entropy (8bit): 5.001906641704252
Encrypted: false
SSDEEP: 48:327Yg+mOwg1Sg+CBOg1gg+w3mgDSag+FIsg+w3w:Kkf6YKwDTwg
MD5: 0CC816CC5B23BFDF1B3201CFF674DBD1
SHA1: 2651C52CAE238FFD27D1D8374EBBE7D7974462AF
SHA-256: FA516EFA039B73FF56E559789A38E74BCC164F65F7B7C56C6FC364D5EAF56A55
SHA-512: A51FE6749E38D2F8D779DB9A075B3A92B98403CD912551347CFC0010A09EDDC46F14E449595508AD1C42373BAE75D8ACD3FC8831CF359D90D9B762797D350E19
Malicious: false
Preview: .<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.1.4.0" newVersion="4.1.4.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.batteries_v2" publicKeyToken="8226ea5df37bcae9" culture="neu
Process: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 28672
Entropy (8bit): 4.949607387291885
Encrypted: false
SSDEEP: 384:C3HwUZ3sK1F2v1I23ou3wHQp9t66S1DFlrMdOREjeJxxICzZhK/vNX3Y2zI0vUIa:C3sK1/W93wwbO3kcE0d9NN
MD5: 18D8F8729A887B835D49D296FE579A85
SHA1: 9ED4A1BF1AD5075BFC71746E55979A6444F766AB
SHA-256: 21FC933D379AD710F889BC07E921420539E3C96F4FC99BA5AC7175956059485A
SHA-512: A26026885940C246A0C49B56401E2DFEAB7CAED6717C8714CFA840505B8BFB30D1AE84B23E34B86C1A73DABF3C82BE40BCB454770FBE757DCE0D0D6710551B77
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U.)..........." ..0..h............... ........... ....................................`.................................G...O.......h...............................8............................................ ............... ..H............text....f... ...h.................. ..`.rsrc...h............j..............@..@.reloc...............n..............@..B................{.......H.......(A...D...........................................................0............s....}......s....}......s....}......s....}......s....}.....(.....s....}.....{......$...%...})....{.....}'....-..{.....}&....{.....}(...+..{.....}&....{.....}(....(....-.r...ps....z..}......}.....s....}.....s....}.....s....}.....s....}....*....0............s....}......s....}......s....}......s....}......s....}.....(......}.....{......$...%...})....{.....}'....-..{.....}&....{.....}(...+..{...
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):1439
            Entropy (8bit):5.043688272837476
            Encrypted:false
            SSDEEP:24:JduPF7NruH2/+mVV+TkH2/17zVUrPH2/+CVVXBOH2/17zVQ7uH2/X9y:327Yg+mOwg1Sg+CBOg1SagXw
            MD5:92908A348BDC4D9C1F69A8C951BF2137
            SHA1:A4ECC68E91EDCF1FB1DA52C4A56CA627D6D71366
            SHA-256:4A18461C471A3BFF1139472062BEC545680EB63CAA28588E75BCC54882737B3C
            SHA-512:1E27B3AA7A6E284EC92F93A17BC0DD7CD65C8225C224A37BD15366D3B1AF6C2C43BCC76EFE1F49B34599B9AEA83345CBDE4141030E447F4FD310407B1F6A7714
            Malicious:false
            Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.1.4.0" newVersion="4.1.4.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.batteries_v2" publicKeyToken="8226ea5df37bcae9" culture="neu
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):24576
            Entropy (8bit):3.2308666869663676
            Encrypted:false
            SSDEEP:384:kBTJPM/MtwWRGfo6QQFuiwuXAhOKbjo7U:GPwWQfo64l07U
            MD5:AB04E46306767BD337068AA8D06FD030
            SHA1:A414059F2233666740D04663925F05A9D62FE38F
            SHA-256:CA821422D66B5F8F828A33F7FA63D2E3DCF37FFF349486699AF60C9BE3A9A78C
            SHA-512:0B8BA392975292FF3739BA8906E3A655C4F096C6AC8A64B025348383BBBD926626734494120226F9D7051C9841EDC5C89934663DCE18B3E3A73FBA4D63A33710
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dm.d.........." ..0..0... ......"J... ...`....... ....................................@..................................I..O....`..8............................................................................ ............... ..H............text...(*... ...0.................. ..`.rsrc...8....`.......@..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):57344
            Entropy (8bit):4.657614516436592
            Encrypted:false
            SSDEEP:768:gQg4Qrw97g3TGIsPJKop0TDQBIxRSX56GxVgeT:QnkqkOoIDI1Vp
            MD5:EA82AE4604A655B2FCDA992EC6214930
            SHA1:1CD5636CF38085B28394DC99A1B9AC361B0E8DE5
            SHA-256:7F435BD4091FB4544F996DA9C31940F2D1A86388382045D95EA9FBB6DC49F7E4
            SHA-512:F94337618B2BBE802981DF10094AE9FF925BDC3F9F9AB55F7E05F931730B228F503B7BF232E1E897A565BEA18FFA1D02CEF9C38C0762CFC086AC26106802D250
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...bm.d.........." ..0...... ........... ........... ....................... ......sZ....@.................................<...O.......8............................................................................ ............... ..H............text........ ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):192512
            Entropy (8bit):5.922763836627469
            Encrypted:false
            SSDEEP:3072:xdkYH1ptN/+HyzN7HFcix3Y18912gMyCN0W7wPzozc+j+oYQ0kFz8RN:vdQOHFluq8GCcn
            MD5:8DEF7E1FC741E9D8CBCE2E8F4D4E11B4
            SHA1:85BA62180D7ED3BAA15BD2E4DFDDB3091FF8675E
            SHA-256:442ADD0037FF9593C3737F5C77BF77B198AFD5DD3A8DA0714F3C50D990EA733C
            SHA-512:199AC50D872069BF915CA15C3EDB55DCAFE5465DB2319DB755572A6C66CC71695AF008EF075B2E3CD8B13F862C0341756F0A488730E3F0E3B0D52BA0A08E22D6
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Joe Sandbox View:
            • Filename: EmbravaConnect.msi, Detection: malicious
            • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe, Detection: malicious
            • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe, Detection: malicious
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....N.a.........." ..0.................. ... ....... .......................`......,M....@.................................P...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H............6...........................................................0..4........-.r...ps!...zs"........i..(....,.r...ps#...z.o$...*.0..:........-.r)..ps!...z....+...(.......X... ..../..+..X...o%...2..*...0..!........-.r...ps!...z../.r1..p..(&...rA..p('...s#...z...i1'r1..p..(&...rc..p..i...(&...((...s#...z../.r...p..(&...rA..p('...s#...z...i1'r...p..(&...rc..p..i...(&...((...s#...z..i.Y./M..E...%.r...p.%...(&....%.r...p.%...i.Y...(&....%.r...p.%...(&....()...s#...zs".....
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):30720
            Entropy (8bit):5.748915622125059
            Encrypted:false
            SSDEEP:768:fmUjegUxTULjdDGaP5zAzU48RZWupurud70IRRY4GNRzglX6TL6:m2RDGaP5zAzULKupurud70IvY4GNRzgb
            MD5:48BAF45D80E6625E61088522D673F4DE
            SHA1:B87C4B3C272EE344AC6A3CFE0F47A8D8FEE49715
            SHA-256:B6AD6A470BA086174871F88F33C9B8F45406E99765E56809DAB0806A2C1A17BF
            SHA-512:E48662A726558CDB9628C153F53D84F6ECDD71509C50D07076149298BE2F04E8193461DF683768E925A73C6703B265CDC7EA05D81B0E00F9F5F96B6E7C349571
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Joe Sandbox View:
            • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe, Detection: malicious
            • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe, Detection: malicious
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...I..a.........." ..0..p............... ........... ....................................`.................................\...O...................................$................................................ ............... ..H............text....n... ...p.................. ..`.rsrc................r..............@..@.reloc...............v..............@..B........................H........+..D2...........]..(/..........................................>. 4......(....*2......o....*:........o....*.0..,........o....r...p $...........%...%....o....t....*&...o....*..(....*...u...............q............*..0..2........(......,&.o.....o ...-..o.....(!...,..*..(....*.*...0..N.......~"........#........s#........#........s#........#...... @#........#...... @#........s$..........c ....(%...s&........ .... .... ....(%...s&..........c ....(%...s&........ .... ....
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):552
            Entropy (8bit):5.06340490227939
            Encrypted:false
            SSDEEP:12:HW0M+dHJn4FS+MbFEmczXX6FIPqapEyyIcGRN6zqpUF06J3puellQEmsZwnv:HW0MKHz+UbmXqFIPGHINNULxpueQbsq
            MD5:561E19225AECC736A141C75ACDF39E96
            SHA1:8EB13CD4FC8F25C6076FD16B32A1D24415057176
            SHA-256:AA53894994BE24945B4578A5DC29F552787C0F00A70D816014C456DDD3E0EB08
            SHA-512:DEC25F23C2F9298FD905E4A984D57E3C3D934352471109CB97D6CA393049C5A44F172E1862C82B326E0C885192EA993C5FEB64F83F1A1335D6EE284ADD09304E
            Malicious:false
            Preview:.<log4net>...<appender name="file" type="log4net.Appender.RollingFileAppender">....<file value="C:\ProgramData\IDmelon\Accesskey\clientLog.log" />....<appendToFile value="true" />....<rollingStyle value="Size" />....<maxSizeRollBackups value="5" />....<maximumFileSize value="10MB" />....<staticLogFileName value="true" />....<layout type="log4net.Layout.PatternLayout">.....<conversionPattern value="%date %level - %message%newline" />....</layout>...</appender>...<root>....<level value="ALL" />....<appender-ref ref="file" />...</root>..</log4net>
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):225280
            Entropy (8bit):6.201066097308408
            Encrypted:false
            SSDEEP:6144:sG/zAnUPpKO6acJ8Ha+VbR9HGzIuIliUtf:syzAUPMeaIDGcfi
            MD5:2F345B6D207489E52DB3F85C2E4E617D
            SHA1:D0CD77AA88B8ED0AE5F07A8132EACA857DEA7795
            SHA-256:2135B40FA819E58CF1942453E4409BFDEA2BE631077A354B878DE8402BE7E026
            SHA-512:24AD3B3620E5E093EA57C1BEC486379853D625DBF962210B2DEB823115A45F9EC4083B6D4BB69610A9DAE4B6076284C11E3663430DB4EA739224E6DE93D88E8D
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..f............... ........... ...............................d....`.................................b...O.......................................T............................................ ............... ..H............text....e... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H.......dJ...9............................................................{....*..{/...*V.(0.....}......}/...*...0..A........u........4.,/(1....{.....{....o2...,.(3....{/....{/...o4...*.*.*. a.(. )UU.Z(1....{....o5...X )UU.Z(3....{/...o6...X*...0..b........r...p......%..{.......%q!....!...-.&.+...!...o7....%..{/......%q"...."...-.&.+..."...o7....(8...*..{9...*..{:...*V.(0.....}9.....}:...*.0..A........u#.......4.,/(1....{9....{9...o2...,.(3....{:....{:...o4...*.*.*. ..% )UU.
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):18432
            Entropy (8bit):5.299901416152227
            Encrypted:false
            SSDEEP:384:1E44E69TJN6eOuJ0wOs6tx/nQv50DNmfVS6rM/c9:h6dbdwxM0DI9S6rM/c9
            MD5:A03CAA1272CEF60DC2B0064FAC645DF9
            SHA1:0658FA611454F9A9502DD1B5D37AC588E715B8A8
            SHA-256:B976CA18F96DD9BCCF14B33F9832517B966FA2E57CF601BD75C7E8F6DBD175E6
            SHA-512:CFA1EE365F4C37C8BC22A748F7EB8D038C9A72EF07FD8A6DC11E1AFA907A58B3E0D268FA4DA49A38C99BD1FCA0DBB12D4656752A92691DDCF3C6EAE1B85091B1
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8..........." ..0..@..........._... ...`....... ....................................`.................................?_..O....`..H............................^..8............................................ ............... ..H............text....?... ...@.................. ..`.rsrc...H....`.......B..............@..@.reloc...............F..............@..B................s_......H.......(....0...........................................................~....{....*.0...........(....o....(....r...p(....}.....(......{.....s....}.....{....o...+&.{....o...+&.{....o...+&.{....o...+&.{....o...+&.{.....o...+&.{.....o...+&.{.....o...+&.{.....o...+&.{.....o...+&*.s.........*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}.
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):693
            Entropy (8bit):5.1233623193005275
            Encrypted:false
            SSDEEP:12:MMHdGzNFF7ap+5Xl+Tkf/2/1ZFUSFip+5XlXBorf/2/1ZFUSFicYo4xT:JduPF7NV+TkH2/17zVVXBOH2/17z9y
            MD5:75A1EDD6FC9985FBD0D5824D40B58B35
            SHA1:C4F6C27B5F34254288A7369B5D28F835F6ECABE8
            SHA-256:55DA44B00F8B5B2F9D1AE0C7741E1A55DEFA08BC3033AA22E0D47848D5AA4D4A
            SHA-512:8CCFDFC6C769439CD2F741F3C34CEA4A5550DA89D5EB5532EF167E52CD3AACAB8C32E0F41C007A11F93AE967C1A66D4834670CF2FFF6B3E10ED825A414744FF0
            Malicious:false
            Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.batteries_v2" publicKeyToken="8226ea5df37bcae9" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):311
            Entropy (8bit):4.791338764275588
            Encrypted:false
            SSDEEP:6:HW0MvN7dDv/+qpcLrSu0AOMJyNQKmuellozEmsDyEpWKAO:HW0MvFdrHpUF06J3puellQEmsZpNv
            MD5:6A3D6D149385B00DE23C87B4B1BFD4F4
            SHA1:D4ACA7ABA9ADB086F4FB66888EC1B799CC3F8829
            SHA-256:94F3425B94B3ADAB9CC851D1236D44ACAC3D4528BDAA8400FE492F2804A5B096
            SHA-512:DA66005E9BD319C6296D1A13014BD409A3F98150B7F627B120FF78B8D13BE8BB157B9C40C5AD0EDD6CCEEA1C38851B4F3A46A061E1713669B2FB61426DB586B3
            Malicious:false
            Preview:.<log4net>...<appender name="console" type="log4net.Appender.ConsoleAppender">....<layout type="log4net.Layout.PatternLayout">.....<conversionPattern value="%date %level - %message%newline" />....</layout>...</appender>...<root>....<level value="ALL" />....<appender-ref ref="console" />...</root>..</log4net>
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):22528
            Entropy (8bit):5.675149624141371
            Encrypted:false
            SSDEEP:384:QYCdkWmMEJAEUGz0PylRukCA+OYD0vRbqslxEmwlYu2:tCdkWmMQiylQHA+KvRbqslxEmeY5
            MD5:AF01286DFD69ABEB06AB1537E374628C
            SHA1:10D16C22B588AFE22FF330176200515D0192CE63
            SHA-256:3793DCB2D3C25D22577E9B8836FD11C5870BE01B068F2DBF04BEF4F32E6C83E7
            SHA-512:29CDD5647D751B459EABBFB60D6F8D404497FE2C8845DD6994A0D1F279CB63E0B4E4CD116C652266AD0BEC90056CCE5D1090C7CF659EBDBDD019C091D9828609
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....)..........." ..0..N..........Rm... ........... ....................................@..................................l..O...................................<l..T............................................ ............... ..H............text...XM... ...N.................. ..`.rsrc................P..............@..@.reloc...............V..............@..B................2m......H......../..0<...................k........................................(....*:.(......}....*..{....*"..}....*..{....*..(.....(....(.....(....s....}....*>.(......o.....*..(....-.r...ps....z.(.....(....o!...*&..o.....*Z.r...p(....sX...o....*Z.r...p(....sX...o....*Z.r...p(,...sX...o....*N.r...p..sb...o....*.0..$.......r...p.o.....,...(........s^...o....*.~....*.~....*.(&...sI...s6........(&...($...s6........*v.(.....s....}.....s....}....*&..}.....*>.{......o.....*.0..........
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):52944
            Entropy (8bit):6.483483863603903
            Encrypted:false
            SSDEEP:1536:nXVCxosSAPn6cWynO6SUJhUZnY1PdBmz:XVzsZPnNWykLnYBm
            MD5:42BB134409EB5B648998844608434CD7
            SHA1:492284DD87E06372E6DDCA23D64C8B2FC771077B
            SHA-256:0B502F92BF3B6B975D88EA60A2288134C18B3B28BC93A3482ED4C336B7DC674B
            SHA-512:DAF807A2384A22425812DE390CCB33491874E206F5E9F6A9CCD16180D653A9F3DD2D659E1E668A32AAE5E974B800620CF9246355CF6FE02B0172E67BD62B010A
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................[..............................F.....F.....F.7....F.....Rich...........................PE..d.....+d.........." ...".P...J.......@...................................................`A............................................X.......x........................8......D...0...8............................~..@............`...............................text...`O.......P.................. ..`.rdata...0...`...2...T..............@..@.data...P...........................@....pdata..............................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..D...........................@..B................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:Windows setup INFormation
            Category:dropped
            Size (bytes):4836
            Entropy (8bit):3.7387330079455343
            Encrypted:false
            SSDEEP:48:rRxR/zoP0dlUlyFxloQPxWmxxvVARfmwCfi6gDVkf3iQLt97Hu6/OgTgy7dCrXL5:rh/z9YRfmwCfiTQR97O4p4v9lsqs0sI
            MD5:8A71F48313969317868E08E1B8009DEF
            SHA1:3AE7FDACC7BEF1ECCDBEE2427E97ED90EFE2CF04
            SHA-256:09BB78FDE1F9681AACAA95880DB62B439DD6A25418D5E6BB44FB6EB90E66E12D
            SHA-512:32480914934142D1FB808CABF9651AF6295228766C39AB22CE4E1BC4E50555F03415E798D5117139AFE1482F7FFE8DE5F1014D5A3A0AF2DB490039621210EA31
            Malicious:false
            Preview:..[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.I.N.D.O.W.S. .N.T.$.".....C.l.a.s.s.=.H.I.D.C.l.a.s.s.....C.l.a.s.s.G.u.i.d.=.{.7.4.5.a.1.7.a.0.-.7.4.d.3.-.1.1.d.0.-.b.6.f.e.-.0.0.a.0.c.9.0.f.5.7.d.a.}.....P.r.o.v.i.d.e.r.=.%.P.r.o.v.i.d.e.r.S.t.r.i.n.g.%.....D.r.i.v.e.r.V.e.r. .=. .0.4./.0.3./.2.0.2.3.,.2.1...4...5.3...4.8.8.....C.a.t.a.l.o.g.F.i.l.e.=.w.u.d.f...c.a.t.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .C.l.a.s.s. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........;.[.C.l.a.s.s.I.n.s.t.a.l.l.3.2.].....;.A.d.d.r.e.g.=.F.I.D.O.C.l.a.s.s.R.e.g.........;.[.F.I.D.O.C.l.a.s.s.R.e.g.].....;.H.K.R.,.,.,.0.,.%.C.l.a.s.s.N.a.m.e.%.....;.H.K.R.,.,.I.c.o.n.,.,.-.5.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .D.e.v.i.c.e. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.S.t.r.i.n.g.%.=.I.D.m.e.l.o.n.,. .N.T.a.m.d.6.4...6...3.........[.I.D.m.e.l.o.n...N.T.a.m.d.6.4...6...3.].....%.D.e.v.i.c.
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32+ executable (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):83456
            Entropy (8bit):4.915846781735663
            Encrypted:false
            SSDEEP:1536:q1Hclj1z7qfAHwFj9f5G9RN5CJp+T8Atgwd7Fc5VzGwFMqO7W0:q182fAHwwouT8TOpcLG2M3W
            MD5:6EA4F64D02AE236A6B60E5E665079A89
            SHA1:DB974A620B2D766E8D0E7FEED4F95C8D5B01F4AB
            SHA-256:40AC07FEC5D9204CBB87D52BCE95AAEC67D37233BC3FFD9E9BAF02D0B55AB912
            SHA-512:EFC8520CCF8B712479AF23ADC4587FCAF9F8AC6E565F1073C2F97AEF45F7382FCA49E8E1E3A87B98BD66DD69D2CF8C46EE9EFB4B1DBB40DC2747145891BBB411
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F...'...'...'...L...'...L...'...L...'...L...'...'...'...L...'...L...'...L...'..Rich.'..........PE..d....p..........."......f...........n.........@..........................................`.......... ......................................t...........p...............................T...........................................(................................text....e.......f.................. ..`.rdata... ......."...j..............@..@.data...............................@....pdata..............................@..@.rsrc...p...........................@..@.reloc...............D..............@..B................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:DOS batch file, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):61
            Entropy (8bit):4.460399887206969
            Encrypted:false
            SSDEEP:3:mKDDFAR+SZxvBAKeBeJ+dDDFBRyn:hmRBp2e+PBAn
            MD5:BC77DB060E792626050D496B5263979B
            SHA1:AC4DC60491EDBFCC9419971618DF44C97E4B2E73
            SHA-256:0F87882948A3F4F775CFAF5B2375CBFB9842C4FB85E0660320ED28513CCAB3BF
            SHA-512:728DA3F09EA11494F6D80EF964B27D716031F3D7C12F99EA322D36E40DE5AF0293635900190FB810BA50B3B8F19B06DE675260D88FECF36B55B85941B29E2B32
            Malicious:false
            Preview:@echo off..set args1=%1..devcon.exe disable %args1% && exit..
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:DOS batch file, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.426990803617332
            Encrypted:false
            SSDEEP:3:mKDDFAR+SZxvBAKeALEHOvdDDFBRyn:hmRBp2+LEHOvPBAn
            MD5:7BF5E5460E19DA15BC50E4CB525FFE47
            SHA1:253F0562AE28E3E2B3C48EB0FFF58572BEDABC7C
            SHA-256:B968760E9B5E613B8D3E7C746F45256D204E71CA2D577EC19911BDF251555D89
            SHA-512:5AEB53187279B6621CDEF0A27099FC6960C190F9B7D376AD386E26C398DC7E11C968125A2818AA976BE7A5D7865A6EEFE3C232BE0EA18578FEBE98E8F3D3F905
            Malicious:false
            Preview:@echo off..set args1=%1..devcon.exe enable %args1% && exit..
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):81
            Entropy (8bit):4.346542017363296
            Encrypted:false
            SSDEEP:3:jb6+SZxvWA4SSiheMLVLzAQDn:36BpWRiJLVoQD
            MD5:DE964C03675D7068BE42F3F269A40EB9
            SHA1:5F49AD4D74AB33FBB571A44A75079FF41A7356D5
            SHA-256:EFA52F366577471E8E304663EA30756D0302166059B5CDB95612D68550EB7238
            SHA-512:34EB3F7377F795B2CD79C89C0D1C2E20080FFE16E302F6B3E5B1F62E98725467C17800C6D52E05F952141ABDB7D3910DB30E7C1984CF0E8DCC73DA073326C576
            Malicious:false
            Preview:echo on..set args1=%1..set args2=%2..devcon.exe install %args1% %args2%..echo off
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:DOS batch file, Unicode text, UTF-8 (with BOM) text, with very long lines (327), with CRLF line terminators
            Category:dropped
            Size (bytes):401
            Entropy (8bit):5.091399972357828
            Encrypted:false
            SSDEEP:6:SmR94BgqrJzkmwPIct0yl/mmFN3tfRGiTy6EGrgyAyxAyI2RTiDhMB5ZBR:J74tdk5jtnrC0yyGyDR+A5J
            MD5:5992CF74AF8F737C1BD71D549D1C1065
            SHA1:6B38B8077C0D103ABA384C72BC1AEBFB2035D958
            SHA-256:BF41D1895CD280B1AEF7F41BA20F53C6D1EFF1FF9B83F8AB6E03299C5C367DF3
            SHA-512:F1BF08405256C7818CD027D87F0BB5634B4930139CD0B35DED33640F74EDB0E6D7BEEF714330B5873F1F0A3F585D06A3938E2D7651A26D9F36263C8E24D18191
            Malicious:false
            Preview:.@echo off..set "params=%*"..cd /d "%~dp0" && ( if exist "%temp%\getadmin.vbs" del "%temp%\getadmin.vbs" ) && fsutil dirty query %systemdrive% 1>nul 2>nul || ( echo Set UAC = CreateObject^("Shell.Application"^) : UAC.ShellExecute "cmd.exe", "/k cd ""%~sdp0"" && %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs" && "%temp%\getadmin.vbs" && exit /B )..devcon.exe status root\IDmelonHid && exit
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):58
            Entropy (8bit):4.195849477991226
            Encrypted:false
            SSDEEP:3:jb6+SZxvBAKeXt9PgDn:36Bp2hgD
            MD5:1B4BAD54EB85ADB7C4350B331FBA9030
            SHA1:DFB39F684097EF2615ECDFBBEA07C61027085FFF
            SHA-256:DC525C3758A61AD80DC434023D0A53111BC2F54A1572E169BC5BEBD749CC9A9D
            SHA-512:D35E50A69907319525E92FA2B017B7F732E9FEA62B468F374804B488B5242451137480DC1755C02126EA302E95F4DAB6BBE6534B51E375AD6ECE2892C175B05B
            Malicious:false
            Preview:echo on..set args1=%1..devcon.exe remove %args1%..echo off
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:data
            Category:dropped
            Size (bytes):11622
            Entropy (8bit):7.262321244095951
            Encrypted:false
            SSDEEP:192:1fMl5zkpJC4eRe4fh8uEwFQbdxUNQlO8X01k9z3AXL9Wa38i:1Xp7Aeo8uExUKlO8R9zGpWa3z
            MD5:F99106D82F0FF3A7CEDEF078919DD359
            SHA1:C4281154C3B52B32467AB042B460333623033F3B
            SHA-256:51FA1FC1D6CBA95C28E0AA3D622DFEBF925548ACB5440CC3CD865ED1DDBCDC9F
            SHA-512:8F8DB7AC371C52F7C9622AADE894027B509D5EBD7FB75ED1C8813A7B1A01634EFCD25CEC0B8842E9FCC175550C39F3509A11D036F1247DF0E8E2F4B79E8790FA
            Malicious:false
            Preview:0.-b..*.H........-S0.-O...1.0...`.H.e......0..k..+.....7.....\0..X0...+.....7........ppwO..<.X.7+..230920084942Z0...+.....7.....0...0.... ..x...h.......+C..T...D.n..f.-1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..x...h.......+C..T...D.n..f.-0.....G.i..I7....K3U...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...d.l.l...0.... 2...F.[n.P.6.O.h...3in..=...?..@1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 2...F.[n.P.6.O.h...3in..=...?..@0....:........B~......1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>.
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):25088
            Entropy (8bit):5.301585636569163
            Encrypted:false
            SSDEEP:768:T/jmOxf+QZMuSOR8jfftu+lp3S/KG06EQ0v:TCOrLS/rk+lpMKG06EPv
            MD5:009DACE4EAA81F59E619B6AEF6684B48
            SHA1:8EED9304CC7DD14DD9B614B0EBB8464458170F10
            SHA-256:9059288BAE4FC8715CA67C98EEB0BECE76BA0CE196189B0FEF7EBE2E4D797CC4
            SHA-512:4E914F75C239E305319A75CFF358BB74F1D45694D66D6684AC59DD3B8515C13216E7AF74C6C7156F069666554E5796AF1DF0702A0BF847DD16694B28284630FC
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....hY..........." ..0..Z...........y... ........... ....................................`.................................Vy..O....................................x..8............................................ ............... ..H............text....Z... ...Z.................. ..`.rsrc................\..............@..@.reloc...............`..............@..B.................y......H........A...7............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*.0..T........(......(......(......(.......(..................s&...(.......(.......(.......(....*.0...........o#....j(....-..o#....(.....(....(....(....,..*.o$....j(....-..o$....(.....(....(....(....,..*.o$....(.....o#....(.....(.....o#...(....(.....(....(....(.....(....(h
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):10240
            Entropy (8bit):4.906632271878699
            Encrypted:false
            SSDEEP:192:GXh1+9FT278xgs9XoUPUx2rH2oq3PAU9hj3p991lRSzJEgB:iL+9FT2oxga9LrH2oY93pjRS9VB
            MD5:CC88D9CD36AFDB321CA58395A009B170
            SHA1:6D1FD46157840493DEA1DB8F7996DE606CD5B404
            SHA-256:62FA56823E248D1562EF54B14909A24C177F5A680EA661A2DBD01632D86C367D
            SHA-512:63D1C7F408EC8790E81114A3A36AAD0EC977CB2A544BBB34D56E677F3F29CE313358A3C8AE24EFB86601EF4CA18D410C3C20310E7E47060D976FCE51175A5EE6
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m.+..........." ..0.. ..........*>... ...@....... ....................................`..................................=..O....@.......................`......4=..8............................................ ............... ..H............text...0.... ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......&..............@..B.................>......H........(..(.............................................................(....*..{....*.0..O........{....,..{.....o.....+..{.....o.....r...p.{....{....(.....{....{....(....(....*..0............}.....(......}.....{....(....,...{....(....(....}....+Ks....%(....o....%.s....o....% ....s....o....%.o......(.....{.....( ...}......{....s!...}....*...}.....(......}.......(....("...}....*...0...........{....-.r...ps#...zs$..... ....o%.... ....o&.....o'.....{....~....o(....s).......s*.
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):28672
            Entropy (8bit):5.644125419442534
            Encrypted:false
            SSDEEP:768:zh/uRqYAXHKZ0DATRtMuVLco/6zeAWhk6xrMNcojEC9R9:zh/VY4YPMuVz/WeQsrMNcojZ7
            MD5:A9A0AA1A1D625C3919C79372EF288235
            SHA1:87028CD0D275BEDB1771B47FB4BAAF7AE6061BF5
            SHA-256:5F5C8A67FF04D3075DA7F5BC863D5D101E27EDE9336D2797179E2C83F1B000F1
            SHA-512:9728105C6356269E61AF1058898B6BD918C09A5E6956AF5073543CD4669B44E42F8FF41932C5F71CE9B8A49383FB01E9CFD619911E55828293757A888E053922
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....B..........." ..0..h.............. ........... ....................................`.....................................O.......X...............................8............................................ ............... ..H............text....f... ...h.................. ..`.rsrc...X............j..............@..@.reloc...............n..............@..B.......................H........B..(C...........................................................0..Y........(....,...'...*.o.....[.'.....o.....],.r...ps....z..+....[...o......(.......X...o....2..*....0..M.........i.'........i(......i.Zs.........+.......r...p...'...o....&..X....i2..o....*....0............Y...'.........(.....*..0..$.........i..i...*..+..........*..X....i2..*.0..G.......s......'.....o....s.........+.......r...p...'...o....&..X....i2..o....*..0..*.........'......Y.+.... ...._...c%....
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):1192
            Entropy (8bit):5.059106104983516
            Encrypted:false
            SSDEEP:24:JduPF7NV+TkH2/17zVUrPH2/+CVVXBOH2/17zVQ7uH2/X9y:327Gwg1Sg+CBOg1SagXw
            MD5:332BE3E21BF51019D30F3682034BA4CD
            SHA1:B89362ACEAC875258EB616551F97C6BD022A9200
            SHA-256:E2CBECB050A6F0296811552F52E238A5A24EFC7F31B156AFBAEF0B90D8F25534
            SHA-512:0A91ACF7620C99AE8896F0A2A9120B7081440234A68532054331F4E8CE16A12BC7FE07C12895A37625C6D0C3BDE7D97DBF003273BE906E581E487A402EBD98C0
            Malicious:false
            Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.batteries_v2" publicKeyToken="8226ea5df37bcae9" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f1
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):209408
            Entropy (8bit):7.118411209816897
            Encrypted:false
            SSDEEP:6144:Z8P7/P97ilHDqO01ktQOzB4YjDnX08RYA3fP5S:Z8PpilHD+kQA4uk8RYA3f
            MD5:2ACE85429EEE9E8320C82D878E5562B4
            SHA1:77ED8B89210930D1DE2495BA363519B696D0B6E2
            SHA-256:63D50DBE094BBCE5D7BF8AF08C0D919CFA5E057CA05AE7B27704A8477C8B348F
            SHA-512:7CE3467D1469ACDB544F4F42864D94C5AE0ADA252C5F096329E16D4B571FC1800BD572E52CFE902EE5D4B91D59A1A4182B07F40B7A4DFE54E338CA46684AF989
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....nX...........!.....(...........G... ........@.. ....................................@.................................`G..K....`...............................F............................................... ............... ..H............text....'... ...(.................. ..`.rsrc........`.......*..............@..@.reloc...............0..............@..B.................G......H........C..............D1......LC......................................F.~....o.........*..J.~..........o....*..0..E........u....-.*.t.......(....u....-.*..(............~....o...........o....*....0..T.......r...ps....re..ps.........r...p.....(.........(.................s....s....(.........*.0..G.............o....u....%-.&s......o....(...+(...+..,..#........o....+G.o....#........s....o...........o..........#.......?#.......?s....o....s.....s....%#........s....o....% h...ls...
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):461600
            Entropy (8bit):6.121892709817012
            Encrypted:false
            SSDEEP:6144:r4/m8Ea0LJqGVByY/ISDYLh0JPYqe9XMKr0g3pkUtdJAtQLxisgFafDcabBv805E:M+VLJqGVBlASKXMKJLBL0k/
            MD5:54AEB9BDBCAA96811DB6D02A620D2229
            SHA1:795AB7B578D8DEEE64BFA1AECB50391ABD25B5D7
            SHA-256:B628AEE109C1FD016F955C2FE3549EDD5195D86B57A213189A6210C396D00756
            SHA-512:D16DE313B944975ECE181D49959EC33806771EB4B6926279628454746E7BD1B1AA8D7243CFC027102518CC679BA980918259789C814D522441578DBFBC5B4F34
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ............" ..0.............^.... ........... .......................@.......N....`.....................................O....................... )... ......4...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................?.......H............Z............................................................(E...*..(E...*..(E...*:.(E.....}....*..{....*:.(E.....}....*..{....*..{....*"..}....*V.(E.....}......}....*..{....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*....0../...........1.......(F...*...X...+...%.X........X...2.*..0..%...........i.Y.+.................X...Y...2.*..s....*F.(...+(H...(....*:.(I.....}....*.~....*2.|....(J...**.(.......*2.|....(K...*..{....*2.|....(L.
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):68896
            Entropy (8bit):6.319426362612074
            Encrypted:false
            SSDEEP:1536:MuuEI8RKXkCKysZ4rGzxViOZWBG+foVswKlOyDYGQeywKeP70xSc:hf5OrGzxUomgVswJyDYGQe/P
            MD5:68528BFB3CF84503766EFB6A3921B7A0
            SHA1:37FA9BFC4A2031383AC2A1A774EAE21CB2C2A55B
            SHA-256:90132B0E9AE73337CC3FD5958DD5380D1742ED4E51EE9B5452EE0D54156879FD
            SHA-512:9FF86B04F86CE643BF49E90B928072FC1E44ADA2CBAFF9F446166529F935B23C329D429FCF3B593E9BE62953011D3D2E29CCD15D234AC34E3E621D16168DA510
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o4.d.........." ..0.................. ........... .......................@............`.....................................O....................... )... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......LE..H.............................................................(&...*^.(&......I...%...}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*..{....*V.(&.....}......}....*..{....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*:...('...(....*..((.....r...p(...+}......r...p(...+}......}....*..{....*..{....*..{....*...}......}......} ......}!......}"...*...}......}......} ......}!.....}"...*..{"...*..0..(........{....u......-..
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):485656
            Entropy (8bit):6.61009099792126
            Encrypted:false
            SSDEEP:6144:VrJLcdXl5xFcQyCmnMENW1H/M8f9Z5mNplX4XmRrcMFADwYCuMsligT/Q5MSg:VrJLcd15XafWN/vZ4NLqmRrctb65MB
            MD5:6155B91228D88A0CFFF0E8F32942E772
            SHA1:B855C00124FF8048DD278F3ADA5A3392576AA5D6
            SHA-256:AA99E6AD71C01997C154BE1F0F6E5402266F787422CF67D66C5D59F63D26131F
            SHA-512:4E6A0C07C09845072EBE16AA7087B572358800E6FF1691B2A2E6F56C60EBDDB29EB9CDD4412DC78A8B9738E2D14B76B6C72373DBC7CD444B972E6320A818A728
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-.n..........." ..0..8..........BV... ...`....... ....................................`..................................U..O....`...............@...)...........U..T............................................ ............... ..H............text...H6... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............>..............@..B................$V......H.......t... ?...........K.......T........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*......(....*v...o......o ....o!.....("...*.0..V.........r...p(...+}$.....r...p(...+}%.....}&......r...p(...+}'......rC..p(...+}(......})...*..{$...*..{%...*..{&...*..{'...*..{(...*..{)...*...0...........q........})....*6.s*....o+...*..0..)........s*......o,...~-...~....~/...~0....s1...*....0../........s*......o2....s3...~-...~....~/...~
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):12288
            Entropy (8bit):4.9894399990535785
            Encrypted:false
            SSDEEP:192:6SNau5KGFgn97spCUyTEOehDXh5sy0x0cI:DFTgNfQOe1Xh5sym0T
            MD5:E9A35F8D6FC71C5DE125CC864FB66148
            SHA1:5E786CD645D8C2114A10E455E1BFD510A5DD8BE5
            SHA-256:DBE71AFF3E3B31669FFDAF6CE1ACD433014B818D9AFCD87843E0EA44CD5B894A
            SHA-512:324D78FBE5131FB62A5166B2D7FA328B70B8480E7E4A8C5133A9A497BE490056BF971E83A318D3D3556573C371ECA47CF9F12788B6D3A523ECA5066B5B1FF0B3
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....H..........." ..0..(..........nF... ...`....... ....................................`..................................F..O....`..............................tE..8............................................ ............... ..H............text...t&... ...(.................. ..`.rsrc........`.......*..............@..@.reloc..............................@..B................MF......H........*..X..............................................................(......(......(.......(.......(.......(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*....0..p........-..*.u....,........+..*.(......(....(....,B.(......(....(....,..(......(....3..(......(....3..(......(......*.*.0..m....... C... )UU.Z(.....(....o....X )UU.Z(.....(....o....X )UU.Z.(....o....X )UU.Z.(....o....X )UU.Z.(.......(....X*R..........
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):1430
            Entropy (8bit):5.037022201639899
            Encrypted:false
            SSDEEP:24:JduPF7NUrPH2/+CVQ7uH2/XV0PH2/+w3VV+TkH2/17zVVXBOH2/17z9y:3276g+CSagXsg+w3Owg1BOg1w
            MD5:FDC82C11296CA77D3A27DE9A030C06AD
            SHA1:B36EFA9C90C46386C8B745D4E865F9A6E40C75DB
            SHA-256:8E9E9EB64BF5F7BDAA2D18A19B8E5936640B8F14F3F6B89CDAD3B31A6E2D04D1
            SHA-512:60B143C7AC6B21ECB49CED9E826E320A65E95896568A82A5EC78D63A1B6A111C54952E68D9E7A81FAE064F4899D9DF3B354EDF78BE47B567BDDE58057FA2AB39
            Malicious:false
            Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutr
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):12288
            Entropy (8bit):4.6365058468804055
            Encrypted:false
            SSDEEP:192:SQZuc9daUvdNX3j7vGPYbbegoTnZOZOKzLgrDtd:SQcunfGPYbbegoTnZuWZd
            MD5:6BD94B959873B15EE070DB03C910E727
            SHA1:9255B0627EDA36B16DCFF2360BA3E79BA07BCC81
            SHA-256:94C31663DE6A9F509B9C259FC02FF709FE999EDD8708C98FA63D4F99BF09E696
            SHA-512:8156EFFAE8DD6B4DA5CA2F857F42D0FEC5AA97475A4CB2C0918B69A9E1454B144307CACF011F8F9CE05D422466E90D5CB3DE99215BD75FB4A7C0CFD26DB08A0F
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....X............" ..0..(..........BF... ...`....... ....................................`..................................E..O....`..............................8E..8............................................ ............... ..H............text...H&... ...(.................. ..`.rsrc........`.......*..............@..@.reloc..............................@..B................#F......H........(..0............................................................r...p.....*R.{....-.r...p*rM..p*R.{....-.r...p*r...p*R.{....-.r...p*r1..p*R.{....-.r_..p*r...p*R.{....-.r...p*r...p*:.(......}....*.0............@(...+(...+....,*.(....-..(....+..(....& ....(.....(....&..r?..p(.....(....rk..p(....r...p(......(.....s....}......(.....s....}.....{.... ....o....-..{....o....r...p(.......]......r>..p.o....(....(.......>.....{.....o.......r...p.o....(....(.............{.... ..
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):1192
            Entropy (8bit):5.059106104983516
            Encrypted:false
            SSDEEP:24:JduPF7NV+TkH2/17zVUrPH2/+CVVXBOH2/17zVQ7uH2/X9y:327Gwg1Sg+CBOg1SagXw
            MD5:332BE3E21BF51019D30F3682034BA4CD
            SHA1:B89362ACEAC875258EB616551F97C6BD022A9200
            SHA-256:E2CBECB050A6F0296811552F52E238A5A24EFC7F31B156AFBAEF0B90D8F25534
            SHA-512:0A91ACF7620C99AE8896F0A2A9120B7081440234A68532054331F4E8CE16A12BC7FE07C12895A37625C6D0C3BDE7D97DBF003273BE906E581E487A402EBD98C0
            Malicious:false
            Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.batteries_v2" publicKeyToken="8226ea5df37bcae9" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f1
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):90112
            Entropy (8bit):5.942626437949717
            Encrypted:false
            SSDEEP:1536:l/yCHmCh+SXU3b88bGkc07ylVupbY1jht9lEwkfCKcxFQ:JX9kr86Gkc02lVupbyjvdg
            MD5:5F0FD20617D7DBF8D5EDDBA30DE47769
            SHA1:BA5BD4241D3BBA553A89AB8DF75314B70D1820C1
            SHA-256:DDA4728FC38441449EDB924FC35C94808999DA0AD4B1FC07D6FFA1732FDA8418
            SHA-512:A9A46D24F8E7F1E447E9741D8D9E4D4A564784F57CE53CA175DA6E21ADD5A860C1535B27248E7402FBB05DCE2C0668964F78C2EB66EABD5FC7B04BF6B2FDE52D
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..X...........w... ........... ....................................`..................................w..O....................................v..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................w......H....... .................................................................{....*"..}....*>..(......(....*"..s....*..{....*"..}....*......(....*..0..?.......s........}.......(.....,%.{....,...o...........s....(...+(....*"..s....**....s....*R.o.....o......s....*..{....*"..}....*..{!...*"..}!...*..{"...*"..}"...*..{#...*"..}#...*..{$...*"..}$...*..{%...*"..}%...*..{&...*"..}&...*..{'...*"..}'...*..{(...*"..}(...*..{)...*"..})...*...0..................r...p.s....("...*....0......
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):1192
            Entropy (8bit):5.059106104983516
            Encrypted:false
            SSDEEP:24:JduPF7NV+TkH2/17zVUrPH2/+CVVXBOH2/17zVQ7uH2/X9y:327Gwg1Sg+CBOg1SagXw
            MD5:332BE3E21BF51019D30F3682034BA4CD
            SHA1:B89362ACEAC875258EB616551F97C6BD022A9200
            SHA-256:E2CBECB050A6F0296811552F52E238A5A24EFC7F31B156AFBAEF0B90D8F25534
            SHA-512:0A91ACF7620C99AE8896F0A2A9120B7081440234A68532054331F4E8CE16A12BC7FE07C12895A37625C6D0C3BDE7D97DBF003273BE906E581E487A402EBD98C0
            Malicious:false
            Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.batteries_v2" publicKeyToken="8226ea5df37bcae9" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f1
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):26752
            Entropy (8bit):6.512503595653532
            Encrypted:false
            SSDEEP:768:DulwnBhYlTVv2wK5idcgF4of1n6K9zUYJ:ywHYFtKYdcg/f1nXzUYJ
            MD5:970B6E6478AE3AB699F277D77DE0CD19
            SHA1:5475CB28998D419B4714343FFA9511FF46322AC2
            SHA-256:5DC372A10F345B1F00EC6A8FA1A2CE569F7E5D63E4F1F8631BE367E46BFA34F4
            SHA-512:F3AD2088C5D3FCB770C6D8212650EED95507E107A34F9468CA9DB99DEFD8838443A95E0B59A5A6CB65A18EBBC529110C5348513A321B44223F537096C6D7D6E0
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$:............" ..0..4...........S... ...`....... ....................................`..................................S..O....`...............@...(...........R..T............................................ ............... ..H............text....3... ...4.................. ..`.rsrc........`.......6..............@..@.reloc...............>..............@..B.................S......H........'..P*..................,R........................................(....*..(....*^.(.......1...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*..(....*..(....*..(....*..(....*:.(......}....*..{....*:.(......}....*..{....*:.(......}....*..{....*..(....*:.(......}....*..{....*^.(.......2...%...}....*:.(......}....*..{....*z.(......}.......2...%...}....*V.(......}......}....*..{....*..{....*:.(......}....*..{....*..{....*"..}....*..{....*"..}....*..{
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):711952
            Entropy (8bit):5.967185619483575
            Encrypted:false
            SSDEEP:12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
            MD5:195FFB7167DB3219B217C4FD439EEDD6
            SHA1:1E76E6099570EDE620B76ED47CF8D03A936D49F8
            SHA-256:E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
            SHA-512:56EB7F070929B239642DAB729537DDE2C2287BDB852AD9E80B5358C74B14BC2B2DDED910D0E3B6304EA27EB587E5F19DB0A92E1CBAE6A70FB20B4EF05057E4AC
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O......................../.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):294912
            Entropy (8bit):5.96623908194718
            Encrypted:false
            SSDEEP:6144:pjRrliK3x0YVUQAMiqzodDwRhSE/Z+j1DnJj1FVtZ//x:JRrliK3x0YVlAMiqzo/JZH
            MD5:39D370F850D234CF73DA822A7F2121BD
            SHA1:379960EF969DEF2B0A563C829BE3F413B52F49F5
            SHA-256:CF57674E763AD6F47F330AD21B2B663616AF053D6C5072540DD99879261FC6D3
            SHA-512:17F15A4C972DFE83DF07D321295C7C312D38569FE2DB19B45DF84C11890133B3542924343BB5B2838ADB2CEE1FEA47B3D214B6EA4C5801DF02B30C947F7E9CF6
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.........." ..0..v..........n.... ........... ..............................S.....@.....................................O.......$............................................................................ ............... ..H............text...\t... ...v.................. ..`.rsrc...$............x..............@..@.reloc...............~..............@..B................P.......H.......dK..8?...........................................................~.......Y.*.0..l.........Y.X........+W.-....Y~.....+D..3....Y~.....+4...3....Y~.....+#...Y.(....(....~9.....2..+...s.......X...1..*r.(......}......}......}....*..{....o.....{....o.....{....s....*2.{....o....*6.{......_...*2.{....._...*f.{......_-..{....o....*.*..(....-..*.(....-..{.....o.....2..*..(....{.....o..........*..(....-..{....o....*.{....o....o....*..{......_-..{....o....-..{....._-..*.*.*2.{...
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):184320
            Entropy (8bit):6.186528718822514
            Encrypted:false
            SSDEEP:3072:Zn1z0eAv+f6FuseJFf3+Ptl6n6dYQ7g8QqWF2OYiBbcfJS/zC3lR6O/c:Z1z0bv+f68LRol6n6diqyt8R6
            MD5:98A13F2791C25C39C65268A55EBC219C
            SHA1:9843E3FE2BDB0D42509F5B1DDF02A71A6683FC82
            SHA-256:199E6A74E46AE881AD238656169CEAA390E2C2CE8038494BAAC236C117838D9F
            SHA-512:3F74016B5FB2636F102DF8347D283FCDD831AD0884A133623CFB1147D1E47E795F772162A401ADEEB3BC1787FA022EF6302C50580BC2405A4C6C7DAA407CEEE7
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):101376
            Entropy (8bit):5.985092012305013
            Encrypted:false
            SSDEEP:1536:oTQ+q+zYQKdQVHYMqMuuy6I2SbEt3/ilufBNaxJtfIlic7h8rp2:CVuX2SbEt3YC7ErBp2
            MD5:E9B6CAF8D7A3351D36BF3C16FCCD5BB6
            SHA1:5E06692D09AC842E3A87972D0827F655C06643E1
            SHA-256:1B40EEE85207AC6424BBE3E6ADECB8F2028D840AC7492CDD4C3C5D65D30591BE
            SHA-512:C8955986F37A716430AB3F905B0629B86488569DBF9CD112C408CBA9277E62A3ACC44E72910F4FD6C3973BFF2858E1C9174CB81A034CB1D874FC9E125D62C19D
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):11264
            Entropy (8bit):5.165095041426296
            Encrypted:false
            SSDEEP:192:MGLhQCwvA9yV+FOdJNFOYBH8aZ2L13pS9mWgcbcTVDggAA8b:phKpVrHHBH8aZqmgDTFggAAK
            MD5:FC99E1AECA222C1980C3042AC2E72C08
            SHA1:D94BBD5C3CB1324AA1B66E984E8DE2F3BEBC9939
            SHA-256:7AA16C8D1D924C877B5CFF9E84ECB633FA5E654B19A24F98CA2933319D193D15
            SHA-512:A86C1CCCDDD421F8D9A5EB9D89DE2B0D35736A98360B34EADA658C8C55A05FA941049CF1B735CC3721FAA81859E2B4C386F1892A58EC6BA7509F3418B0F0E801
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):50688
            Entropy (8bit):5.811409220314285
            Encrypted:false
            SSDEEP:768:jmOGveifSTtyXEQ3nPGLb4PFvSMJCD2j+SIfHq1wJd9P581IADm/Dskqd:FLTtyXEQ3+bO6U+dlrPi14LsX
            MD5:E4823410682299E5A17619043C789EFB
            SHA1:410D31CA04AF5264F265DF10DE499416225A0962
            SHA-256:C33995427EDD44FA641CF702DF8B63CC82CB7054DD984DC8277D15EE7C958874
            SHA-512:5DDF9C356CB813BCA2097184CB16172A6B3D70CFB17CD11216CD1268550C2C897BC0C42A6675720E334EBF150EBB3725185380BB5822D9B4D953B00EC0B21583
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):64512
            Entropy (8bit):5.579635492627126
            Encrypted:false
            SSDEEP:1536:Kjb2NmqeZsE64aEKbMsZG0EN3ovewf8unWE7LJ/ZE/i1:KjbUmqWL3MjWkV8I
            MD5:C8A7C821CC06720B082CC301C902675F
            SHA1:DF4F540B334EF6701F0C995CE1CFD10F2AF3A52E
            SHA-256:6C5A7905456018EB99C214644A25F2A93542E52AA0083A18F76FFEFF408D33FC
            SHA-512:6158C3F24AF9499A12FCB8D323E945E23D37C811DD7F5D668F98C189D359BDBAF4CB954A6C5C27B8675C0EACF23EC3BF9F51C9A90065903A5BFA0B88C1A26699
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (327), with CRLF line terminators
            Category:dropped
            Size (bytes):401
            Entropy (8bit):5.064495148978155
            Encrypted:false
            SSDEEP:6:F8694BgqrJzkmwPIct0yl/mmFN3tfRGiTy6EGrgyAyxAyI2R842uRn:F794tdk5jtnrC0yyGyD5Rn
            MD5:E870918430EAF37D07C8A8564B87468E
            SHA1:18BD9AF36B48432352AFFCEE343CF052D9E5249D
            SHA-256:5ADFAACE20B0A450F32B416A370A4773132145074DC5AF68A4BEB24CF4DA24AA
            SHA-512:B79E189866059E16F9D822F9326CDAD0191E80DF9B33F533F46CC2BB6350D4C1E45D17FE9765468546E6488F7514D6E2F39184E975A714AAC0CC589BD98C2FDA
            Malicious:false
            Preview:.echo on..set "params=%*"..cd /d "%~dp0" && ( if exist "%temp%\getadmin.vbs" del "%temp%\getadmin.vbs" ) && fsutil dirty query %systemdrive% 1>nul 2>nul || ( echo Set UAC = CreateObject^("Shell.Application"^) : UAC.ShellExecute "cmd.exe", "/k cd ""%~sdp0"" && %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs" && "%temp%\getadmin.vbs" && exit /B )..sc start "AccesskeyService"..echo off..exit
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (327), with CRLF line terminators
            Category:dropped
            Size (bytes):408
            Entropy (8bit):5.0917913131282635
            Encrypted:false
            SSDEEP:6:F8694BgqrJzkmwPIct0yl/mmFN3tfRGiTy6EGrgyAyxAyI2Re9SE7c2uRn:F794tdk5jtnrC0yyGyD0o0WRn
            MD5:818D01EAC4231B35964F077D5A2DD233
            SHA1:DB2B8DF50700CD3A1262572DAF097A90FCD55859
            SHA-256:D00C5EBDAF9D4455B3B62EB882D31A12001D89EF483447A52433300975CA7DA1
            SHA-512:FC961A202807BBD213BDC31549BF693611FC514D371CF386F4D8C6598517A40460212E7EDA299EC108ED1AF8D49F31BBFA79B8B685BAF88895ED2D6113D541EE
            Malicious:false
            Preview:.echo on..set "params=%*"..cd /d "%~dp0" && ( if exist "%temp%\getadmin.vbs" del "%temp%\getadmin.vbs" ) && fsutil dirty query %systemdrive% 1>nul 2>nul || ( echo Set UAC = CreateObject^("Shell.Application"^) : UAC.ShellExecute "cmd.exe", "/k cd ""%~sdp0"" && %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs" && "%temp%\getadmin.vbs" && exit /B )..sc start "IDmelonTagreaderService"..echo off..exit
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (327), with CRLF line terminators
            Category:dropped
            Size (bytes):400
            Entropy (8bit):5.067904955709468
            Encrypted:false
            SSDEEP:6:F8694BgqrJzkmwPIct0yl/mmFN3tfRGiTy6EGrgyAyxAyI2RdFW42uRn:F794tdk5jtnrC0yyGyDTHRn
            MD5:AD612C9DDB6599506A9E675D6FCC4016
            SHA1:70B92B9CBC37BF58BA585AFBFBF341A6E49CEB56
            SHA-256:68D268C9ABB712BEE74ABC06FA3C025324241FE1A8B73122B5C1A0D0E82C066B
            SHA-512:DC424F1E4F59F74985DC62A652F7DB0574D2111DCF64A741EED2FA10C973B19B5C8AE25B87DC1DD4200B6E19000EF38DCA335627AE7F9DBCF5359FFC75BFF980
            Malicious:false
            Preview:.echo on..set "params=%*"..cd /d "%~dp0" && ( if exist "%temp%\getadmin.vbs" del "%temp%\getadmin.vbs" ) && fsutil dirty query %systemdrive% 1>nul 2>nul || ( echo Set UAC = CreateObject^("Shell.Application"^) : UAC.ShellExecute "cmd.exe", "/k cd ""%~sdp0"" && %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs" && "%temp%\getadmin.vbs" && exit /B )..sc stop "AccesskeyService"..echo off..exit
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (327), with CRLF line terminators
            Category:dropped
            Size (bytes):407
            Entropy (8bit):5.095958406848568
            Encrypted:false
            SSDEEP:6:F8694BgqrJzkmwPIct0yl/mmFN3tfRGiTy6EGrgyAyxAyI2RdZE7c2uRn:F794tdk5jtnrC0yyGyDTZ0WRn
            MD5:83999CB2B340534A72785D49A5185718
            SHA1:757E5D2833539108DD8EA3E03E81AD4165DD89C0
            SHA-256:FF7D44C5CF92026F63DF56CE6825B6E69EE14ABA6AE229E06C4AE03DCF1810AB
            SHA-512:A6A33396E7A28C6197072B8B797326A05C4217AD3AC27424F3963BD9EAF8065AA083D58C9BC8BD73F28FEC5A56F1A528A5211D2B39AAEE82F75F40CE1902ACC2
            Malicious:false
            Preview:.echo on..set "params=%*"..cd /d "%~dp0" && ( if exist "%temp%\getadmin.vbs" del "%temp%\getadmin.vbs" ) && fsutil dirty query %systemdrive% 1>nul 2>nul || ( echo Set UAC = CreateObject^("Shell.Application"^) : UAC.ShellExecute "cmd.exe", "/k cd ""%~sdp0"" && %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs" && "%temp%\getadmin.vbs" && exit /B )..sc stop "IDmelonTagreaderService"..echo off..exit
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):36864
            Entropy (8bit):5.446927521203983
            Encrypted:false
            SSDEEP:768:sOAnaMx/sBpZ4LBGhj0Q/Zi4ugn8AZyQ33W076pLS:xAnDUBpZ8G/mAH
            MD5:C8B5C818EDA361C70D6F6B0168021787
            SHA1:A613691900EB3355712F44522B2C9EC16FAB0208
            SHA-256:E1776E33CB542C5ACF3272012D7D10A9A0825FDF4A61156A849922A1C2B2BFDD
            SHA-512:DC32B1F9189F559A8F3CE0EEA557E2AE98EB4C986E7C7ACDF96FC47BFA2C28B72CD877EAB1058F40A1B8DBF971B78AB0F2E70103AFCDCF12B5FF5C3071575AF9
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):1673
            Entropy (8bit):5.020737883232971
            Encrypted:false
            SSDEEP:24:JduPF7NILhpPH2/i/QVQ7uH2/XVV+TkH2/17zVUrPH2/+CVVXBOH2/17zVEPH2/2:327ugDSagXOwg1Sg+CBOg1gg+w3w
            MD5:6B3FDF65DF4A30692CE9EF25E9B06E4F
            SHA1:DFBFABA0E0F9AAE107EA8C4AC21B6342F7A825DC
            SHA-256:CD5E255267B12593722E107DA6205EA0C3BEE8242BB742B87979E0546CFBF162
            SHA-512:80AF3C7633A724D57E1AB2EF75762A271CD7AFD9E31E1C3C591B89EBB2413944FFB04D23D9CF5AF8318CBD8A979E1F202E53FB59B7FBC14EF8BFE2FBA0AA0380
            Malicious:false
            Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Text.Json" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-7.0.0.3" newVersion="7.0.0.3" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" cultur
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):165928
            Entropy (8bit):4.8862081336233
            Encrypted:false
            SSDEEP:768:P1PybS2XfSy8S0jS9tRNCsB48pwZHgyQLiqMphHY+BHAKqQK+pODKE9uLUKgKNJU:P16ZI+C30UHfwi5H0upOOyLDQvNX+L
            MD5:9E99F6F2DC43830D3959E55EDDDDB422
            SHA1:98421E8A9C1338AD98D8115C8F7E85CFC7F778CE
            SHA-256:D4F6EDE434577D4D47DB52EDE20762343968AA55B126DE34899E0CB8D95DE897
            SHA-512:B7E898CA1BE2356C3F2C26327D0857E95ECBB51C2688EF34CFF2760AEA7FDDF4F04BD1498A8955327BA15825B47A27C34239B6E0D6E7A85EA743D017532652DF
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):2158
            Entropy (8bit):5.001906641704252
            Encrypted:false
            SSDEEP:48:327Yg+mSg+Cgg+w3Owg1BOg1sg+w3mgDSag+FIw:KkTJweJywDN
            MD5:08F1F6BE83F37D15AE0712D06BE2A2BD
            SHA1:5406180DD412ED1F1156FB9D2D3F8DCA46FCADC8
            SHA-256:A76DD9BC94DC1898DBA458FD6723D6D13FA5BF6C1C1A7DC427176FDA9452C255
            SHA-512:924919364B3D452ABD3B3C28E12AEE6269F3B00022BD28D6C937BDA0442276876C1D9529E275772C28EE7147A6FFA037DFC94CEAB24C0F3EA5790A98ED30035D
            Malicious:false
            Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.1.4.0" newVersion="4.1.4.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.ValueTuple" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />..
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):6144
            Entropy (8bit):4.274825677811034
            Encrypted:false
            SSDEEP:96:ysIyrk8HlIxX8cr22F+04xXzLjsUCj5CWCwLp:ybuSXXr2G8Lg5CC
            MD5:972CF7A2ABA153424A0662839E3392C2
            SHA1:1C578A512D07B4EC6DB9FBA6764052A9F0F6E1BE
            SHA-256:6471168C0B27CE265A51C17E49D45411FAB1CFEB9232AC8121C72E473A9F5AE5
            SHA-512:C8ECDBF4B445A92368F4495638B6A92CA221119FD720719317F0BE2C38A3B959560C7275873FD44D7FE561ECB9577B0685CD08E466ED3B4668A7C095ADD2F4C9
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):7168
            Entropy (8bit):4.852842646024464
            Encrypted:false
            SSDEEP:96:hOzpHU8Qv77EBsSfSMe3qDdxst4jJEjrluuCTI6y4:k+tXjSfrQ7tGJqr0H1
            MD5:A97869B96E79428CD4DE4FF68033004C
            SHA1:C4AA6C116BAD95CEE3AE55634F314271280CDCF7
            SHA-256:A3C7E1BE985467BBB6877A2B943CCA4CF51D0AD95AC77832180AA0C32DC02AB5
            SHA-512:77E76F6982302408944BD1508342AEB0B0BBA78745B2884D1EE3958025CB64A370CD3861348FAD40DA13F9B8E66B94AB6113247F8C0B5B52E4697854BC5E98C5
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):16384
            Entropy (8bit):5.368820720638889
            Encrypted:false
            SSDEEP:384:nwTZplrcrd+qyGDbDDDDbDUl081IgEeOpNdueeu2eUA:w1HqQlqeWdue4A
            MD5:21EBD70AA77DAEEB17A2CBF67C692303
            SHA1:E07B57C359ADDFF75A05A27A89A156AB04B84F4E
            SHA-256:03DDC08CDF50F6459342190B5C420AA34593B30A8BEF6BDB151F9A0B6DA99178
            SHA-512:8C87605AD79AE623D0AC727F5F87FBA8EF2DB37818E8906C281B689B22DA55A122932BE427E76AE463D18FFBDEC5695BD761B6AD1DE48EE047CEA0AB8EA24D8F
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):78336
            Entropy (8bit):5.871892034938933
            Encrypted:false
            SSDEEP:1536:lumQyiDPHmQ9WunI5z+rMhBgowTY3Hwmj1q2jwkrM9a:gm3umQbIiMhBrws3QI1qRkrP
            MD5:4B7D9B4D9125563AA9559AE6514B4531
            SHA1:49040376A040DD128EACD561850990883F02A2CC
            SHA-256:83EDC51BFE335F8744604E60DD7B761EE8197DFC79B3FACB754ACB71998A1690
            SHA-512:3313BACD146A5566DFD70563FAFD2356AEE40094922B823AF2EDFD58EDA1E1715B637F89ED339068CD567416B3DD9B9A87F68FA38DEA7AA2558EC1F4D6D758C1
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Program Files (x86)\IDmelon\Accesskey\Service.exe
            File Type:SQLite 3.x database, last written using SQLite version 3033000, file counter 5, database pages 10, cookie 0x5, schema 4, UTF-8, version-valid-for 5
            Category:dropped
            Size (bytes):40960
            Entropy (8bit):0.2878717232896105
            Encrypted:false
            SSDEEP:24:TLsnOLXGt+MwZvp6XGT+MxgrXGt+MeiMXGZJU5dXGtz9leeee:TRLXKM9p6XSFgrXKKiMXOIdXKz
            MD5:512E0C244AC04D27B26F4269F8071065
            SHA1:C2F421D27D62B378D245AC19789A85FF2695D838
            SHA-256:6D08531FFF511C9F2EF043DA2486AE777ECA77E1A8F81994751ACBD6FE22BFAB
            SHA-512:D77D4C1EC123EA2B4B1AC71F3101BA6FE292F1890ABB657C6382BA5D50E0D743EE1F8C41F6E69125CEC34DBDAF21F39F1BBFE1F2D1419E7A2F556A88A7629F02
            Malicious:false
            Process:C:\Program Files (x86)\IDmelon\Accesskey\Service.exe
            File Type:SQLite Rollback Journal
            Category:modified
            Size (bytes):4616
            Entropy (8bit):1.571663204849883
            Encrypted:false
            SSDEEP:24:7+tBPqL0G6XGT+MxgrXGt+MeiMXGZJU5dXGtz9R:7MNqH6XSFgrXKKiMXOIdXKzD
            MD5:73C5C72F9491F9C3B3AA267EB5BF68E4
            SHA1:3E88205951616B132272555B3C614D46B48D7578
            SHA-256:1CBD76A43663D954A4AD912B92ECC123819E05D91E7EA2A2D805DCF062B6EF69
            SHA-512:40CC76457FD54829D451850A591D8EC06749BC3111A23D1931C39022315073BAE5D1E63EF1DE159D5880D63FA7FBE1C22CF1E5BFC4440D8234E3821F355E0D86
            Malicious:false
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):12800
            Entropy (8bit):5.35006186027745
            Encrypted:false
            SSDEEP:384:HbLoKXGYTOw7+GwJ5pm83AYsoOLHG/dH6W:HbLpG9WooHGFHB
            MD5:ACDD4380035D977ABA2FA558A351FC2D
            SHA1:7B67E12F024C3E159A01C4C812ABB2EBD87EDF6D
            SHA-256:BE75B10A04E02FCCBE9DA405262A56EEFE53310FE0E6C309B1E6CC71C9E249D0
            SHA-512:70E70D7883534854AC440A4DE1EBB3ECA3DFD3ADB76D1E0FA1A8DE2C10DFB3FAE88AFD17E45F5233B1A2B0BD19A5AD46897E949459BC7AE57310AA52CBD4B0DC
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s............" ..0..*...........I... ...`....... ....................................`.................................II..O....`...............................H..8............................................ ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............0..............@..B................}I......H........(... ........................................................... ....*..(.....s....}.....{.....}W....(....*b.(.....s....}.....(....*R.(......}.....(....*F.{....o....o....*.0..b.........i...i..{....-..(....,....}Q......}R....*.{.....{....{W...o.......{..........o....}R......}Q....*...0............i...i.!.......+.........i....X......i2..{....-..(....,....}.......}.....*.{.....{....{W...o.....{.....o.......{............o....}.......}.....*....0.......... .....".........
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):1415
            Entropy (8bit):5.0365606453501925
            Encrypted:false
            SSDEEP:24:JduPF7NruH2/+YVV+TkH2/17zVVXBOH2/17zVUrPH2/+CV0PH2/+Q9y:327Yg+YOwg1BOg1Sg+Csg+Qw
            MD5:74A1E9E2C09E9A02425E15E3734C3AB7
            SHA1:BDA59ACB1E4BE2214B795AE54C4845EC62FF60FA
            SHA-256:6AFD5C4F0AF961344237D01CC076B22DAD492757A83E888B04518E37962AE5A5
            SHA-512:535B7BD67267DA6C4D6C864FBD73150277466091E738376E1D09DE68DC480DEC654AE7856D05D18E4096D3C9222E4024CDE430EE80E7D29AB7201F7BCB2E1BE8
            Malicious:false
            Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.1.3.0" newVersion="4.1.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.batteries_v2" publicKeyToken="8226ea5df37bcae9" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" cultur
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):20856
            Entropy (8bit):6.425485073687783
            Encrypted:false
            SSDEEP:384:/rMdp9yXOfPfAxR5zwWvYW8a2cyHRN7vCvlbLg:/rMcXP6N6e
            MD5:ECDFE8EDE869D2CCC6BF99981EA96400
            SHA1:2F410A0396BC148ED533AD49B6415FB58DD4D641
            SHA-256:ACCCCFBE45D9F08FFEED9916E37B33E98C65BE012CFFF6E7FA7B67210CE1FEFB
            SHA-512:5FC7FEE5C25CB2EEE19737068968E00A00961C257271B420F594E5A0DA0559502D04EE6BA2D8D2AAD77F3769622F6743A5EE8DAE23F8F993F33FB09ED8DB2741
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ....................................@..................................B..O....`..@...............x#...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*B.....(.........*R.....(...+%-.&(!...*^.....("....(...+&~....*.s$...*"..s%...*..(&...*.*....0......................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):142240
            Entropy (8bit):6.142019016866883
            Encrypted:false
            SSDEEP:3072:nUGrszKKLB8a9DvrJeeesIf3amN32AW/rcyw/s:OB8l3/aK32qU
            MD5:F09441A1EE47FB3E6571A3A448E05BAF
            SHA1:3C5C5DF5F8F8DB3F0A35C5ED8D357313A54E3CDE
            SHA-256:BF3FB84664F4097F1A8A9BC71A51DCF8CF1A905D4080A4D290DA1730866E856F
            SHA-512:0199AE0633BCCFEAEFBB5AED20832A4379C7AD73461D41A9DA3D6DC044093CC319670E67C4EFBF830308CBD9A48FB40D4A6C7E472DCC42EB745C6BA813E8E7C6
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6wb.........." ..0.................. ... ....... .......................`.......>....@.................................`...O.... ..@................'...@......(................................................ ............... ..H............text........ ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....((...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o)....{....(a...*..(....zN........o*...s+...*.(....z.s,...*..(....zF(U....(O...s-...*.(....z.(V...s-...*.(....z.s....*.(....z.s/...*..(....zN........o*...s0...*.(....zrr...p(\....c.K...(O...s1...*.(....zBr...p(Y...s1...*.(....z.s2...*.(....z.(X...s3...*.(!...z.(_...s3...*.(#...z
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):115856
            Entropy (8bit):5.631610124521223
            Encrypted:false
            SSDEEP:1536:nPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/hV+sUwS:nWw0SUUKBM8aOUiiGw7qa9tK/bJS
            MD5:AAA2CBF14E06E9D3586D8A4ED455DB33
            SHA1:3D216458740AD5CB05BC5F7C3491CDE44A1E5DF0
            SHA-256:1D3EF8698281E7CF7371D1554AFEF5872B39F96C26DA772210A33DA041BA1183
            SHA-512:0B14A039CA67982794A2BB69974EF04A7FBEE3686D7364F8F4DB70EA6259D29640CBB83D5B544D92FA1D3676C7619CD580FF45671A2BB4753ED8B383597C6DA8
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ..............................DF....@.................................f...O........................>.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..|?..........$... ...D.........................................(....*&.l(....k*&.l(....k*..l.l(....k*..l.l(....k*&.l(....k*&.l(....k*&.l(....k*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2rG..p.(....*2r...p.(....*2r...p.(.
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):16768
            Entropy (8bit):6.361391591273708
            Encrypted:false
            SSDEEP:192:LGLxTyHvc4ROgcxAdWXYWJeaPtWsI9A9GaHnhWgN7aJeWw0fnCsqnajt:LgGLROZAdWXYW8aPcyHRN7WEqn1lx
            MD5:DA04A75DDC22118ED24E0B53E474805A
            SHA1:2D68C648A6A6371B6046E6C3AF09128230E0AD32
            SHA-256:66409F670315AFE8610F17A4D3A1EE52D72B6A46C544CEC97544E8385F90AD74
            SHA-512:26AF01CA25E921465F477A0E1499EDC9E0AC26C23908E5E9B97D3AFD60F3308BFBF2C8CA89EA21878454CD88A1CDDD2F2F0172A6E1E87EF33C56CD7A8D16E9C8
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^...........!................^2... ...@....@.. ...............................y....@..................................2..S....@...................#...`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@2......H........#..@...................P ......................................{.v.`)!.t..@.62C<.=...h....X..}.`v.r...g.e...yXa.dat.mwQ.XdJ...M..`..J...$|.j.6W.U.3.r.A.h.....9Q..|..,<g..gy..6V9o%..Gd.r.0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0................*..0...............*...0...............*...0..........
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):78976
            Entropy (8bit):6.105061710610473
            Encrypted:false
            SSDEEP:1536:4OO7OOOc2yIDmBkKQh3rt7jUGyRG/mz4CRLf8ocVW4t72bfQZHzp:fyMmXQh3rNjUFG/mk8f8owW4s0ZHF
            MD5:C77AE3414D78C1F082C65415FAE69661
            SHA1:3B35461D86A774535AC226CA9706FB50332DE20A
            SHA-256:C792BFE3F43C894E20339252D159A96A20CCC6E13322B2D382570FF97939E501
            SHA-512:08941BA8BE5031CC4E363A916525437C62B409576C91C10FC72795FAA10BC989F0D1797B576802E208DFE4305A4447C0299E2755BA92F97F531DE1F56FD5865A
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....u............" ..0.................. ... ....... .......................`......<.....`.....................................O.... ...................(...@..........T............................................ ............... ..H............text...0.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........m......................H.........................................('...*..('...*..('...*^.('......8...%...}....*:.('.....}....*:.('.....}....*:.('.....}....*^.('......9...%...}....*:.('.....}....*:.('.....}....*..0..E........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X((.....R...((.....d.R*....0..K........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X().... ...._.S...().....d.S*..0..&.........+....(*...G...Z.(......X....(+...2.*...0............(+.....1...(+....Z.:..
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):582320
            Entropy (8bit):5.99177382417674
            Encrypted:false
            SSDEEP:12288:Bo+rY8ZyAVNXL1VPGSEiWqJHsiEg2A9fLF:BhxXXrPGS6A7h
            MD5:B7083FFD5D2BBBE83C6B439196838D78
            SHA1:17B58D7F1CFFE4C1DD8E8246E127C949F4066D85
            SHA-256:D14DBC34F6824757E6F6AE758B05F76C447F96F8D75BE3C4B8286FCC5A388B30
            SHA-512:6C82D0F3B8E65DB99AA6F3973A6CB69CC9D02EFD3C3CC55AF03F01D5318360054E004EA4BCB53A2A7CF5DC1C0D77DC9183B479654CF88BBAC7B263FC68C61B16
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ....................... ......+.....`.................................i...O........................(..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........S..............`O...w............................................(J...*..(J...*..(J...*..(J...*^.(J..........%...}....*:.(J.....}....*:.(J.....}....*:.(J.....}....*..(J...*:.(J.....}....*.0..E........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(K.....R...(K.....d.R*....0..K........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(L.... ...._.S...(L.....d.S*..0..&.........+....(M...G...Z.(......X....(N...2.*...0............(N.....1...(N....Z.....(...+.+...(N....Z......
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):25984
            Entropy (8bit):6.291520154015514
            Encrypted:false
            SSDEEP:384:1R973o62/KqcAnb05J3w0I5eUGef8s72XBWdvVW2JW8aJcyHRN7WEimpplex:1RZ4nNxnYTb6Blha
            MD5:E1E9D7D46E5CD9525C5927DC98D9ECC7
            SHA1:2242627282F9E07E37B274EA36FAC2D3CD9C9110
            SHA-256:4F81FFD0DC7204DB75AFC35EA4291769B07C440592F28894260EEA76626A23C6
            SHA-512:DA7AB8C0100E7D074F0E680B28D241940733860DFBDC5B8C78428B76E807F27E44D1C5EC95EE80C0B5098E8C5D5DA4D48BCE86800164F9734A05035220C3FF11
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..8...........V... ...`....... ....................................@..................................V..O....`...............B...#..........PU............................................... ............... ..H............text....6... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................V......H........0...$...................T........................................(....*..(....z..(....z2.(....s....*2.(....s....*:........o....*.~....*~.-..(......}......}......}....*~.-..(......}......}......}....*Z..}......}......}....*J.{....%-.&.*o....*^.u....,........(....*.*~.{.....{....3..{.....{......*.*&...(....*2...(.......*....0..'........{......,..u....%-.&..(...+(....*(....*n.{....,..(....s....*.q....*..0..a.........{....o0.....,;..{....o2...(......;...3.~.......s......
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):25232
            Entropy (8bit):6.672539084038871
            Encrypted:false
            SSDEEP:384:VyPa16oAL4D+wW9IWmDIW4IWYDMFm0GftpBjMIraQHRN7VlmTpF0:VWs6oqDjADKeDYViG+LN
            MD5:23EE4302E85013A1EB4324C414D561D5
            SHA1:D1664731719E85AAD7A2273685D77FEB0204EC98
            SHA-256:E905D102585B22C6DF04F219AF5CBDBFA7BC165979E9788B62DF6DCC165E10F4
            SHA-512:6B223CE7F580A40A8864A762E3D5CCCF1D34A554847787551E8A5D4D05D7F7A5F116F2DE8A1C793F327A64D23570228C6E3648A541DD52F93D58F8F243591E32
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.............b2... ...@....... ...............................H....@..................................2..O....@...............$...>...`......x1............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................B2......H........!..T....................0......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2r[..p.(....*B.....(.........*.BSJB............v4.0.30319......l...4...#~..........#Strings....t.......#US.@.......
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):58880
            Entropy (8bit):5.651114038528575
            Encrypted:false
            SSDEEP:1536:cDO9PdVWTawODut3SZHVlC1i9ZUNOJufiacJ:qznO9ZHVA14Z6b+
            MD5:EFD5FCE9CDF53D5C85E525785303ACB5
            SHA1:2A19F03B1581C92BBA9779B52942110E993CB2B1
            SHA-256:124F009C133115826657F247B197A29E77358B2D2B2F88E00320A566E5DD92B6
            SHA-512:3B6086BF1E4F2E1A0A1A01DDEEEB28245E9CFE9064A570EBEFC385BC410E2ADAC6547F47B56DD990C9B8CE558CD92EAFA31DB7EEB71E6480A6945F61A5EB9247
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m.(..........." ..0.................. ........... .......................@............`.....................................O............................ ..........8............................................ ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......Di...............................................................(....*^.(.......1...%...}....*:.(......}....*.~....*...0...........$.2...%.r...p.%.r{..p.%.r...p.%.ro..p.%.r...p.%.rc..p.%.r...p.%.rW..p.%.r...p.%..rK..p.%..r...p.%..r?..p.%..r...p.%..r3..p.%..r...p.%..r'..p.%..r...p.%..r...p.%..r...p.%..r...p.%..r...p.%..r...p.%..r}..p.%..r...p.%..rq..p.%..r...p.%..re..p.%..r...p.%..rY..p.%..r...p.%..rM..p.%..r...p.%. rA..p.%.!r...p.%."r5..p.%.#r...p.(....(............
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):928
            Entropy (8bit):4.995731281926125
            Encrypted:false
            SSDEEP:24:JduPF7NQ7uH2/XV0PH2/+w3VUrPH2/+C9y:3276agXsg+w3Sg+Cw
            MD5:76B344530DD42F0FEFF3CA3260B4742D
            SHA1:A80D8B82F4CD400BDB2967C50FD9531C3D2E33DD
            SHA-256:670AFA345EB43C0E2AA042236AAA429796C8A70396360E5D091A50A066730019
            SHA-512:EDA8FA1B9ACBF6FCA579B9263E8039429D8A81B2F3414A265E5755F2F5B10B6166EE74100B147399F5130C79883EB1CFCD5BC0DE6A0A5C1EC81322A897F8C49A
            Malicious:false
            Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):18432
            Entropy (8bit):5.4382207566495016
            Encrypted:false
            SSDEEP:384:9xfl8lKmlSlm+ElBSSLqbKabycb787BlQHZrvyHRD09iDmA:9xfqT0788s8f874H4xtB
            MD5:F77DEB0E6843989453DDFC19FFF5988D
            SHA1:57B4A410356A5752BF54259A19399007C443D3F4
            SHA-256:4CF1BE49C8CDB265603E446F755DFD1F2D79AE3398BA730A734B74A6C49EFE38
            SHA-512:18D10AE9F2DF5AD9CC01EE7D8810014DD55FA904D9EB4FE119A4DECF67027DE2B6E3600A291C6A58999A8788F10EF6891285E71E89929D65767073DD257F34CC
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y].........." ..0..>..........~\... ...`....... ..............................$'....@.................................,\..O....`..x............................................................................ ............... ..H............text....<... ...>.................. ..`.rsrc...x....`.......@..............@..@.reloc...............F..............@..B................`\......H........F.......................[...........................................2#.r...po....&...........Yo....o....&*.....2!..#o....&............Yo....o....&*v...........Yo....(....o....&*b...........Yo....o....&*.....2 ..?o....&...........Yo....o....&*.....2 ...........Yo....o....&..:o....&*..0...........-..*....3..,....o.....("...+....-..*.,....o.....("...+......o.....s.....8......o........ ...._ ....3E..X./?...Xo.... ...._ ....3) ...... ...._..bX...Xo.... ...._X....X.+... ..
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):111200
            Entropy (8bit):6.1221789546919325
            Encrypted:false
            SSDEEP:3072:Vf5KanssKF6BsefWKqjBbbgPiQ5i5v7F4MsiDMxi0:qasspVfWKMFQM34Mn50
            MD5:FFEEE6F46AAF9B189DDC7FC3B3357FC4
            SHA1:BD087AB87968434BACBA247CEBA70478904EC4A3
            SHA-256:01C2BA352545C2B28D4CA2AA7E6B042C52214B8312372D66FD4514C3FE6D133B
            SHA-512:8B100634D04271C14B9C96C3F5C373B405FBCD41696C7FAA029438886122903BD93BDC88F4073580F381A3487A999242F831AB2D61F79005F9C33C160BE58754
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......vx..2...2...2...;a_.6...`q..0...W...1...,K_.0...`q..'...`q..5...`q..3...p..0...2.......p..?...p3.3...2.[.3...p..3...Rich2...........PE..d...B..d.........." .....P...8.......Y....................................................`.................................................,`.........../......4.......`(......@....s..T............................t...............p.. ............r..H............text....I.......J.................. ..`.nep.........`.......N.............. ..`.rdata..\....p.......T..............@..@.data........p.......N..............@....pdata..4............T..............@..@.rsrc..../.......0...X..............@..@.reloc..@...........................@..B................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):42496
            Entropy (8bit):5.782944900930189
            Encrypted:false
            SSDEEP:768:H0Gl7W1UiZTo1ooEqTh0sq/s/MnBOyvUPrYZbkch:UqQpZTsooEah0sqU/by4UZzh
            MD5:47D729B6841F1E0E510BBC7D74454B73
            SHA1:BB7A519A2BF2DBFA8AEF238241D6DD5C62AEED77
            SHA-256:B4C69BE213BA3DD40E6BC819B7BFC13AB03D06D5F3EFA0E4643B1B55E5A529F9
            SHA-512:F5ECD0CCA56306273685C12CCB5AF8F540161E2CFFE3F639A2FA1F9DE29CFEBB2F6D8F8BA4AD43E02A721DA30DD8E3CC911E46E4237578E026A5BA8C059429AF
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ...............................F....@.................................J...O.......$...........................h...T............................................ ............... ..H............text........ ...................... ..`.rsrc...$...........................@..@.reloc..............................@..B................~.......H........H..Hq...........................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ...' )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o ....%..{.......%q.........-.&.+.......o ....(!...*...0..2..........(....~.......o"...-.~.....s#...%.o$.....o%...&*...0..A..........(....~.......o"...,)..o&..., .o'...-.~.....o(
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32+ executable (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):19082792
            Entropy (8bit):7.993961306364174
            Encrypted:true
            SSDEEP:393216:V/m3pWBJH9dNrvymWTOha1OQK2GN2gLocDfDgMc6XCTLJWfRVyv43Gc:VK0LNrvy5ql12GIYocb0zQIL8fR5Gc
            MD5:FC4E01D66E8A5D58C306CEB4D115E464
            SHA1:83A3707C8E265702263B4C25E66D31785B5DA1DE
            SHA-256:54A1096D6A9DEEC8503831B262610314410C6307F0B98ABC74EED747AA6589F1
            SHA-512:F52FB92F69DC9EA53B83D2A6E9D50DD9A3083BFCEB6A5FFB36E68B38EF70D673D96E171B30B029E52E08F3ED61E8EA7158B9A53D4F762F182E1B562FB9FD5273
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]..G<.G<.G<..D..O<..D..<..D.M<.G<.F<.A.>.C<.A..o<.A..V<.A...V<..D.@<.G<.><.(..R<.(...F<.RichG<.........PE..d.....vf.........."....&......................@.............................@........#...`.....................................................P............@..d#....#.(....0..\...p...............................0...@............................................text...P........................... ..`.rdata..&,..........................@..@.data....3..........................@....pdata..d#...@...$..................@..@_RDATA.......p......................@..@.rsrc...............................@..@.reloc..\....0......................@..B........................................................................................................................................................................................................
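The entry above is the only dropped file the report marks Encrypted:true, on the strength of its 8-bit entropy (7.99 of a possible 8.0) rather than any detection. The following Python is an added example, not Joe Sandbox code, showing how the per-file fields in these entries (Size, Entropy (8bit), Encrypted, MD5/SHA1/SHA-256/SHA-512, and a coarse File Type from magic bytes) are derived and how to re-verify a file pulled from the sandbox against its report entry. The entropy cutoff for the Encrypted flag is an assumption (the page does not state the sandbox's threshold), and the sample bytes and the sample entry text are constructed for the demo.

```python
import hashlib
import math
import random
from collections import Counter

# Assumed cutoff: the report does not state the sandbox's own threshold for
# Encrypted:true. 7.99 was flagged, 6.77 was not; 7.9 separates the two.
ENCRYPTED_ENTROPY_THRESHOLD = 7.9


def shannon_entropy_8bit(data: bytes) -> float:
    """Bits of entropy per byte, the report's 'Entropy (8bit)' field (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sniff_type(data: bytes) -> str:
    """Minimal magic-byte check for the formats present in this report (not libmagic)."""
    if data.startswith(b"MZ"):
        return "PE/MZ executable"
    if data.startswith(b"SQLite format 3\x00"):
        return "SQLite 3.x database"
    if data.startswith(b"!<arch>\n"):
        return "current ar archive"
    if data.lstrip(b"\xef\xbb\xbf").startswith(b"<?xml"):
        return "XML 1.0 document"
    return "data"


def triage(data: bytes) -> dict:
    """Compute the same per-file fields the report prints for a dropped file."""
    ent = shannon_entropy_8bit(data)
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": ent,
        "Encrypted": ent >= ENCRYPTED_ENTROPY_THRESHOLD,
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
        "File Type": sniff_type(data),
    }


def parse_entry(block: str) -> dict:
    """Parse one 'Key:Value' dropped-file entry as rendered in the report text."""
    entry = {}
    for line in block.splitlines():
        line = line.strip()
        if ":" not in line or line.startswith("\u2022"):  # skip the AV bullet rows
            continue
        key, _, value = line.partition(":")
        entry[key.strip()] = value.strip()
    return entry


def verify_against_entry(data: bytes, entry: dict) -> list:
    """Names of report fields that disagree with the bytes actually on disk."""
    observed = triage(data)
    return [
        key
        for key in ("Size (bytes)", "MD5", "SHA1", "SHA-256", "SHA-512")
        if key in entry and str(observed[key]) != entry[key].upper()
    ]


def demo() -> dict:
    """Run the checks on constructed inputs: a low-entropy header and a random blob."""
    header_like = b"SQLite format 3\x00" + bytes(100)            # constructed, mostly zeros
    rng = random.Random(1234)                                     # deterministic 'packed' payload
    random_blob = rng.getrandbits(8 * 65536).to_bytes(65536, "big")
    # A constructed report entry for header_like, in the page's Key:Value layout.
    good_entry = parse_entry(
        "Size (bytes):%d\nMD5:%s\nSHA-256:%s\nMalicious:false\n"
        % (len(header_like), triage(header_like)["MD5"], triage(header_like)["SHA-256"])
    )
    tampered_entry = dict(good_entry, MD5="0" * 32)
    return {
        "header_encrypted": triage(header_like)["Encrypted"],
        "header_type": triage(header_like)["File Type"],
        "blob_entropy": triage(random_blob)["Entropy (8bit)"],
        "blob_encrypted": triage(random_blob)["Encrypted"],
        "good_mismatches": verify_against_entry(header_like, good_entry),
        "tampered_mismatches": verify_against_entry(header_like, tampered_entry),
    }
```

A file marked Encrypted:true with Detection: 0% is the case that needs a second look: high entropy at 19 MB is consistent with a compressed installer payload, but the hash check is what tells you the artifact you are about to unpack is the one the sandbox executed.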
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):495584
            Entropy (8bit):6.7696106294027665
            Encrypted:false
            SSDEEP:12288:liTMfjH1WyHWOJ9cKAuBxjC5kQqM+Ocq1qxwQpIDzu:liTMfL1zH3cKdNkcpxdwzu
            MD5:7E4FF135187E924AB5E9AF57F063257A
            SHA1:76FC0D22948806794633AC83AC8DB950597129F7
            SHA-256:62AE41A2314CEF52325CA8D0D0DE4EE20669A89BCC8AB69058FCE44307242033
            SHA-512:8400924C40EC18B7CB2BACF022990B7F3A84843399519288696EBC865111C1D43A8D30E2A73ED258181BEA38B809F3D703E33B88CEE192CD184FD02410B944F2
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........2..FS..FS..FS...;..IS...;...S...;..US....i.GS..."..IS..."..SS..."..gS...;..OS..FS...S...!..GS...!..TS...!..GS...!Q.GS..FS9.GS...!..GS..RichFS..........................PE..L......a...........!.........~.......................................................Q....@A.............................)......d....................f...)... ...V......................................@............................................text............................... ..`.rdata........... ..................@..@.data...(...........................@....rsrc...............................@..@.reloc...V... ...X..................@..B................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:current ar archive
            Category:dropped
            Size (bytes):87450
            Entropy (8bit):5.377844050731864
            Encrypted:false
            SSDEEP:1536:UYPgQYWWC/TKo5JQRMEMue6nTygxBI5ykPlq6Q2/K5npAenyxnw/OCTojlh26TgN:UYP4WOR+uO5zPAxp6xc8DEl7RPHg3AB
            MD5:4BF8353FA573249AF8D2185D06886A2A
            SHA1:B11BC033B5994693DA00511A1E328D84A483C8A5
            SHA-256:7FB669CAC2000307EDB87E4FE5D4313050A189C13FAFC11E001AA6D46D5FA616
            SHA-512:885F136EC3AC7FC086794AA8D1D8F005FFDE8F1DE75B3449FDBF8F3F51C0F36048FA84C4A22C121CAD29DB773A62DBE001335D5DDD426DA049E77189AF1E2625
            Malicious:false
            Preview:!<arch>./ -1 0 21502 `............0...h...,...,...................v...v...........R...R...........:...:...........................................j...j...0...0...................................V...V...................................n...n.................N...N.................T...T...p...p...................2...2.................x...x...........V...V...........8...8.......................l...l...........D...D........."..."...............................x...x...................8...8...............................^...^...D...D.........(...(.................~...~...........`...`..."...".................v...v...........\...\.........................0...0.................4...4...P...P.........................~...~...........T...T...............................................|...|...........^...^...........*...*...:...:..."...".................^...^...........D...D.........$...$.........................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):481248
            Entropy (8bit):6.549528625401982
            Encrypted:false
            SSDEEP:12288:xTl7DNpxv0H9Qq54mhhdFnJLgw79+sqi6:xTl7DNLq5H/Qw7Ei6
            MD5:D522C17E1620D9F3AFFE969C2E8ED089
            SHA1:AD465E113E4CBEAC0747DBB1BE8630053325105C
            SHA-256:0EA38137164E2BE0599B6AF01326720C41DDDCA0A2CF491441A5EE0C0B7BFC7C
            SHA-512:4C2215D1E7ECC2C801BA58F7F5A2536B35148CD8384512D2BF23B6348DFB120578302F63DAA7ED49509CA1687F901A6101105CBE4171A824E7376895BDDAD7C0
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.".q.L.q.L.q.L.*.H.z.L.*.O.v.L.*.I...L..m..p.L..H.~.L..O.x.L..I.S.L.*.M.x.L.q.M...L..H.p.L..I.c.L..L.p.L...p.L.q..p.L..N.p.L.Richq.L.........PE..d...3..a.........." .....J...........*.......................................`......9.....`A.............................................)..`...d....@..........06.......)...P.......k..T...........................@l..8............`...............................text... H.......J.................. ..`.rdata...~...`.......N..............@..@.data...............................@....pdata..06.......8..................@..@_RDATA.......0......................@..@.rsrc........@......................@..@.reloc.......P.......$..............@..B................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:current ar archive
            Category:dropped
            Size (bytes):80822
            Entropy (8bit):5.371100192595072
            Encrypted:false
            SSDEEP:1536:CQ/x1S+l7EsJWZtKkK42URmqhXgotyTK0SSlEH9SmhgfkE1+7nvGsoKYuRqX/JCw:CQ/jW1Tfye0w9ckb4P1TxmjQ
            MD5:19F5B596AAC79018239D44390816A1EA
            SHA1:DC76E2DE0881DB72794DFFE02554BCA066B530FD
            SHA-256:B83B1196E79A4B81DCF7DF21B7527F5DA646EC614BECEDA771D7C3B0EEAB22D9
            SHA-512:6F81EB41AB03C75B7AB5A98A62EBF4CDA8DB060A11E0F34229D4B87FC1279D438F11B893896C501B2EE1759EDD89E659E1A0CC8291F5E536420811AD1B5A40A9
            Malicious:false
            Preview:!<arch>./ -1 0 19410 `........B...t.......|...|...........N...N...........$...$...................r...r...........L...L...........*...*...................J...J...........$...$...................`...`...........2...2...................d...d...........>...>...........~...~...........T...T...........0...0...................t...t...........F...F...................................f...f...........:...:...........................X...X...........B...B...........*...*...................z...z...P...P...........$...$...........h...h...........................&...&...................p...p...........T...T...........t...t...........R...R.........*...*.........................d...d...........4...4...........v...v...........R...R...........,...,.................d...d...............................................t...t...........R...R.........z...z...(...(...........p...p...........4...4...............................^...^...........D...D...
            Process:C:\Program Files (x86)\IDmelon\Accesskey\Service.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):715
            Entropy (8bit):5.924049217573425
            Encrypted:false
            SSDEEP:12:TMHd4Pro8iKdB/k/K5/2ICZ3+ApHDrJwVKSAN28ZnHWZdlLcfW1s2D9MtTLS:2d4jo8P3X/2bZOALwVKSE12ztcfW1s2n
            MD5:0B654C03981F8DBC39D66DFDF830205A
            SHA1:298084E00B165A46ABBA931478DA23DBE93809C2
            SHA-256:A453B7F48F05A994FF6368B6001D64F1E86E3CA1305FFC4F43EA795893687599
            SHA-512:5CB154B8E4B67135F8188DFD5A1449E189D7916585FFA2F5BF521733D264ED33454BE7E2A8C4667BCD3DF0F3DF5E973E0977F3D3D2AC18864F582365EC03B4AD
            Malicious:false
            Preview:<?xml version="1.0" encoding="utf-8"?>..<Config xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">.. <Mode>Card</Mode>.. <AppID>669c8c4a91be90000824894f</AppID>.. <Token>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7ImNyZWF0ZWRBdCI6MTcyMTUzNTU2MjA5NiwiX2lkIjoiNjY5YzhjNGE5MWJlOTAwMDA4MjQ4OTRmIn0sImlwIjoiOC40Ni4xMjMuMzMiLCJ1c2VyQWdlbnQiOiJSZXN0U2hhcnAvMTEwLjIuMC4wIiwiaWF0IjoxNzIxNTM1NTYyfQ.nsEXp9agIX74VUsYZvN2h7bn98SMfowVdHYKX_Yjr5U</Token>.. <ServerPublicKey>04e9eb453c25eae85d95d80c9da3fab816a82a875b60feb6aebfa76ca79bfef88849b7732865d71b34da823f536a431bb4385a9c645c66cd27afbc3ea0049a552a</ServerPublicKey>.. <PinPolicy>PinRequired</PinPolicy>..</Config>
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):12684056
            Entropy (8bit):5.750572800376826
            Encrypted:false
            SSDEEP:98304:T90rvru1gfhuxb58gzjuq8/bx72QJg/+gqms:T9Mvru1+hux/uPTcQK/Zjs
            MD5:865C7D285D665FE4D9FB672B111DD54D
            SHA1:C3E83E7A8402F0DE75A49D5DCC71DD131E9B2CAB
            SHA-256:4151229B6E31DAE91D459BE70655417DD18E6B0869C9A72FEF08A5BB28D980B8
            SHA-512:9BE1CA48ABFBCFB0964B25613E62EF75A5603876E84DD317D5946A96E1FFC64E219366B4635582D4C455212580E6B94A5DE54E5FFF6523792ABFA2BCF0E18A1E
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6es.r...r...r....`..o....`..|....`.........v...IZ..x...IZ......IZ..Z...r...c....`..y...r........Z.......Z.......Z..s....Z..s....Z..s...Richr...........PE..d...~|.c.........." .........`8..............................................`............`.............................................#...x...x....0..Y....@..x....b...)...@.......n..8.......................(...0o..................x............................text............................... ..`.rdata...,.......,.................@..@.data........@...Z...&..............@....pdata...q...@...r..................@..@.idata..K$.......&.................@..@.tls....s...........................@....gfids..4...........................@..@.00cfg....... .......:..............@..@.rsrc...Y....0.......<..............@..@.reloc..V....@... ...B..............@..B........................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):9986840
            Entropy (8bit):5.798952004538316
            Encrypted:false
            SSDEEP:98304:ht0TyUQmSCXRLO0KmlsunPzBVhgH01n/QoDD:hwQmSCB3Kmlsq1
            MD5:5375B505F0463930EE8EA2254B477DEB
            SHA1:B114BC70840FCFD7BB60ECACFFA1944F23A459FF
            SHA-256:F6A6B19A8EA19E51CD4FB8E120A8B3DF609429193653618E56D24C5D9704E56C
            SHA-512:2CE74BB9CAFB182E0052CEFBC5B40C0CEBC6DF31DF80DF59CD1BE9AFFAB53E274D75133327903FE3D8828F09225B20D48E3E2FC58BB58A4D17F542C5D6E7F7D4
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......|C..8"..8"..8"..WF..."..WF..."..WF..'".....;"...|..$"...|..O"...|..."..8"..4"..WF..3"..8"..."..|...#..|..#..|..9"..|..9"..|..9"..Rich8"..........................PE..L...p|.c...........!......z.........T+........z..........................................@.........................0........d..x.......Y............:...).............8..........................H...@............`...............................text.....z.......z................. ..`.rdata...H....z..J....z.............@..@.data....3... ......................@....idata..K....`.....................@..@.tls....$...........................@....gfids..............................@..@.00cfg............... ..............@..@.rsrc...Y............"..............@..@.reloc..............(..............@..B................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):270336
            Entropy (8bit):5.596191661109029
            Encrypted:false
            SSDEEP:3072:h+8gmdoxSO7ZbQFroo7RVir/dtnK0sgdnogtHcU5qFG1RSGCkE9kKn7GCcaLoWn:c1N8LLI/PK0scnodG1RS1T93caL
            MD5:46319A38CE5D09020D2AC56B67829C6C
            SHA1:FFE64CA4D4BC9E1DAB1D195982D22121A6BAA058
            SHA-256:1D45A6AFA38F0B10814063F2A42E6EFCE45752853667650E765844B8566B3332
            SHA-512:0DE61771A92EE71470E51BCCF66D3A39C105AE23D60E73D8E4E7D44135DFF4C8D1DDDFF9BBB6BE72FF083D51C784E5CA829A6ADEFEE87FD901D2DE58DB0DDB03
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....O..........." ..0...... ........... ... ....... .......................`...........`.....................................O.... .......................@......|................................................ ............... ..H............text...(.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32+ executable (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):373288
            Entropy (8bit):5.612916865047601
            Encrypted:false
            SSDEEP:6144:dI6VyDGb+HiFr4kchE18dkuCj7jLwcYBQarDosNXUk:dIJDGb+Hiu9hE18dkxfdsNXV
            MD5:17DE7869B1B721B3FFF9DBE111CAAFF8
            SHA1:5CA75CBF7928732B5B022BC06146216CC7EEBC30
            SHA-256:852F71F992F9C6FE89875F468AB7058FD9E0CF03FC13654E7E2F291BC403517F
            SHA-512:A4C736EECDCC4DBED1D871B1E593B174A09001DFAB5D2FE1309918CCDF82DC25C09683799B35F6BF748E4A61466BC302A30A5FB62A350A6912C9112108501155
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 14%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"1P.C_..C_..C_..;...C_..;...C_...$..C_..C^.YC_..;...C_......C_..;...C_.Rich.C_.........................PE..d...]..Y..........#......D...X................@.........................................................................................................|...P..."......(............................................................`.. ............................text...4B.......D.................. ..`.rdata.......`.......H..............@..@.data...dC......."..................@....pdata..."...P...$..................@..@.rsrc....|.......~..."..............@..@................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) ARMv7 Thumb, for MS Windows
            Category:dropped
            Size (bytes):1083392
            Entropy (8bit):7.142876487136901
            Encrypted:false
            SSDEEP:24576:klnHRpXN2xxKmSckQwFwM3CHpzDTzRHzYNrCP74Y:k9cxxKJckQwdCJzDWNr4
            MD5:FBB305C445AB83E83BF60BDBA8534173
            SHA1:AB6E1A12C5EA3C14B7657395D09B3B7ED2546126
            SHA-256:632CEB55168C31C79A9B25BEF41C197AE6978326EE17F80DEF74EB75F1BE474E
            SHA-512:22024B6FE6241D8C6509A3094225302EF852CC39F85D168110D2C1C745B68CD957ED3B799CF22AB8038F13A0F8BFD964D9B0D529594AC83D7D938B9A830B0419
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.&...u...u...u.n.tc..u.n.t...u.n.t...u...ui..u.v.t...u.v.t...u.v.t...uXw.t...uXw.t...uXw4u...uXw.t...uRich...u........................PE......f.:_.........."!................aH....................................................@A........................0~...".....(....P..........pO...........`...V..h...T............................................................................text............................... ..`.rdata..............................@..@.data...tJ.......>..................@....pdata..pO.......P..................@..@.rsrc........P......................@..@.reloc...V...`...X...0..............@..B........................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):1570816
            Entropy (8bit):6.521735562400957
            Encrypted:false
            SSDEEP:24576:HIDsTpsRAN6hgpHIUpR9kMjYfV2QDdMQzb704Zw6K33PM36ZM5NH2Rt:HIDsTpsqtpoUpRQNYJ6e3PM3ek
            MD5:B429904F765F9EC975A15E8AB8CEB569
            SHA1:45D073854924B924C50B27363D37531673CBCC81
            SHA-256:F1C53F43819798C577EB9F4AC83BB3FAB38FA21AAF565DEFE8573B2FCA768230
            SHA-512:76AA50E3B6FC4D2C8C3F468AB061F0809399F8C723B1359E291011EE288AC75EA8170D357F9BE20EF94D121140B7FF53BB05E29F96EBE041032357ED7334A279
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................D............L..1......1......1......~......~......~.W....~......Rich...................PE..d...].:_.........." .........>...............................................P............`A........................................ ...."......(.... .......@...............0......X...T...............................0............................................text............................... ..`.rdata..*...........................@..@.data...Xj.......T..................@....pdata.......@......................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):1184256
            Entropy (8bit):6.73335357356
            Encrypted:false
            SSDEEP:24576:XZrSxkftqbYzaTG7p5SX6BrR/uNQHBfvELjdf960rsJGgbNG:XZryxKR9TANit8lsJ6
            MD5:E02613D1A6211EB1BFC8D15431ACBD68
            SHA1:44D61B27A03C4BAE38C69B9F5449F613913E88DA
            SHA-256:03EF15557EC8B1DD8D8D1F5552EC96DF2E5EC27DE3A1ACFCB1C16D7A8A559AC9
            SHA-512:9CF82D36C77A33A77DF24335FE967A58E41C9140002C686912B465F1B3A1AB29511888AB39D3974BD9CA0E4B08C2B0F9310E60DB8CA09A0E52B84F9BC0FFD3C9
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............z...z...z..y..z....o.z..~..z..{...z...{.~.z......z...~...z...y..z.H.~...z.H.z...z.H.....z.H.x...z.Rich..z.................PE..L...R.:_...........!.........l...............................................P............@A.........................*..."...M..(...................................."..T...........................p"..@............................................text............................... ..`.rdata..n...........................@..@.data....K...`...>...L..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................
            Process:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            File Type:ASCII text, with very long lines (467), with CRLF line terminators
            Category:dropped
            Size (bytes):2317
            Entropy (8bit):5.6930345763808585
            Encrypted:false
            SSDEEP:48:tiHxwOHXh37+30MDEhj/y0QyE+30MDEhj/y0iEGY/2d3CKRfteuslUbw3yenKfX:iwQqEMDa/+0EMDa//z2d3CwfMC
            MD5:8263E53E54245A0A76E93E143A0FDC8B
            SHA1:2647B3235BCF505A5E7D1707813441C6745FB421
            SHA-256:7AE13ED30B0D79B3A58287E0921AA2DD83498523ACFE5DE772092ACF3D098BD4
            SHA-512:167030F2A21CEEC51D911EF62D83D345598CA5711D084E1C9BCB1E109F036131B1E310960DB217C3C89DDD09AAC431E2A20E2AC187DBDA43AEBC5F5554DDDFEA
            Malicious:false
            Preview:2024-07-21 00:19:14,768 INFO - [Main] IDmelon AccessKey service started.....2024-07-21 00:19:14,784 INFO - [Main] IDmelon AccessKey service v2.7.0.0..2024-07-21 00:19:14,799 INFO - [InitConfig] Requesting new Token and AppID..2024-07-21 00:19:14,799 INFO - [InitConfig] No Proxy is being used..2024-07-21 00:19:15,768 INFO - [InitRequest] [ServiceManager._InitRestRequest] {"uniqueId":"ABAKAR9SE2X11SF993D6E3D5SMCM4S7RWC9YHQT19K4RD09MSJ1G","os":{"name":"Microsoft Windows 10 Pro","version":"19045"},"appversion":"2.7.0.0","PCName":"609290","userName":"SYSTEM","deviceId":null,"publicKey":"04df50f5e068376d9460753bbe3df5e525bf277c86f8b222fa19eaf9e7aa40d9f39ed057b968fb1090bcaa382879c41fe80550dc9321881d38bc97a7054e836993"}..2024-07-21 00:19:15,846 INFO - [InitRequest] [ServiceManager._InitRestRequest] Reqeusting new accesstoken with params: {"uniqueId":"ABAKAR9SE2X11SF993D6E3D5SMCM4S7RWC9YHQT19K4RD09MSJ1G","os":{"name":"Microsoft Windows 10 Pro","version":"19045"},"appversion":"2.7.0.0","PCName":
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
            Category:dropped
            Size (bytes):175053
            Entropy (8bit):5.440434367296417
            Encrypted:false
            SSDEEP:1536:JfHLrLkSRoybCQUZsrs0DC1cu8pOwSPAcezB010n6BBteqmLAl:Jfr3k+o5buDC1culhjKB0+n6Xteqmkl
            MD5:B70EC66793408BD53E85984AFB1243AA
            SHA1:571CC2B6E2F1BAE181BAA46775A2BE15A88B9AA2
            SHA-256:E2A31247F61646FEE58C3F2483E982EE838596D25FB6EBE8C674C6DCA83714EC
            SHA-512:787157F29C1B578D271EF3D421AE73B50546D72B61A2B4FAFA6908644287E4853441E52A45F0DFCF91A3AA1448659BCD60D1065935F5BC6133E53D94A67B0218
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................j..........R5............@..........................@......7.....@.........................................................@-..(............................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata...@...P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):226816
            Entropy (8bit):5.805239882361139
            Encrypted:false
            SSDEEP:6144:aG6L6WIqe9bjj1OLNryn2aJJJnoQCSJgI:aG6L6WTeBjKsn2aJPoQ
            MD5:E67544B112F568F13B17D72189FDA007
            SHA1:B75B79C65330A77FE7AEA5EF6C319D7F3D1865D4
            SHA-256:697F13F09CB2C425DDCFE1AA167D698F7AF5AEA48D03D5370143BC00E9BBFA2E
            SHA-512:5A3381C0BE69DF8DC5A8C7C931B14919A189A8D03D2128D3848FBF73E3FD21631FE44ECCD9BAF97A15F646D0FCC5B3263B6EAC2F98D67557A07AD6FB4F91C402
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9!..........." ..0..j..........V.... ........... ...............................2....`.....................................O.......0...........................`...8............................................ ............... ..H............text...ti... ...j.................. ..`.rsrc...0............l..............@..@.reloc...............t..............@..B................6.......H.......0...............................................................J.("....~N...}....*&...(....*&...(....*:.(".....}....*R.("......s....}....*&...(....*..{....*2.{....o....*V.{....o....%-.&~#...*..{....*"..}....*&...(....*V.(".....}......}....*..{....*..{....*....0..#.........j-..*.s$.....(........,..o......*..................0..X.......s%.....o&...-..*..jo'......s(...... ....o)....o*....~......o+.....jo'........,..o......*......!.+L.......0.."........(......o*....o,....
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):1680384
            Entropy (8bit):5.9158652584281235
            Encrypted:false
            SSDEEP:24576:bu0KzhOuLJpZi3M3FEacJpL99AdS/3cZM:KDzlDyMCawpaS/
            MD5:E6663E129C949753773147061E5AC708
            SHA1:301FF30F7A698FA67AF19CEB9063B09E8BA5163B
            SHA-256:CDD6C407B61371280E49C9A2B34AF4EC06B0191993E6EDE8EFB9235990837977
            SHA-512:00B4313247C367298E7CD529F5CEA1B9F8A74671477DE29A34474F2E132B0EE61EE629905C0788546ED53505983A59D6E1170F463869FE660E66F23CF691488C
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y...=.f.=.f.=.f..w..>.f.=.g.C.f.4...&.f.4...6.f.4...f.f.4...<.f.#...<.f.4...<.f.Rich=.f.........................PE..d.....<W.........." ................................................................................................................0....#...p..(............p......................................................................8u...............................text...4........................... ..`.rdata..............................@..@.data...9Z.......B..................@....pdata.......p.......2..............@..@.idata..D....p.......2..............@...text....J............H..............@.. data....F ......."...N..............@..@.rsrc................p..............@..@.reloc.._........ ..................@..B........................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):826775
            Entropy (8bit):6.520580307753605
            Encrypted:false
            SSDEEP:24576:QJCoOO8Mh2X8Vy0JHfv3kDpigeLKh2R6fFQVp:QL8MFVym/kDpitLKZy
            MD5:16A1612789DC9063EBEA1CB55433B45B
            SHA1:438FDE2939BBB9B5B437F64F21C316C17CE4A7F6
            SHA-256:6DEAEC2F96C8A1C20698A93DDD468D5447B55AC426DC381EEF5D91B19953BB7B
            SHA-512:D727CE8CD793C09A8688ACCB7A2EB5D8F84CC198B8E9D51C21E2DFB11D850F3AC64A58D07FF7FE9D1A2FDB613567E4790866C08A423176216FF310BF24A5A7E3
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...TM<W....*......!.....j.........................a.........................`.......#........ .........................................x.......................@/..................................................................................text...,i.......j..................`.P`.data................p..............@.`..rdata..............................@.`@.bss..................................`..edata...............f..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...x...........................@.0..reloc..@/.......0..................@.0B/4........... ......................@.@B/19.........0......................@..B/31..................j..............@..B/45.................................@..B/57.................................@.0B/70.....i.... ..........
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):10240
            Entropy (8bit):5.408403475729264
            Encrypted:false
            SSDEEP:192:hjD5Bzu8mRd7ylc01dOF6Nr4mNiFHFEH3HGH8t+zaY6GVIb6:V9BXI4cqxCa+WFAzUeC6
            MD5:4EE6C0578960BCB5DAD78947E0CBFFE9
            SHA1:DD90488FFDE0B0DF76E0A5E8DCA8192C77619D8B
            SHA-256:EB182D049BA19F697628E20228AF329780AAF62C3585A1E36B9FB988911FE697
            SHA-512:0592166761C32AA804A26FB90191F636173B6E5144E4C10B100841FCB4D05CC30D8FFC3716E823D02DD3BCC73CFB9106639CF8AE2AEEBA409213F2F40DF5932C
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........f.....................................................Rich....................PE..L...,N"`...........!................p'.......0...............................`............@.........................@2......l0..P............................P..\...P0...............................................0..L............................text............................... ..`.rdata..k....0......................@..@.data........@......."..............@....reloc.......P.......&..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):15872
            Entropy (8bit):5.4709854684159085
            Encrypted:false
            SSDEEP:192:E6GQtZkTktEQUrJaZfuyCnSmUsv3sY7L7cW8Y6Q86QvoT311929WtshLAzgSrX8:E6Nt+4t7uJalUnGesY7Lt8nC3/Yosa
            MD5:D1EEFB07ABC2577DFB92EB2E95A975E4
            SHA1:0584C2B1807BC3BD10D4B60D2D23EEB0E6832CA2
            SHA-256:89DD7D646278D8BFC41D5446BDC348B9A9AFAA832ABF02C1396272BB7AC7262A
            SHA-512:EAFFD9940B1DF59E95E2ADB79B3B6415FFF5BF196EBEA5FE625A6C52E552A00B44D985A36A8DD9EB33EBA2425FFEA4244ED07A75D87284FF51EC9F9A5E1AC65E
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N.px.q.+.q.+.q.+.q.+[q.+.~C+.q.+^R.+.q.+^R/+.q.+.w.+.q.+.Q.+.q.+Rich.q.+........PE..L....C.f...........!.........`.......+.......0............................................@..........................8......X1..................................X....................................................0..X............................text............................... ..`.rdata..G....0......."..............@..@.data...DL...@.......,..............@....rsrc................6..............@..@.reloc..x............8..............@..B........................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):12288
            Entropy (8bit):5.805604762622714
            Encrypted:false
            SSDEEP:192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
            MD5:4ADD245D4BA34B04F213409BFE504C07
            SHA1:EF756D6581D70E87D58CC4982E3F4D18E0EA5B09
            SHA-256:9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
            SHA-512:1BD260CABE5EA3CEFBBC675162F30092AB157893510F45A1B571489E03EBB2903C55F64F89812754D3FE03C8F10012B8078D1261A7E73AC1F87C82F714BCE03D
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):1072
            Entropy (8bit):3.6876818839972834
            Encrypted:false
            SSDEEP:24:Q+sxv5SAD5ylSjqWCs7y6PaQ9n+c6k8lb2WvCxGfFC96kDWlYpK9:rsxwAQSjqQNak8lbQQtH
            MD5:AC22604962B42B6DAB234597D09B4AB1
            SHA1:44B08DB6564AC9C06AE0D66EB27D6131A6AF220A
            SHA-256:B409B4E4ED03B9236E102FCE6A63C4CEF25DB6E5660C633B8F15CA1498692D65
            SHA-512:E3A8DF6E8F677A2033716C5724345DDA95C8F2F0BF563E6141AB0229C1B71EB861C01814C8E9DFDE78268C0C43EC4F5B0886B1798656D50EF74F0EEA6F84C2DA
            Malicious:false
            Preview:..[.S.e.t.t.i.n.g.s.].....R.e.c.t.=.1.0.4.4.....N.u.m.F.i.e.l.d.s.=.3.....R.T.L.=.0.....N.e.x.t.B.u.t.t.o.n.T.e.x.t.=.&.F.i.n.i.s.h.....C.a.n.c.e.l.E.n.a.b.l.e.d.=.....S.t.a.t.e.=.0.....[.F.i.e.l.d. .1.].....T.y.p.e.=.b.i.t.m.a.p.....L.e.f.t.=.0.....R.i.g.h.t.=.1.0.9.....T.o.p.=.0.....B.o.t.t.o.m.=.1.9.3.....F.l.a.g.s.=.R.E.S.I.Z.E.T.O.F.I.T.....T.e.x.t.=.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.n.s.t.B.0.0...t.m.p.\.m.o.d.e.r.n.-.w.i.z.a.r.d...b.m.p.....H.W.N.D.=.2.2.2.9.2.8.4.....[.F.i.e.l.d. .2.].....T.y.p.e.=.l.a.b.e.l.....L.e.f.t.=.1.2.0.....R.i.g.h.t.=.3.1.5.....T.o.p.=.1.0.....T.e.x.t.=.C.o.m.p.l.e.t.i.n.g. .A.c.c.e.s.s.k.e.y. .S.e.t.u.p.....B.o.t.t.o.m.=.3.8.....H.W.N.D.=.1.3.7.7.3.7.2.....[.F.i.e.l.d. .3.].....T.y.p.e.=.l.a.b.e.l.....L.e.f.t.=.1.2.0.....R.i.g.h.t.=.3.1.5.....T.o.p.=.4.5.....B.o.t.t.o.m.=.1.8.5.....T.e.x.t.=.A.c.c.e.s.s.k.e.y. .h.a.s. .b.e.e.n. .i.n.s.t.a.l.l.e.d. .o.n. .y.o.u.r. .c.o.m.p.u.t.e.r...\.r.\.n.\.r.\.n.C.l.i.c.k. .F.
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
            Category:dropped
            Size (bytes):26494
            Entropy (8bit):1.9568109962493656
            Encrypted:false
            SSDEEP:24:Qwika6aSaaDaVYoG6abuJsnZs5GhI11BayNXPcDrSsUWcSphsWwlEWqCl6aHAX2x:Qoi47a5G8SddzKFIcsOz3Xz
            MD5:CBE40FD2B1EC96DAEDC65DA172D90022
            SHA1:366C216220AA4329DFF6C485FD0E9B0F4F0A7944
            SHA-256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
            SHA-512:62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
            Malicious:false
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):7168
            Entropy (8bit):5.2959870663251625
            Encrypted:false
            SSDEEP:96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
            MD5:B4579BC396ACE8CAFD9E825FF63FE244
            SHA1:32A87ED28A510E3B3C06A451D1F3D0BA9FAF8D9C
            SHA-256:01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
            SHA-512:3A76E0E259A0CA12275FED922CE6E01BDFD9E33BA85973E80101B8025EF9243F5E32461A113BBCC6AA75E40894BB5D3A42D6B21045517B6B3CF12D76B4CFA36A
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):52944
            Entropy (8bit):6.483483863603903
            Encrypted:false
            SSDEEP:1536:nXVCxosSAPn6cWynO6SUJhUZnY1PdBmz:XVzsZPnNWykLnYBm
            MD5:42BB134409EB5B648998844608434CD7
            SHA1:492284DD87E06372E6DDCA23D64C8B2FC771077B
            SHA-256:0B502F92BF3B6B975D88EA60A2288134C18B3B28BC93A3482ED4C336B7DC674B
            SHA-512:DAF807A2384A22425812DE390CCB33491874E206F5E9F6A9CCD16180D653A9F3DD2D659E1E668A32AAE5E974B800620CF9246355CF6FE02B0172E67BD62B010A
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):52944
            Entropy (8bit):6.483483863603903
            Encrypted:false
            SSDEEP:1536:nXVCxosSAPn6cWynO6SUJhUZnY1PdBmz:XVzsZPnNWykLnYBm
            MD5:42BB134409EB5B648998844608434CD7
            SHA1:492284DD87E06372E6DDCA23D64C8B2FC771077B
            SHA-256:0B502F92BF3B6B975D88EA60A2288134C18B3B28BC93A3482ED4C336B7DC674B
            SHA-512:DAF807A2384A22425812DE390CCB33491874E206F5E9F6A9CCD16180D653A9F3DD2D659E1E668A32AAE5E974B800620CF9246355CF6FE02B0172E67BD62B010A
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
            File Type:Windows setup INFormation
            Category:dropped
            Size (bytes):4836
            Entropy (8bit):3.7387330079455343
            Encrypted:false
            SSDEEP:48:rRxR/zoP0dlUlyFxloQPxWmxxvVARfmwCfi6gDVkf3iQLt97Hu6/OgTgy7dCrXL5:rh/z9YRfmwCfiTQR97O4p4v9lsqs0sI
            MD5:8A71F48313969317868E08E1B8009DEF
            SHA1:3AE7FDACC7BEF1ECCDBEE2427E97ED90EFE2CF04
            SHA-256:09BB78FDE1F9681AACAA95880DB62B439DD6A25418D5E6BB44FB6EB90E66E12D
            SHA-512:32480914934142D1FB808CABF9651AF6295228766C39AB22CE4E1BC4E50555F03415E798D5117139AFE1482F7FFE8DE5F1014D5A3A0AF2DB490039621210EA31
            Malicious:false
            Preview:..[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.I.N.D.O.W.S. .N.T.$.".....C.l.a.s.s.=.H.I.D.C.l.a.s.s.....C.l.a.s.s.G.u.i.d.=.{.7.4.5.a.1.7.a.0.-.7.4.d.3.-.1.1.d.0.-.b.6.f.e.-.0.0.a.0.c.9.0.f.5.7.d.a.}.....P.r.o.v.i.d.e.r.=.%.P.r.o.v.i.d.e.r.S.t.r.i.n.g.%.....D.r.i.v.e.r.V.e.r. .=. .0.4./.0.3./.2.0.2.3.,.2.1...4...5.3...4.8.8.....C.a.t.a.l.o.g.F.i.l.e.=.w.u.d.f...c.a.t.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .C.l.a.s.s. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........;.[.C.l.a.s.s.I.n.s.t.a.l.l.3.2.].....;.A.d.d.r.e.g.=.F.I.D.O.C.l.a.s.s.R.e.g.........;.[.F.I.D.O.C.l.a.s.s.R.e.g.].....;.H.K.R.,.,.,.0.,.%.C.l.a.s.s.N.a.m.e.%.....;.H.K.R.,.,.I.c.o.n.,.,.-.5.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .D.e.v.i.c.e. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.S.t.r.i.n.g.%.=.I.D.m.e.l.o.n.,. .N.T.a.m.d.6.4...6...3.........[.I.D.m.e.l.o.n...N.T.a.m.d.6.4...6...3.].....%.D.e.v.i.c.
            Process:C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
            File Type:data
            Category:dropped
            Size (bytes):11622
            Entropy (8bit):7.262321244095951
            Encrypted:false
            SSDEEP:192:1fMl5zkpJC4eRe4fh8uEwFQbdxUNQlO8X01k9z3AXL9Wa38i:1Xp7Aeo8uExUKlO8R9zGpWa3z
            MD5:F99106D82F0FF3A7CEDEF078919DD359
            SHA1:C4281154C3B52B32467AB042B460333623033F3B
            SHA-256:51FA1FC1D6CBA95C28E0AA3D622DFEBF925548ACB5440CC3CD865ED1DDBCDC9F
            SHA-512:8F8DB7AC371C52F7C9622AADE894027B509D5EBD7FB75ED1C8813A7B1A01634EFCD25CEC0B8842E9FCC175550C39F3509A11D036F1247DF0E8E2F4B79E8790FA
            Malicious:false
            Process:C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
            File Type:Windows setup INFormation
            Category:dropped
            Size (bytes):4836
            Entropy (8bit):3.7387330079455343
            Encrypted:false
            SSDEEP:48:rRxR/zoP0dlUlyFxloQPxWmxxvVARfmwCfi6gDVkf3iQLt97Hu6/OgTgy7dCrXL5:rh/z9YRfmwCfiTQR97O4p4v9lsqs0sI
            MD5:8A71F48313969317868E08E1B8009DEF
            SHA1:3AE7FDACC7BEF1ECCDBEE2427E97ED90EFE2CF04
            SHA-256:09BB78FDE1F9681AACAA95880DB62B439DD6A25418D5E6BB44FB6EB90E66E12D
            SHA-512:32480914934142D1FB808CABF9651AF6295228766C39AB22CE4E1BC4E50555F03415E798D5117139AFE1482F7FFE8DE5F1014D5A3A0AF2DB490039621210EA31
            Malicious:false
            Preview:..[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.I.N.D.O.W.S. .N.T.$.".....C.l.a.s.s.=.H.I.D.C.l.a.s.s.....C.l.a.s.s.G.u.i.d.=.{.7.4.5.a.1.7.a.0.-.7.4.d.3.-.1.1.d.0.-.b.6.f.e.-.0.0.a.0.c.9.0.f.5.7.d.a.}.....P.r.o.v.i.d.e.r.=.%.P.r.o.v.i.d.e.r.S.t.r.i.n.g.%.....D.r.i.v.e.r.V.e.r. .=. .0.4./.0.3./.2.0.2.3.,.2.1...4...5.3...4.8.8.....C.a.t.a.l.o.g.F.i.l.e.=.w.u.d.f...c.a.t.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .C.l.a.s.s. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........;.[.C.l.a.s.s.I.n.s.t.a.l.l.3.2.].....;.A.d.d.r.e.g.=.F.I.D.O.C.l.a.s.s.R.e.g.........;.[.F.I.D.O.C.l.a.s.s.R.e.g.].....;.H.K.R.,.,.,.0.,.%.C.l.a.s.s.N.a.m.e.%.....;.H.K.R.,.,.I.c.o.n.,.,.-.5.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .D.e.v.i.c.e. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.S.t.r.i.n.g.%.=.I.D.m.e.l.o.n.,. .N.T.a.m.d.6.4...6...3.........[.I.D.m.e.l.o.n...N.T.a.m.d.6.4...6...3.].....%.D.e.v.i.c.
            Process:C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
            File Type:data
            Category:dropped
            Size (bytes):11622
            Entropy (8bit):7.262321244095951
            Encrypted:false
            SSDEEP:192:1fMl5zkpJC4eRe4fh8uEwFQbdxUNQlO8X01k9z3AXL9Wa38i:1Xp7Aeo8uExUKlO8R9zGpWa3z
            MD5:F99106D82F0FF3A7CEDEF078919DD359
            SHA1:C4281154C3B52B32467AB042B460333623033F3B
            SHA-256:51FA1FC1D6CBA95C28E0AA3D622DFEBF925548ACB5440CC3CD865ED1DDBCDC9F
            SHA-512:8F8DB7AC371C52F7C9622AADE894027B509D5EBD7FB75ED1C8813A7B1A01634EFCD25CEC0B8842E9FCC175550C39F3509A11D036F1247DF0E8E2F4B79E8790FA
            Malicious:false
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Jul 21 03:19:27 2024, mtime=Sun Jul 21 03:19:27 2024, atime=Sun Jul 21 03:19:27 2024, length=48, window=hide
            Category:dropped
            Size (bytes):1294
            Entropy (8bit):4.605254116068025
            Encrypted:false
            SSDEEP:24:8mM2xrIEfdOE4/yQSSWPK2WdUAmb+Nfd22WxWSd22WVVUUzkhzqygm:8m7hfdOHrjm6Nfd8dMW6kQyg
            MD5:519820256EA83BC9088AC6DCA38E1AE6
            SHA1:A23BE4C25E2CDD390BDC86F655613E4F15F79A78
            SHA-256:1F59617F308FA9E7F9D5B6D6B52427F6405874D9C82F428088E5E1A61DCE2FBF
            SHA-512:B6F13D6574618440EDA9A9DF12F02F674147BE6B03F1B8EADC1549C689CCA7575B065F0FFF29669965CD710EF15D12DF0A222ED9766F63D704F3EBBB5A24289E
            Malicious:false
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Jul 7 11:53:40 2024, mtime=Sun Jul 21 03:19:08 2024, atime=Sun Jul 7 11:53:40 2024, length=228392, window=hide
            Category:dropped
            Size (bytes):1269
            Entropy (8bit):4.594285112738516
            Encrypted:false
            SSDEEP:24:8mohxrIEfdOE4/y3lRWsKeWGcA3b+sxd22WxWGqgd22WVVUUzkhzqygm:8mghfdOY936AdlgdMW6kAyg
            MD5:CE6887747C5779862AD79FB501EB1ED9
            SHA1:4DA5BFD92A115D3BDBA16B87EED2B07EBBF5CED8
            SHA-256:E2351C1C8DDFBD164B23DA4D472182A9204B307A7643E50FB20A98D8894952E5
            SHA-512:8C39969D7A6C42A4EE2D31B5F8B8BB918E06E906A3F1BE1B750CE26E2AB9AD1C5B4B86F337E3F35D99A3D35A72D62E1BC3F7900358F3D9A4EC883AB5E42405FE
            Malicious:false
            Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Jul 21 03:19:27 2024, mtime=Sun Jul 21 03:19:27 2024, atime=Sun Jul 21 03:19:27 2024, length=175053, window=hide
            Category:dropped
            Size (bytes):1254
            Entropy (8bit):4.634421113079257
            Encrypted:false
            SSDEEP:24:8mzUxrIEfdOE4/yQSSW/NlHUAOb+Bkd22WTvgd22WVVUUzkhjqygm:8mzUhfdOCvDO6BkdSvgdMW6kgyg
            MD5:2CC38044CD7D29C232E3CA18785DF526
            SHA1:9BAF7845EA0E8929BA1DEA2B2D66BE3645302EDA
            SHA-256:D8059F2303F791DDABB0CE03AA16475F2BBE1AACE63DD6E2441550689135D9B3
            SHA-512:31EDFECDB5F59D6360B9A1F75AF1053117D000B74B091C33013EC4050ABE7C5F9067F6B92B9FD490438962929E46E36796DB29C91CE98C17705261FCBAC3AAA9
            Malicious:false
            Process:C:\Windows\System32\drvinst.exe
            File Type:Windows setup INFormation
            Category:dropped
            Size (bytes):4836
            Entropy (8bit):3.7387330079455343
            Encrypted:false
            SSDEEP:48:rRxR/zoP0dlUlyFxloQPxWmxxvVARfmwCfi6gDVkf3iQLt97Hu6/OgTgy7dCrXL5:rh/z9YRfmwCfiTQR97O4p4v9lsqs0sI
            MD5:8A71F48313969317868E08E1B8009DEF
            SHA1:3AE7FDACC7BEF1ECCDBEE2427E97ED90EFE2CF04
            SHA-256:09BB78FDE1F9681AACAA95880DB62B439DD6A25418D5E6BB44FB6EB90E66E12D
            SHA-512:32480914934142D1FB808CABF9651AF6295228766C39AB22CE4E1BC4E50555F03415E798D5117139AFE1482F7FFE8DE5F1014D5A3A0AF2DB490039621210EA31
            Malicious:false
            Preview:..[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.I.N.D.O.W.S. .N.T.$.".....C.l.a.s.s.=.H.I.D.C.l.a.s.s.....C.l.a.s.s.G.u.i.d.=.{.7.4.5.a.1.7.a.0.-.7.4.d.3.-.1.1.d.0.-.b.6.f.e.-.0.0.a.0.c.9.0.f.5.7.d.a.}.....P.r.o.v.i.d.e.r.=.%.P.r.o.v.i.d.e.r.S.t.r.i.n.g.%.....D.r.i.v.e.r.V.e.r. .=. .0.4./.0.3./.2.0.2.3.,.2.1...4...5.3...4.8.8.....C.a.t.a.l.o.g.F.i.l.e.=.w.u.d.f...c.a.t.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .C.l.a.s.s. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........;.[.C.l.a.s.s.I.n.s.t.a.l.l.3.2.].....;.A.d.d.r.e.g.=.F.I.D.O.C.l.a.s.s.R.e.g.........;.[.F.I.D.O.C.l.a.s.s.R.e.g.].....;.H.K.R.,.,.,.0.,.%.C.l.a.s.s.N.a.m.e.%.....;.H.K.R.,.,.I.c.o.n.,.,.-.5.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .D.e.v.i.c.e. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.S.t.r.i.n.g.%.=.I.D.m.e.l.o.n.,. .N.T.a.m.d.6.4...6...3.........[.I.D.m.e.l.o.n...N.T.a.m.d.6.4...6...3.].....%.D.e.v.i.c.
            Process:C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
            File Type:Generic INItialization configuration [BeginLog]
            Category:dropped
            Size (bytes):64070
            Entropy (8bit):5.175032286156773
            Encrypted:false
            SSDEEP:768:Own95cdyYloiwnlz2eC67DaUZ3DOsN1/8Yda1d:O+5cdyeoiwllCOpiCrkd
            MD5:09B3427C76D5D393710E591E049D1E88
            SHA1:E9EDA089522AAC849B41F3076B1875D0D6E06FE6
            SHA-256:2B0F7E0E3CB2C265ADA8F3BBD257F582C9AB1ABD2F6B60B8C8FCADED5612321C
            SHA-512:C628203A32A1496860710CBD3BB19FE980344534FB388A3744CA29033194161374620ACC0B4F99DBD5174D641D9FDDACEE5781C8908308995490544A31F3391B
            Malicious:false
            Preview:[Device Install Log].. OS Version = 10.0.19045.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2023/10/03 09:57:02.288]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2023/10/03 09:57:37.904.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.19041.1806.. inf: Catalog File: prnms009.cat.. ump: Import flags: 0x0000000D.. pol: {Driver package policy check} 09:57:37.920.. pol: {Driver package policy check - exit(0x00000000)} 09:57:37.920.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf:
            Process:C:\Windows\System32\drvinst.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):52944
            Entropy (8bit):6.483483863603903
            Encrypted:false
            SSDEEP:1536:nXVCxosSAPn6cWynO6SUJhUZnY1PdBmz:XVzsZPnNWykLnYBm
            MD5:42BB134409EB5B648998844608434CD7
            SHA1:492284DD87E06372E6DDCA23D64C8B2FC771077B
            SHA-256:0B502F92BF3B6B975D88EA60A2288134C18B3B28BC93A3482ED4C336B7DC674B
            SHA-512:DAF807A2384A22425812DE390CCB33491874E206F5E9F6A9CCD16180D653A9F3DD2D659E1E668A32AAE5E974B800620CF9246355CF6FE02B0172E67BD62B010A
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Windows\System32\drvinst.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):52944
            Entropy (8bit):6.483483863603903
            Encrypted:false
            SSDEEP:1536:nXVCxosSAPn6cWynO6SUJhUZnY1PdBmz:XVzsZPnNWykLnYBm
            MD5:42BB134409EB5B648998844608434CD7
            SHA1:492284DD87E06372E6DDCA23D64C8B2FC771077B
            SHA-256:0B502F92BF3B6B975D88EA60A2288134C18B3B28BC93A3482ED4C336B7DC674B
            SHA-512:DAF807A2384A22425812DE390CCB33491874E206F5E9F6A9CCD16180D653A9F3DD2D659E1E668A32AAE5E974B800620CF9246355CF6FE02B0172E67BD62B010A
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Process:C:\Windows\System32\drvinst.exe
            File Type:Windows setup INFormation
            Category:dropped
            Size (bytes):4836
            Entropy (8bit):3.7387330079455343
            Encrypted:false
            SSDEEP:48:rRxR/zoP0dlUlyFxloQPxWmxxvVARfmwCfi6gDVkf3iQLt97Hu6/OgTgy7dCrXL5:rh/z9YRfmwCfiTQR97O4p4v9lsqs0sI
            MD5:8A71F48313969317868E08E1B8009DEF
            SHA1:3AE7FDACC7BEF1ECCDBEE2427E97ED90EFE2CF04
            SHA-256:09BB78FDE1F9681AACAA95880DB62B439DD6A25418D5E6BB44FB6EB90E66E12D
            SHA-512:32480914934142D1FB808CABF9651AF6295228766C39AB22CE4E1BC4E50555F03415E798D5117139AFE1482F7FFE8DE5F1014D5A3A0AF2DB490039621210EA31
            Malicious:false
            Preview:..[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.I.N.D.O.W.S. .N.T.$.".....C.l.a.s.s.=.H.I.D.C.l.a.s.s.....C.l.a.s.s.G.u.i.d.=.{.7.4.5.a.1.7.a.0.-.7.4.d.3.-.1.1.d.0.-.b.6.f.e.-.0.0.a.0.c.9.0.f.5.7.d.a.}.....P.r.o.v.i.d.e.r.=.%.P.r.o.v.i.d.e.r.S.t.r.i.n.g.%.....D.r.i.v.e.r.V.e.r. .=. .0.4./.0.3./.2.0.2.3.,.2.1...4...5.3...4.8.8.....C.a.t.a.l.o.g.F.i.l.e.=.w.u.d.f...c.a.t.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .C.l.a.s.s. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........;.[.C.l.a.s.s.I.n.s.t.a.l.l.3.2.].....;.A.d.d.r.e.g.=.F.I.D.O.C.l.a.s.s.R.e.g.........;.[.F.I.D.O.C.l.a.s.s.R.e.g.].....;.H.K.R.,.,.,.0.,.%.C.l.a.s.s.N.a.m.e.%.....;.H.K.R.,.,.I.c.o.n.,.,.-.5.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .D.e.v.i.c.e. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.S.t.r.i.n.g.%.=.I.D.m.e.l.o.n.,. .N.T.a.m.d.6.4...6...3.........[.I.D.m.e.l.o.n...N.T.a.m.d.6.4...6...3.].....%.D.e.v.i.c.
            Process:C:\Windows\System32\drvinst.exe
            File Type:data
            Category:dropped
            Size (bytes):11622
            Entropy (8bit):7.262321244095951
            Encrypted:false
            SSDEEP:192:1fMl5zkpJC4eRe4fh8uEwFQbdxUNQlO8X01k9z3AXL9Wa38i:1Xp7Aeo8uExUKlO8R9zGpWa3z
            MD5:F99106D82F0FF3A7CEDEF078919DD359
            SHA1:C4281154C3B52B32467AB042B460333623033F3B
            SHA-256:51FA1FC1D6CBA95C28E0AA3D622DFEBF925548ACB5440CC3CD865ED1DDBCDC9F
            SHA-512:8F8DB7AC371C52F7C9622AADE894027B509D5EBD7FB75ED1C8813A7B1A01634EFCD25CEC0B8842E9FCC175550C39F3509A11D036F1247DF0E8E2F4B79E8790FA
            Malicious:false
            Process:C:\Windows\System32\drvinst.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):3474
            Entropy (8bit):5.365245879450685
            Encrypted:false
            SSDEEP:96:QO00eO00erMwUgWUg0B1kE3ZhpJp8ZpkRepk3s5pmspmZx:QO00eO00erMwmkB1kA3
            MD5:7D220125EF92AB71FCEDBAF34CCCC9FC
            SHA1:0AC6EE7B5EEF0399EF638EC9EC2A68994E55BA19
            SHA-256:24FF6CADD4FB951B287ED6F6829CC69443B5E38F124775E26DA9ACB1488EBE68
            SHA-512:65AE74CE051E0A91D5684CEA0278702EDA18557B844CDCAA6F181158DBAA87B2DBFF6F11E4744CEE418FC5B71CBD933BA1B39A4C07A84DB3F18D1A59D4F5D85C
            Malicious:false
            Preview:
            CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409
            CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409
            CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409
            CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409
            CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409
            CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409
            CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2083 encountered JET error -1409
            CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2459 encountered JET error -1409
            CatalogDB: 08:57:12 03/10/2023: SyncAllDBs Corruption or Schema Change
            CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #891 encountered JET error -1409
            CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #1307 encountered JET error -1601
            CatalogDB: 08:57:12 03/10/2023: SyncDB:: Sync sta
            Process:C:\Windows\System32\drvinst.exe
            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):52944
            Entropy (8bit):6.483483863603903
            Encrypted:false
            SSDEEP:1536:nXVCxosSAPn6cWynO6SUJhUZnY1PdBmz:XVzsZPnNWykLnYBm
            MD5:42BB134409EB5B648998844608434CD7
            SHA1:492284DD87E06372E6DDCA23D64C8B2FC771077B
            SHA-256:0B502F92BF3B6B975D88EA60A2288134C18B3B28BC93A3482ED4C336B7DC674B
            SHA-512:DAF807A2384A22425812DE390CCB33491874E206F5E9F6A9CCD16180D653A9F3DD2D659E1E668A32AAE5E974B800620CF9246355CF6FE02B0172E67BD62B010A
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
            Entropy (8bit):7.996926513434255
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            File size:32'784'232 bytes
            MD5:c0d645827131ac1166dbe06d45511323
            SHA1:1dfa4d4a7ad6817f3d774ecf1fea7b6730f6cbac
            SHA256:3b0dc5d40dc74076656f303aa3652910d44ac2cf6492a4a405c6652a4e777714
            SHA512:d7cd126057605d28f5dab766a667a5e6b4a18bb371922df3c60a2f56c3d5555869f1e9734fb703cda1fb73a1551807f968aff060c763024f7fdde695ea00895d
            SSDEEP:786432:15db9hUqgrj2a4Zt4OeuJb394BkSCkhh6CN+v3cMB:15dbvUqYd4L4O/JbKBBBh/N+cMB
            TLSH:267733C877519E36F9FCD3762A61204CFCA86ED37680F40E6405B357EA3F9A249C4A19
            Icon Hash:183d47474b433d85
            Entrypoint:0x403552
            Entrypoint Section:.text
            Digitally signed:true
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x660843FB [Sat Mar 30 16:55:23 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f4639a0b3116c2cfc71144b88a929cfd
            Signature Valid:false
            Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
            Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
            Error Number:-2146762495
            Not Before, Not After
            • 08/05/2024 21:43:05, 15/06/2025 22:25:45
            Subject Chain
            • CN=IDMELON TECHNOLOGIES INC., O=IDMELON TECHNOLOGIES INC., L=Vancouver, S=British Columbia, C=CA, OID.1.3.6.1.4.1.311.60.2.1.2=British Columbia, OID.1.3.6.1.4.1.311.60.2.1.3=CA, SERIALNUMBER=BC1233812, OID.2.5.4.15=Private Organization
            Version:3
            Thumbprint MD5:BFF7C718161D1B0634325495D4B5FD56
            Thumbprint SHA-1:02C6A1A590289496DCA4D0C7997872B2081DF44F
            Thumbprint SHA-256:5D1F98182AB7C9B075B727E829DBB46C0C7A69ECEC32C5C9C7230713EDA617BA
            Serial:5D1D6B9CF96BC0FC88A26BE6
            Instruction
            sub esp, 000003F8h
            push ebp
            push esi
            push edi
            push 00000020h
            pop edi
            xor ebp, ebp
            push 00008001h
            mov dword ptr [esp+20h], ebp
            mov dword ptr [esp+18h], 0040A2D8h
            mov dword ptr [esp+14h], ebp
            call dword ptr [004080A4h]
            mov esi, dword ptr [004080A8h]
            lea eax, dword ptr [esp+34h]
            push eax
            mov dword ptr [esp+4Ch], ebp
            mov dword ptr [esp+0000014Ch], ebp
            mov dword ptr [esp+00000150h], ebp
            mov dword ptr [esp+38h], 0000011Ch
            call esi
            test eax, eax
            jne 00007FACD07DC9CAh
            lea eax, dword ptr [esp+34h]
            mov dword ptr [esp+34h], 00000114h
            push eax
            call esi
            mov ax, word ptr [esp+48h]
            mov ecx, dword ptr [esp+62h]
            sub ax, 00000053h
            add ecx, FFFFFFD0h
            neg ax
            sbb eax, eax
            mov byte ptr [esp+0000014Eh], 00000004h
            not eax
            and eax, ecx
            mov word ptr [esp+00000148h], ax
            cmp dword ptr [esp+38h], 0Ah
            jnc 00007FACD07DC998h
            and word ptr [esp+42h], 0000h
            mov eax, dword ptr [esp+40h]
            movzx ecx, byte ptr [esp+3Ch]
            mov dword ptr [004347B8h], eax
            xor eax, eax
            mov ah, byte ptr [esp+38h]
            movzx eax, ax
            or eax, ecx
            xor ecx, ecx
            mov ch, byte ptr [esp+00000148h]
            movzx ecx, cx
            shl eax, 10h
            or eax, ecx
            movzx ecx, byte ptr [esp+0000004Eh]
            Programming Language:
            • [EXP] VC++ 6.0 SP5 build 8804
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8608 | 0xa0 | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x49000 | 0x1afb8 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1f42d40 | 0x1228 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x68f8 | 0x6a00 | 595406ea4e71ef6f8675a1bd30bcc8f9 | False | 0.6703272405660378 | data | 6.482222402519068 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x8000 | 0x1464 | 0x1600 | a995b118b38426885fc6ccaa984c8b7a | False | 0.4314630681818182 | data | 4.969091535632612 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xa000 | 0x2a818 | 0x600 | 7a91ec9f1c18e608c3f3f503ba4191c1 | False | 0.5221354166666666 | data | 4.165541189894117 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .ndata | 0x35000 | 0x14000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0x49000 | 0x1afb8 | 0x1b000 | b2ca111a8128155706cf577de71e383f | False | 0.1403175636574074 | data | 3.615451346061621 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0x492f8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 8504 x 8504 px/m | English | United States | 0.04499881698805158
            RT_ICON | 0x59b20 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 8504 x 8504 px/m | English | United States | 0.08384506376948513
            RT_ICON | 0x5dd48 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 8504 x 8504 px/m | English | United States | 0.11784232365145228
            RT_ICON | 0x602f0 | 0x1c6b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9774570446735396
            RT_ICON | 0x61f60 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 8504 x 8504 px/m | English | United States | 0.16674484052532834
            RT_ICON | 0x63008 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 8504 x 8504 px/m | English | United States | 0.32092198581560283
            RT_DIALOG | 0x63470 | 0x202 | data | English | United States | 0.4085603112840467
            RT_DIALOG | 0x63678 | 0xf8 | data | English | United States | 0.6290322580645161
            RT_DIALOG | 0x63770 | 0xa0 | data | English | United States | 0.60625
            RT_DIALOG | 0x63810 | 0xee | data | English | United States | 0.6302521008403361
            RT_GROUP_ICON | 0x63900 | 0x5a | data | English | United States | 0.7777777777777778
            RT_VERSION | 0x63960 | 0x224 | data | English | United States | 0.5145985401459854
            RT_MANIFEST | 0x63b88 | 0x42e | XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators | English | United States | 0.5130841121495328
            DLL | Import
            ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
            SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
            ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
            COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
            USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
            GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
            KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW
            Language of compilation system | Country where language is spoken | Map
            English | United States |
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Jul 21, 2024 06:19:17.071667910 CEST | 49714 | 443 | 192.168.2.6 | 52.35.62.19
            Jul 21, 2024 06:19:17.071690083 CEST | 443 | 49714 | 52.35.62.19 | 192.168.2.6
            Jul 21, 2024 06:19:17.071758986 CEST | 49714 | 443 | 192.168.2.6 | 52.35.62.19
            Jul 21, 2024 06:19:17.087590933 CEST | 49714 | 443 | 192.168.2.6 | 52.35.62.19
            Jul 21, 2024 06:19:17.087606907 CEST | 443 | 49714 | 52.35.62.19 | 192.168.2.6
            Jul 21, 2024 06:19:21.272145987 CEST | 443 | 49714 | 52.35.62.19 | 192.168.2.6
            Jul 21, 2024 06:19:21.272222996 CEST | 49714 | 443 | 192.168.2.6 | 52.35.62.19
            Jul 21, 2024 06:19:21.276221991 CEST | 49714 | 443 | 192.168.2.6 | 52.35.62.19
            Jul 21, 2024 06:19:21.276236057 CEST | 443 | 49714 | 52.35.62.19 | 192.168.2.6
            Jul 21, 2024 06:19:21.276690006 CEST | 443 | 49714 | 52.35.62.19 | 192.168.2.6
            Jul 21, 2024 06:19:21.329802990 CEST | 49714 | 443 | 192.168.2.6 | 52.35.62.19
            Jul 21, 2024 06:19:21.330688953 CEST | 49714 | 443 | 192.168.2.6 | 52.35.62.19
            Jul 21, 2024 06:19:21.376494884 CEST | 443 | 49714 | 52.35.62.19 | 192.168.2.6
            Jul 21, 2024 06:19:21.509891987 CEST | 443 | 49714 | 52.35.62.19 | 192.168.2.6
            Jul 21, 2024 06:19:21.525719881 CEST | 49714 | 443 | 192.168.2.6 | 52.35.62.19
            Jul 21, 2024 06:19:21.525741100 CEST | 443 | 49714 | 52.35.62.19 | 192.168.2.6
            Jul 21, 2024 06:19:22.186197042 CEST | 443 | 49714 | 52.35.62.19 | 192.168.2.6
            Jul 21, 2024 06:19:22.186273098 CEST | 49714 | 443 | 192.168.2.6 | 52.35.62.19
            Jul 21, 2024 06:19:22.186376095 CEST | 443 | 49714 | 52.35.62.19 | 192.168.2.6
            Jul 21, 2024 06:19:22.186507940 CEST | 443 | 49714 | 52.35.62.19 | 192.168.2.6
            Jul 21, 2024 06:19:22.186706066 CEST | 49714 | 443 | 192.168.2.6 | 52.35.62.19
            Jul 21, 2024 06:19:22.197582960 CEST | 49714 | 443 | 192.168.2.6 | 52.35.62.19
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Jul 21, 2024 06:19:17.013885021 CEST | 62780 | 53 | 192.168.2.6 | 1.1.1.1
            Jul 21, 2024 06:19:17.059649944 CEST | 53 | 62780 | 1.1.1.1 | 192.168.2.6
            Timestamp | Source IP | Dest IP | Checksum | Code | Type
            Jul 21, 2024 06:19:27.026731968 CEST | 192.168.2.6 | 8.8.8.8 | f7fd | | Echo
            Jul 21, 2024 06:19:27.033194065 CEST | 8.8.8.8 | 192.168.2.6 | fffd | | Echo Reply
            Jul 21, 2024 06:19:31.034248114 CEST | 192.168.2.6 | 8.8.8.8 | f7fc | | Echo
            Jul 21, 2024 06:19:31.041356087 CEST | 8.8.8.8 | 192.168.2.6 | fffc | | Echo Reply
            Jul 21, 2024 06:19:35.051322937 CEST | 192.168.2.6 | 8.8.8.8 | f7fb | | Echo
            Jul 21, 2024 06:19:35.057750940 CEST | 8.8.8.8 | 192.168.2.6 | fffb | | Echo Reply
            Jul 21, 2024 06:19:39.065367937 CEST | 192.168.2.6 | 8.8.8.8 | f7fa | | Echo
            Jul 21, 2024 06:19:39.131911993 CEST | 8.8.8.8 | 192.168.2.6 | fffa | | Echo Reply
            Jul 21, 2024 06:19:43.080698013 CEST | 192.168.2.6 | 8.8.8.8 | f7f9 | | Echo
            Jul 21, 2024 06:19:43.087179899 CEST | 8.8.8.8 | 192.168.2.6 | fff9 | | Echo Reply
            Jul 21, 2024 06:19:47.097623110 CEST | 192.168.2.6 | 8.8.8.8 | f7f8 | | Echo
            Jul 21, 2024 06:19:47.104041100 CEST | 8.8.8.8 | 192.168.2.6 | fff8 | | Echo Reply
            Jul 21, 2024 06:19:51.125521898 CEST | 192.168.2.6 | 8.8.8.8 | f7f7 | | Echo
            Jul 21, 2024 06:19:51.131860971 CEST | 8.8.8.8 | 192.168.2.6 | fff7 | | Echo Reply
            Jul 21, 2024 06:19:55.111901045 CEST | 192.168.2.6 | 8.8.8.8 | f7f6 | | Echo
            Jul 21, 2024 06:19:55.118300915 CEST | 8.8.8.8 | 192.168.2.6 | fff6 | | Echo Reply
            Jul 21, 2024 06:19:59.111824989 CEST | 192.168.2.6 | 8.8.8.8 | f7f5 | | Echo
            Jul 21, 2024 06:19:59.118210077 CEST | 8.8.8.8 | 192.168.2.6 | fff5 | | Echo Reply
            Jul 21, 2024 06:20:03.112027884 CEST | 192.168.2.6 | 8.8.8.8 | f7f4 | | Echo
            Jul 21, 2024 06:20:03.118612051 CEST | 8.8.8.8 | 192.168.2.6 | fff4 | | Echo Reply
            Jul 21, 2024 06:20:07.111882925 CEST | 192.168.2.6 | 8.8.8.8 | f7f3 | | Echo
            Jul 21, 2024 06:20:07.118201017 CEST | 8.8.8.8 | 192.168.2.6 | fff3 | | Echo Reply
            Jul 21, 2024 06:20:11.112356901 CEST | 192.168.2.6 | 8.8.8.8 | f7f2 | | Echo
            Jul 21, 2024 06:20:11.118969917 CEST | 8.8.8.8 | 192.168.2.6 | fff2 | | Echo Reply
            Jul 21, 2024 06:20:15.112726927 CEST | 192.168.2.6 | 8.8.8.8 | f7f1 | | Echo
            Jul 21, 2024 06:20:15.119285107 CEST | 8.8.8.8 | 192.168.2.6 | fff1 | | Echo Reply
            Jul 21, 2024 06:20:19.126511097 CEST | 192.168.2.6 | 8.8.8.8 | f7f0 | | Echo
            Jul 21, 2024 06:20:19.132972956 CEST | 8.8.8.8 | 192.168.2.6 | fff0 | | Echo Reply
            Jul 21, 2024 06:20:23.141405106 CEST | 192.168.2.6 | 8.8.8.8 | f7ef | | Echo
            Jul 21, 2024 06:20:23.147850037 CEST | 8.8.8.8 | 192.168.2.6 | ffef | | Echo Reply
            Jul 21, 2024 06:20:27.158811092 CEST | 192.168.2.6 | 8.8.8.8 | f7ee | | Echo
            Jul 21, 2024 06:20:27.165354013 CEST | 8.8.8.8 | 192.168.2.6 | ffee | | Echo Reply
            Jul 21, 2024 06:20:31.171618938 CEST | 192.168.2.6 | 8.8.8.8 | f7ed | | Echo
            Jul 21, 2024 06:20:31.177917957 CEST | 8.8.8.8 | 192.168.2.6 | ffed | | Echo Reply
            Jul 21, 2024 06:20:34.362016916 CEST | 192.168.2.6 | 8.8.8.8 | f7ec | | Echo
            Jul 21, 2024 06:20:34.368293047 CEST | 8.8.8.8 | 192.168.2.6 | ffec | | Echo Reply
            Jul 21, 2024 06:20:38.369170904 CEST | 192.168.2.6 | 8.8.8.8 | f7eb | | Echo
            Jul 21, 2024 06:20:38.375802040 CEST | 8.8.8.8 | 192.168.2.6 | ffeb | | Echo Reply
            Jul 21, 2024 06:20:38.658817053 CEST | 192.168.2.6 | 8.8.8.8 | f7ea | | Echo
            Jul 21, 2024 06:20:38.665328026 CEST | 8.8.8.8 | 192.168.2.6 | ffea | | Echo Reply
            Jul 21, 2024 06:20:40.518182993 CEST | 192.168.2.6 | 8.8.8.8 | f7e9 | | Echo
            Jul 21, 2024 06:20:40.524653912 CEST | 8.8.8.8 | 192.168.2.6 | ffe9 | | Echo Reply
            Jul 21, 2024 06:20:41.518702984 CEST | 192.168.2.6 | 8.8.8.8 | f7e8 | | Echo
            Jul 21, 2024 06:20:41.525419950 CEST | 8.8.8.8 | 192.168.2.6 | ffe8 | | Echo Reply
            Jul 21, 2024 06:20:45.526959896 CEST | 192.168.2.6 | 8.8.8.8 | f7e7 | | Echo
            Jul 21, 2024 06:20:45.533344984 CEST | 8.8.8.8 | 192.168.2.6 | ffe7 | | Echo Reply
            Jul 21, 2024 06:20:48.534858942 CEST | 192.168.2.6 | 8.8.8.8 | f7e6 | | Echo
            Jul 21, 2024 06:20:48.541579962 CEST | 8.8.8.8 | 192.168.2.6 | ffe6 | | Echo Reply
            Jul 21, 2024 06:20:52.536968946 CEST | 192.168.2.6 | 8.8.8.8 | f7e5 | | Echo
            Jul 21, 2024 06:20:52.543271065 CEST | 8.8.8.8 | 192.168.2.6 | ffe5 | | Echo Reply
            Jul 21, 2024 06:20:56.536676884 CEST | 192.168.2.6 | 8.8.8.8 | f7e4 | | Echo
            Jul 21, 2024 06:20:56.543171883 CEST | 8.8.8.8 | 192.168.2.6 | ffe4 | | Echo Reply
            Jul 21, 2024 06:20:57.799551010 CEST | 192.168.2.6 | 8.8.8.8 | f7e3 | | Echo
            Jul 21, 2024 06:20:57.805807114 CEST | 8.8.8.8 | 192.168.2.6 | ffe3 | | Echo Reply
            Jul 21, 2024 06:21:01.096896887 CEST | 192.168.2.6 | 8.8.8.8 | f7e2 | | Echo
            Jul 21, 2024 06:21:01.103413105 CEST | 8.8.8.8 | 192.168.2.6 | ffe2 | | Echo Reply
            Jul 21, 2024 06:21:05.107027054 CEST | 192.168.2.6 | 8.8.8.8 | f7e1 | | Echo
            Jul 21, 2024 06:21:05.114154100 CEST | 8.8.8.8 | 192.168.2.6 | ffe1 | | Echo Reply
            Jul 21, 2024 06:21:08.690512896 CEST | 192.168.2.6 | 8.8.8.8 | f7e0 | | Echo
            Jul 21, 2024 06:21:08.697041035 CEST | 8.8.8.8 | 192.168.2.6 | ffe0 | | Echo Reply
            Jul 21, 2024 06:21:09.487955093 CEST | 192.168.2.6 | 8.8.8.8 | f7df | | Echo
            Jul 21, 2024 06:21:09.494282961 CEST | 8.8.8.8 | 192.168.2.6 | ffdf | | Echo Reply
            Jul 21, 2024 06:21:13.501061916 CEST | 192.168.2.6 | 8.8.8.8 | f7de | | Echo
            Jul 21, 2024 06:21:13.507642984 CEST | 8.8.8.8 | 192.168.2.6 | ffde | | Echo Reply
            Jul 21, 2024 06:21:17.515779018 CEST | 192.168.2.6 | 8.8.8.8 | f7dd | | Echo
            Jul 21, 2024 06:21:17.522131920 CEST | 8.8.8.8 | 192.168.2.6 | ffdd | | Echo Reply
            Jul 21, 2024 06:21:18.424530983 CEST | 192.168.2.6 | 8.8.8.8 | f7dc | | Echo
            Jul 21, 2024 06:21:18.431015968 CEST | 8.8.8.8 | 192.168.2.6 | ffdc | | Echo Reply
            Jul 21, 2024 06:21:20.159064054 CEST | 192.168.2.6 | 8.8.8.8 | f7db | | Echo
            Jul 21, 2024 06:21:20.165632963 CEST | 8.8.8.8 | 192.168.2.6 | ffdb | | Echo Reply
            Jul 21, 2024 06:21:21.846776962 CEST | 192.168.2.6 | 8.8.8.8 | f7da | | Echo
            Jul 21, 2024 06:21:21.853038073 CEST | 8.8.8.8 | 192.168.2.6 | ffda | | Echo Reply
            Jul 21, 2024 06:21:24.674746990 CEST | 192.168.2.6 | 8.8.8.8 | f7d9 | | Echo
            Jul 21, 2024 06:21:24.681108952 CEST | 8.8.8.8 | 192.168.2.6 | ffd9 | | Echo Reply
            Jul 21, 2024 06:21:26.034018040 CEST | 192.168.2.6 | 8.8.8.8 | f7d8 | | Echo
            Jul 21, 2024 06:21:26.040699959 CEST | 8.8.8.8 | 192.168.2.6 | ffd8 | | Echo Reply
            Jul 21, 2024 06:21:26.174817085 CEST | 192.168.2.6 | 8.8.8.8 | f7d7 | | Echo
            Jul 21, 2024 06:21:26.181377888 CEST | 8.8.8.8 | 192.168.2.6 | ffd7 | | Echo Reply
            Jul 21, 2024 06:21:28.143188953 CEST | 192.168.2.6 | 8.8.8.8 | f7d6 | | Echo
            Jul 21, 2024 06:21:28.150295019 CEST | 8.8.8.8 | 192.168.2.6 | ffd6 | | Echo Reply
            Jul 21, 2024 06:21:29.627953053 CEST | 192.168.2.6 | 8.8.8.8 | f7d5 | | Echo
            Jul 21, 2024 06:21:29.634474993 CEST | 8.8.8.8 | 192.168.2.6 | ffd5 | | Echo Reply
            Jul 21, 2024 06:21:33.635401964 CEST | 192.168.2.6 | 8.8.8.8 | f7d4 | | Echo
            Jul 21, 2024 06:21:33.641905069 CEST | 8.8.8.8 | 192.168.2.6 | ffd4 | | Echo Reply
            Jul 21, 2024 06:21:34.721831083 CEST | 192.168.2.6 | 8.8.8.8 | f7d3 | | Echo
            Jul 21, 2024 06:21:34.733186007 CEST | 8.8.8.8 | 192.168.2.6 | ffd3 | | Echo Reply
            Jul 21, 2024 06:21:35.346913099 CEST | 192.168.2.6 | 8.8.8.8 | f7d2 | | Echo
            Jul 21, 2024 06:21:35.354043961 CEST | 8.8.8.8 | 192.168.2.6 | ffd2 | | Echo Reply
            Jul 21, 2024 06:21:39.362946033 CEST | 192.168.2.6 | 8.8.8.8 | f7d1 | | Echo
            Jul 21, 2024 06:21:39.369288921 CEST | 8.8.8.8 | 192.168.2.6 | ffd1 | | Echo Reply
            Jul 21, 2024 06:21:43.376950979 CEST | 192.168.2.6 | 8.8.8.8 | f7d0 | | Echo
            Jul 21, 2024 06:21:43.383358955 CEST | 8.8.8.8 | 192.168.2.6 | ffd0 | | Echo Reply
            Jul 21, 2024 06:21:47.390235901 CEST | 192.168.2.6 | 8.8.8.8 | f7cf | | Echo
            Jul 21, 2024 06:21:47.396467924 CEST | 8.8.8.8 | 192.168.2.6 | ffcf | | Echo Reply
            Jul 21, 2024 06:21:51.406943083 CEST | 192.168.2.6 | 8.8.8.8 | f7ce | | Echo
            Jul 21, 2024 06:21:51.413285017 CEST | 8.8.8.8 | 192.168.2.6 | ffce | | Echo Reply
            Jul 21, 2024 06:21:53.065016985 CEST | 192.168.2.6 | 8.8.8.8 | f7cd | | Echo
            Jul 21, 2024 06:21:53.071377993 CEST | 8.8.8.8 | 192.168.2.6 | ffcd | | Echo Reply
            Jul 21, 2024 06:21:54.690051079 CEST | 192.168.2.6 | 8.8.8.8 | f7cc | | Echo
            Jul 21, 2024 06:21:54.696590900 CEST | 8.8.8.8 | 192.168.2.6 | ffcc | | Echo Reply
            Jul 21, 2024 06:21:55.534950018 CEST | 192.168.2.6 | 8.8.8.8 | f7cb | | Echo
            Jul 21, 2024 06:21:55.541596889 CEST | 8.8.8.8 | 192.168.2.6 | ffcb | | Echo Reply
            Jul 21, 2024 06:21:55.786946058 CEST | 192.168.2.6 | 8.8.8.8 | f7ca | | Echo
            Jul 21, 2024 06:21:55.793339968 CEST | 8.8.8.8 | 192.168.2.6 | ffca | | Echo Reply
            Jul 21, 2024 06:21:59.627578020 CEST | 192.168.2.6 | 8.8.8.8 | f7c9 | | Echo
            Jul 21, 2024 06:21:59.633841991 CEST | 8.8.8.8 | 192.168.2.6 | ffc9 | | Echo Reply
            Jul 21, 2024 06:22:02.143269062 CEST | 192.168.2.6 | 8.8.8.8 | f7c8 | | Echo
            Jul 21, 2024 06:22:02.149471045 CEST | 8.8.8.8 | 192.168.2.6 | ffc8 | | Echo Reply
            Jul 21, 2024 06:22:06.142633915 CEST | 192.168.2.6 | 8.8.8.8 | f7c7 | | Echo
            Jul 21, 2024 06:22:06.149374008 CEST | 8.8.8.8 | 192.168.2.6 | ffc7 | | Echo Reply
            Jul 21, 2024 06:22:08.598901033 CEST | 192.168.2.6 | 8.8.8.8 | f7c6 | | Echo
            Jul 21, 2024 06:22:08.605201006 CEST | 8.8.8.8 | 192.168.2.6 | ffc6 | | Echo Reply
            Jul 21, 2024 06:22:12.606069088 CEST | 192.168.2.6 | 8.8.8.8 | f7c5 | | Echo
            Jul 21, 2024 06:22:12.612652063 CEST | 8.8.8.8 | 192.168.2.6 | ffc5 | | Echo Reply
            Jul 21, 2024 06:22:14.658900023 CEST | 192.168.2.6 | 8.8.8.8 | f7c4 | | Echo
            Jul 21, 2024 06:22:14.665112972 CEST | 8.8.8.8 | 192.168.2.6 | ffc4 | | Echo Reply
            Jul 21, 2024 06:22:15.752572060 CEST | 192.168.2.6 | 8.8.8.8 | f7c3 | | Echo
            Jul 21, 2024 06:22:15.758683920 CEST | 8.8.8.8 | 192.168.2.6 | ffc3 | | Echo Reply
            Jul 21, 2024 06:22:16.096333981 CEST | 192.168.2.6 | 8.8.8.8 | f7c2 | | Echo
            Jul 21, 2024 06:22:16.102607965 CEST | 8.8.8.8 | 192.168.2.6 | ffc2 | | Echo Reply
            Jul 21, 2024 06:22:18.549559116 CEST | 192.168.2.6 | 8.8.8.8 | f7c1 | | Echo
            Jul 21, 2024 06:22:18.555851936 CEST | 8.8.8.8 | 192.168.2.6 | ffc1 | | Echo Reply
            Jul 21, 2024 06:22:22.556044102 CEST | 192.168.2.6 | 8.8.8.8 | f7c0 | | Echo
            Jul 21, 2024 06:22:22.562463999 CEST | 8.8.8.8 | 192.168.2.6 | ffc0 | | Echo Reply
            Jul 21, 2024 06:22:26.571078062 CEST | 192.168.2.6 | 8.8.8.8 | f7bf | | Echo
            Jul 21, 2024 06:22:26.577528000 CEST | 8.8.8.8 | 192.168.2.6 | ffbf | | Echo Reply
            Jul 21, 2024 06:22:30.585798979 CEST | 192.168.2.6 | 8.8.8.8 | f7be | | Echo
            Jul 21, 2024 06:22:30.592386961 CEST | 8.8.8.8 | 192.168.2.6 | ffbe | | Echo Reply
            Jul 21, 2024 06:22:34.602962017 CEST | 192.168.2.6 | 8.8.8.8 | f7bd | | Echo
            Jul 21, 2024 06:22:34.609833002 CEST | 8.8.8.8 | 192.168.2.6 | ffbd | | Echo Reply
            Jul 21, 2024 06:22:38.615673065 CEST | 192.168.2.6 | 8.8.8.8 | f7bc | | Echo
            Jul 21, 2024 06:22:38.622164965 CEST | 8.8.8.8 | 192.168.2.6 | ffbc | | Echo Reply
            Jul 21, 2024 06:22:42.408837080 CEST | 192.168.2.6 | 8.8.8.8 | f7bb | | Echo
            Jul 21, 2024 06:22:42.415030956 CEST8.8.8.8192.168.2.6ffbbEcho Reply
            Jul 21, 2024 06:22:46.422442913 CEST192.168.2.68.8.8.8f7baEcho
            Jul 21, 2024 06:22:46.428848982 CEST8.8.8.8192.168.2.6ffbaEcho Reply
            Jul 21, 2024 06:22:50.174978018 CEST192.168.2.68.8.8.8f7b9Echo
            Jul 21, 2024 06:22:50.181389093 CEST8.8.8.8192.168.2.6ffb9Echo Reply
            Jul 21, 2024 06:22:52.817439079 CEST192.168.2.68.8.8.8f7b8Echo
            Jul 21, 2024 06:22:52.823833942 CEST8.8.8.8192.168.2.6ffb8Echo Reply
            Jul 21, 2024 06:22:56.818418980 CEST192.168.2.68.8.8.8f7b7Echo
            Jul 21, 2024 06:22:56.824578047 CEST8.8.8.8192.168.2.6ffb7Echo Reply
            Jul 21, 2024 06:22:57.706099987 CEST192.168.2.68.8.8.8f7b6Echo
            Jul 21, 2024 06:22:57.712512016 CEST8.8.8.8192.168.2.6ffb6Echo Reply
            Jul 21, 2024 06:23:01.719693899 CEST192.168.2.68.8.8.8f7b5Echo
            Jul 21, 2024 06:23:01.728126049 CEST8.8.8.8192.168.2.6ffb5Echo Reply
            Jul 21, 2024 06:23:05.734798908 CEST192.168.2.68.8.8.8f7b4Echo
            Jul 21, 2024 06:23:05.741158009 CEST8.8.8.8192.168.2.6ffb4Echo Reply
            Jul 21, 2024 06:23:09.749598026 CEST192.168.2.68.8.8.8f7b3Echo
            Jul 21, 2024 06:23:09.756023884 CEST8.8.8.8192.168.2.6ffb3Echo Reply
            Jul 21, 2024 06:23:14.505500078 CEST192.168.2.68.8.8.8f7b2Echo
            Jul 21, 2024 06:23:14.511959076 CEST8.8.8.8192.168.2.6ffb2Echo Reply
            Jul 21, 2024 06:23:18.517858982 CEST192.168.2.68.8.8.8f7b1Echo
            Jul 21, 2024 06:23:18.524082899 CEST8.8.8.8192.168.2.6ffb1Echo Reply
            Jul 21, 2024 06:23:22.533535004 CEST192.168.2.68.8.8.8f7b0Echo
            Jul 21, 2024 06:23:22.540052891 CEST8.8.8.8192.168.2.6ffb0Echo Reply
            Jul 21, 2024 06:23:26.549236059 CEST192.168.2.68.8.8.8f7afEcho
            Jul 21, 2024 06:23:26.555855036 CEST8.8.8.8192.168.2.6ffafEcho Reply
            Jul 21, 2024 06:23:30.564670086 CEST192.168.2.68.8.8.8f7aeEcho
            Jul 21, 2024 06:23:30.571235895 CEST8.8.8.8192.168.2.6ffaeEcho Reply
            Jul 21, 2024 06:23:34.580308914 CEST192.168.2.68.8.8.8f7adEcho
            Jul 21, 2024 06:23:34.587547064 CEST8.8.8.8192.168.2.6ffadEcho Reply
            Jul 21, 2024 06:23:38.596143007 CEST192.168.2.68.8.8.8f7acEcho
            Jul 21, 2024 06:23:38.602739096 CEST8.8.8.8192.168.2.6ffacEcho Reply
            Jul 21, 2024 06:23:42.612771988 CEST192.168.2.68.8.8.8f7abEcho
            Jul 21, 2024 06:23:42.619174957 CEST8.8.8.8192.168.2.6ffabEcho Reply
            Jul 21, 2024 06:23:46.627242088 CEST192.168.2.68.8.8.8f7aaEcho
            Jul 21, 2024 06:23:46.633682966 CEST8.8.8.8192.168.2.6ffaaEcho Reply
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Jul 21, 2024 06:19:17.013885021 CEST | 192.168.2.6 | 1.1.1.1 | 0x61e | Standard query (0) | skm.idmelon.com | A (IP address) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Jul 21, 2024 06:19:17.059649944 CEST | 1.1.1.1 | 192.168.2.6 | 0x61e | No error (0) | skm.idmelon.com | k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com | (none) | CNAME (Canonical name) | IN (0x0001) | false
            Jul 21, 2024 06:19:17.059649944 CEST | 1.1.1.1 | 192.168.2.6 | 0x61e | No error (0) | k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com | (none) | 52.35.62.19 | A (IP address) | IN (0x0001) | false
            Jul 21, 2024 06:19:17.059649944 CEST | 1.1.1.1 | 192.168.2.6 | 0x61e | No error (0) | k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com | (none) | 52.88.128.255 | A (IP address) | IN (0x0001) | false
            Jul 21, 2024 06:19:17.059649944 CEST | 1.1.1.1 | 192.168.2.6 | 0x61e | No error (0) | k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com | (none) | 34.214.245.150 | A (IP address) | IN (0x0001) | false
            • skm.idmelon.com
            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.6 | 49714 | 52.35.62.19 | 443 | 3924 | C:\Program Files (x86)\IDmelon\Accesskey\Service.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-07-21 04:19:21 UTC | 318 | OUT | POST /apis/access-key-cli/v1/apps HTTP/1.1
            Accept: application/json, text/json, text/x-json, text/javascript, application/xml, text/xml
            User-Agent: RestSharp/110.2.0.0
            Content-Type: application/json
            Host: skm.idmelon.com
            Content-Length: 348
            Expect: 100-continue
            Accept-Encoding: gzip
            Connection: Keep-Alive
            2024-07-21 04:19:21 UTC | 25 | IN | HTTP/1.1 100 Continue
            2024-07-21 04:19:21 UTC | 348 | OUT | Data Raw: 7b 22 75 6e 69 71 75 65 49 64 22 3a 22 41 42 41 4b 41 52 39 53 45 32 58 31 31 53 46 39 39 33 44 36 45 33 44 35 53 4d 43 4d 34 53 37 52 57 43 39 59 48 51 54 31 39 4b 34 52 44 30 39 4d 53 4a 31 47 22 2c 22 6f 73 22 3a 7b 22 6e 61 6d 65 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 31 39 30 34 35 22 7d 2c 22 61 70 70 76 65 72 73 69 6f 6e 22 3a 22 32 2e 37 2e 30 2e 30 22 2c 22 50 43 4e 61 6d 65 22 3a 22 36 30 39 32 39 30 22 2c 22 75 73 65 72 4e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 64 65 76 69 63 65 49 64 22 3a 6e 75 6c 6c 2c 22 70 75 62 6c 69 63 4b 65 79 22 3a 22 30 34 64 66 35 30 66 35 65 30 36 38 33 37 36 64 39 34 36 30 37 35 33 62 62 65 33 64 66 35 65 35 32 35 62 66 32 37 37
            Data Ascii: {"uniqueId":"ABAKAR9SE2X11SF993D6E3D5SMCM4S7RWC9YHQT19K4RD09MSJ1G","os":{"name":"Microsoft Windows 10 Pro","version":"19045"},"appversion":"2.7.0.0","PCName":"609290","userName":"SYSTEM","deviceId":null,"publicKey":"04df50f5e068376d9460753bbe3df5e525bf277
            2024-07-21 04:19:22 UTC | 1788 | IN | HTTP/1.1 200 OK
            Date: Sun, 21 Jul 2024 04:19:22 GMT
            Content-Type: application/json; charset=utf-8
            Content-Length: 496
            Connection: close
            Set-Cookie: AWSALB=ux5jysVI5EyRb43xV9ZqhBorqRgiXUmy6j5u1S+CSsxx6CU66R5ilrORWMn3N5vj341dP0MsZa6Xva/GmETqwHgGNBzxlZiYIQTktBpvpCRuVnZEVZfkIBTjN8ML; Expires=Sun, 28 Jul 2024 04:19:21 GMT; Path=/
            Set-Cookie: AWSALBCORS=ux5jysVI5EyRb43xV9ZqhBorqRgiXUmy6j5u1S+CSsxx6CU66R5ilrORWMn3N5vj341dP0MsZa6Xva/GmETqwHgGNBzxlZiYIQTktBpvpCRuVnZEVZfkIBTjN8ML; Expires=Sun, 28 Jul 2024 04:19:21 GMT; Path=/; SameSite=None; Secure
            Access-Control-Allow-Origin: *
            Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
            Cross-Origin-Opener-Policy: same-origin
            Cross-Origin-Resource-Policy: same-origin
            Origin-Agent-Cluster: ?1
            Referrer-Policy: no-referrer
            Strict-Transport-Security: max-age=15552000; includeSubDomains
            X-Content-Type-Options: nosniff
            X-DNS-Prefetch-Control: off
            X-Download-Options: noopen
            X-Frame-Options: SAMEORIGIN
            X-Permitted-Cross-Domain-Policies: none
            X-XSS-Protection: 0
            ETag: W/"1f0-z6pzybpKsAKBHkR0jSKjNrTB6Ro"
            {"appId":"669c8c4a91be90000824894f","PCName":"609290","ip":"8.46.123.33","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7ImNyZWF0ZWRBdCI6MTcyMTUzNTU2MjA5NiwiX2lkIjoiNjY5YzhjNGE5MWJlOTAwMDA4MjQ4OTRmIn0sImlwIjoiOC40Ni4xMjMuMzMiLCJ1c2VyQWdlbnQiOiJSZXN0U2hhcnAvMTEwLjIuMC4wIiwiaWF0IjoxNzIxNTM1NTYyfQ.nsEXp9agIX74VUsYZvN2h7bn98SMfowVdHYKX_Yjr5U","publicKey":"04e9eb453c25eae85d95d80c9da3fab816a82a875b60feb6aebfa76ca79bfef88849b7732865d71b34da823f536a431bb4385a9c645c66cd27afbc3ea0049a552a"}

            Target ID:0
            Start time:00:19:03
            Start date:21/07/2024
            Path:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"
            Imagebase:0x400000
            File size:32'784'232 bytes
            MD5 hash:C0D645827131AC1166DBE06D45511323
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:00:19:09
            Start date:21/07/2024
            Path:C:\Windows\SysWOW64\setx.exe
            Wow64 process (32bit):true
            Commandline:setx /M IDmelonMode access-key
            Imagebase:0xc0000
            File size:46'592 bytes
            MD5 hash:5B700BC00E451033B2F9EEF349A91D1C
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:3
            Start time:00:19:09
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:00:19:10
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyService "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe"
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 14%, ReversingLabs
            Reputation:low
            Has exited:true

            Target ID:5
            Start time:00:19:10
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:6
            Start time:00:19:10
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Application "C:\Program Files (x86)\IDmelon\Accesskey"\Service.exe
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:7
            Start time:00:19:10
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:8
            Start time:00:19:11
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey"
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:9
            Start time:00:19:11
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:10
            Start time:00:19:11
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log"
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:11
            Start time:00:19:11
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:12
            Start time:00:19:11
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log"
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:13
            Start time:00:19:11
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:14
            Start time:00:19:11
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Description "Coordinates the communications for using IDmelon solution as a roaming authenticator"
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:15
            Start time:00:19:11
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:16
            Start time:00:19:12
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdoutCreationDisposition 4
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:17
            Start time:00:19:12
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:18
            Start time:00:19:12
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderrCreationDisposition 4
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:19
            Start time:00:19:12
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:20
            Start time:00:19:12
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateFiles 1
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:21
            Start time:00:19:12
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:22
            Start time:00:19:12
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateOnline 0
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:23
            Start time:00:19:13
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:24
            Start time:00:19:13
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateSeconds 14400
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:25
            Start time:00:19:13
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:26
            Start time:00:19:13
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateBytes 5000000
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:27
            Start time:00:19:13
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:28
            Start time:00:19:13
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Start SERVICE_AUTO_START
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:29
            Start time:00:19:13
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:30
            Start time:00:19:13
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" restart AccesskeyService
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:31
            Start time:00:19:14
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:32
            Start time:00:19:14
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe"
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:false

            Target ID:33
            Start time:00:19:14
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:34
            Start time:00:19:14
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\Service.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\Service.exe"
            Imagebase:0x20899550000
            File size:165'928 bytes
            MD5 hash:9E99F6F2DC43830D3959E55EDDDDB422
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 0%, ReversingLabs
            Has exited:false

            Target ID:35
            Start time:00:19:14
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:false

            Target ID:36
            Start time:00:19:15
            Start date:21/07/2024
            Path:C:\Windows\System32\dsregcmd.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\dsregcmd.exe" /status
            Imagebase:0x7ff70c820000
            File size:468'992 bytes
            MD5 hash:866989AA656CF67780143376C12DF510
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:37
            Start time:00:19:16
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" status AccesskeyService
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:38
            Start time:00:19:16
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:39
            Start time:00:19:16
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" start AccesskeyService
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:40
            Start time:00:19:16
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:41
            Start time:00:19:16
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccesskeyHid
            Imagebase:0x7ff7df230000
            File size:83'456 bytes
            MD5 hash:6EA4F64D02AE236A6B60E5E665079A89
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 0%, ReversingLabs
            Has exited:true

            Target ID:42
            Start time:00:19:16
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:43
            Start time:00:19:16
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccessKeyFidoVhid
            Imagebase:0x7ff7df230000
            File size:83'456 bytes
            MD5 hash:6EA4F64D02AE236A6B60E5E665079A89
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:44
            Start time:00:19:16
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:45
            Start time:00:19:17
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" install "C:\Program Files (x86)\IDmelon\Accesskey\driver\accesskeyfidovhid.inf" root\AccessKeyFidoVhid
            Imagebase:0x7ff7df230000
            File size:83'456 bytes
            MD5 hash:6EA4F64D02AE236A6B60E5E665079A89
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:46
            Start time:00:19:17
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:47
            Start time:00:19:18
            Start date:21/07/2024
            Path:C:\Windows\System32\svchost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
            Imagebase:0x7ff7403e0000
            File size:55'320 bytes
            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:48
            Start time:00:19:18
            Start date:21/07/2024
            Path:C:\Windows\System32\drvinst.exe
            Wow64 process (32bit):false
            Commandline:DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{0721629b-1bca-ab45-b3d8-6d54ebfa50a2}\accesskeyfidovhid.inf" "9" "4196477d7" "000000000000015C" "WinSta0\Default" "0000000000000164" "208" "c:\program files (x86)\idmelon\accesskey\driver"
            Imagebase:0x7ff68b140000
            File size:337'920 bytes
            MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:49
            Start time:00:19:19
            Start date:21/07/2024
            Path:C:\Windows\System32\drvinst.exe
            Wow64 process (32bit):false
            Commandline:DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:50ab71fe221ae399:AccessKeyFidoVhid:21.4.53.488:root\accesskeyfidovhid," "4196477d7" "000000000000017C"
            Imagebase:0x7ff68b140000
            File size:337'920 bytes
            MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:50
            Start time:00:19:20
            Start date:21/07/2024
            Path:C:\Windows\System32\drivers\WUDFRd.sys
            Wow64 process (32bit):
            Commandline:
            Imagebase:
            File size:315'392 bytes
            MD5 hash:0B7A5464602DA68DA6BEFC2A1B5BE4C5
            Has elevated privileges:
            Has administrator privileges:
            Programmed in:C, C++ or other language
            Has exited:false

            Target ID:51
            Start time:00:19:20
            Start date:21/07/2024
            Path:C:\Windows\System32\drivers\mshidumdf.sys
            Wow64 process (32bit):
            Commandline:
            Imagebase:
            File size:12'288 bytes
            MD5 hash:9E90FE6DF363D2427A5C773120E7B27D
            Has elevated privileges:
            Has administrator privileges:
            Programmed in:C, C++ or other language
            Has exited:false

            Target ID:52
            Start time:00:19:20
            Start date:21/07/2024
            Path:C:\Windows\System32\WUDFHost.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-97f4f2de-0b6d-4708-9672-29cbfafe41c2 -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-ed4957c4-0381-42c5-b015-dd634ba9f208 -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-6f2c6ea5-0b65-4a5a-8a6d-a02cb8e867d5 -NonStateChangingEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-d0cce0e5-6853-4eca-8ea9-ec55e74c196f -LifetimeId:46a3174a-9ab4-4718-a9ea-f0f3d3c57b11 -DeviceGroupId:WudfDefaultDevicePool -HostArg:0
            Imagebase:0x7ff7df2d0000
            File size:271'872 bytes
            MD5 hash:00E2EF3D2C9309CA4135195A049CC79C
            Has elevated privileges:true
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:false

            Target ID:53
            Start time:00:19:21
            Start date:21/07/2024
            Path:C:\Windows\System32\drvinst.exe
            Wow64 process (32bit):false
            Commandline:DrvInst.exe "1" "0" "HID\HIDCLASS\1&2d595ca7&0&0000" "" "" "4eeb73e57" "0000000000000000"
            Imagebase:0x7ff68b140000
            File size:337'920 bytes
            MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:55
            Start time:00:19:22
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyReaderService "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe"
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:56
            Start time:00:19:22
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:57
            Start time:00:19:22
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService Application "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe"
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:58
            Start time:00:19:22
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:59
            Start time:00:19:22
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader"
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:60
            Start time:00:19:22
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7403e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:61
            Start time:00:19:23
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\service_logs.log"
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:62
            Start time:00:19:23
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:65
            Start time:00:19:23
            Start date:21/07/2024
            Path:C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\service_logs.log"
            Imagebase:0x140000000
            File size:373'288 bytes
            MD5 hash:17DE7869B1B721B3FFF9DBE111CAAFF8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:66
            Start time:00:19:23
            Start date:21/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true


              Execution Graph

              Execution Coverage:29.4%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:16.6%
              Total number of Nodes:1353
              Total number of Limit Nodes:45
3219->3176 3221 405ea0 3220->3221 3222 405eb2 3221->3222 3223 405ea6 CharPrevW 3221->3223 3222->3180 3223->3221 3223->3222 3224->3203 3237 406042 GetFileAttributesW 3225->3237 3228 405c68 3228->3203 3229 405c56 RemoveDirectoryW 3231 405c64 3229->3231 3230 405c5e DeleteFileW 3230->3231 3231->3228 3232 405c74 SetFileAttributesW 3231->3232 3232->3228 3234 405e62 lstrcatW 3233->3234 3235 405e11 3233->3235 3234->3235 3235->3189 3236->3207 3238 405c47 3237->3238 3239 406054 SetFileAttributesW 3237->3239 3238->3228 3238->3229 3238->3230 3239->3238 4075 404666 lstrlenW 4076 404685 4075->4076 4077 404687 WideCharToMultiByte 4075->4077 4076->4077 4078 4049e7 4079 404a13 4078->4079 4080 404a24 4078->4080 4139 405bbb GetDlgItemTextW 4079->4139 4082 404a30 GetDlgItem 4080->4082 4114 404a8f 4080->4114 4086 404a44 4082->4086 4083 404a1e 4084 406825 5 API calls 4083->4084 4084->4080 4085 404a58 SetWindowTextW 4091 4044f6 22 API calls 4085->4091 4086->4085 4090 405ef1 4 API calls 4086->4090 4087 404d22 4089 40455d 8 API calls 4087->4089 4094 404d36 4089->4094 4095 404a4e 4090->4095 4096 404a74 4091->4096 4092 4065b4 21 API calls 4097 404b03 SHBrowseForFolderW 4092->4097 4093 404ba3 4098 405f4e 18 API calls 4093->4098 4095->4085 4105 405e46 3 API calls 4095->4105 4099 4044f6 22 API calls 4096->4099 4100 404b73 4097->4100 4101 404b1b CoTaskMemFree 4097->4101 4102 404ba9 4098->4102 4103 404a82 4099->4103 4100->4087 4141 405bbb GetDlgItemTextW 4100->4141 4104 405e46 3 API calls 4101->4104 4142 406577 lstrcpynW 4102->4142 4140 40452b SendMessageW 4103->4140 4107 404b28 4104->4107 4105->4085 4110 404b5f SetDlgItemTextW 4107->4110 4115 4065b4 21 API calls 4107->4115 4109 404a88 4112 40696b 5 API calls 4109->4112 4110->4100 4111 404bc0 4113 40696b 5 API calls 4111->4113 4112->4114 4122 404bc7 4113->4122 4114->4087 4114->4092 4114->4100 4116 404b47 lstrcmpiW 4115->4116 4116->4110 4119 404b58 lstrcatW 4116->4119 4117 404c08 4143 406577 lstrcpynW 4117->4143 4119->4110 4120 404c0f 4121 405ef1 
4 API calls 4120->4121 4123 404c15 GetDiskFreeSpaceW 4121->4123 4122->4117 4126 405e92 2 API calls 4122->4126 4128 404c60 4122->4128 4125 404c39 MulDiv 4123->4125 4123->4128 4125->4128 4126->4122 4127 404cd1 4130 404cf4 4127->4130 4132 40140b 2 API calls 4127->4132 4128->4127 4129 404e6c 24 API calls 4128->4129 4131 404cbe 4129->4131 4144 404518 KiUserCallbackDispatcher 4130->4144 4133 404cd3 SetDlgItemTextW 4131->4133 4134 404cc3 4131->4134 4132->4130 4133->4127 4137 404da3 24 API calls 4134->4137 4136 404d10 4136->4087 4145 404940 4136->4145 4137->4127 4139->4083 4140->4109 4141->4093 4142->4111 4143->4120 4144->4136 4146 404953 SendMessageW 4145->4146 4147 40494e 4145->4147 4146->4087 4147->4146 3244 401c68 3245 402da9 21 API calls 3244->3245 3246 401c6f 3245->3246 3247 402da9 21 API calls 3246->3247 3248 401c7c 3247->3248 3249 401c91 3248->3249 3250 402dcb 21 API calls 3248->3250 3251 401ca1 3249->3251 3252 402dcb 21 API calls 3249->3252 3250->3249 3253 401cf8 3251->3253 3254 401cac 3251->3254 3252->3251 3255 402dcb 21 API calls 3253->3255 3256 402da9 21 API calls 3254->3256 3257 401cfd 3255->3257 3258 401cb1 3256->3258 3259 402dcb 21 API calls 3257->3259 3260 402da9 21 API calls 3258->3260 3261 401d06 FindWindowExW 3259->3261 3262 401cbd 3260->3262 3265 401d28 3261->3265 3263 401ce8 SendMessageW 3262->3263 3264 401cca SendMessageTimeoutW 3262->3264 3263->3265 3264->3265 4148 4028e9 4149 4028ef 4148->4149 4150 4028f7 FindClose 4149->4150 4151 402c4f 4149->4151 4150->4151 3288 403b6f 3289 403b87 3288->3289 3290 403b79 CloseHandle 3288->3290 3295 403bb4 3289->3295 3290->3289 3293 405c83 71 API calls 3294 403b98 3293->3294 3296 403bc2 3295->3296 3297 403bc7 FreeLibrary GlobalFree 3296->3297 3298 403b8c 3296->3298 3297->3297 3297->3298 3298->3293 4152 405570 4153 405580 4152->4153 4154 405594 4152->4154 4155 405586 4153->4155 4156 4055dd 4153->4156 4157 40559c IsWindowVisible 4154->4157 4163 4055b3 4154->4163 4158 404542 SendMessageW 4155->4158 4160 4055e2 
CallWindowProcW 4156->4160 4157->4156 4159 4055a9 4157->4159 4161 405590 4158->4161 4162 404eb1 5 API calls 4159->4162 4160->4161 4162->4163 4163->4160 4164 404f31 4 API calls 4163->4164 4164->4156 4165 4016f1 4166 402dcb 21 API calls 4165->4166 4167 4016f7 GetFullPathNameW 4166->4167 4168 401711 4167->4168 4169 401733 4167->4169 4168->4169 4172 4068d4 2 API calls 4168->4172 4170 401748 GetShortPathNameW 4169->4170 4171 402c4f 4169->4171 4170->4171 4173 401723 4172->4173 4173->4169 4175 406577 lstrcpynW 4173->4175 4175->4169 4176 401e73 GetDC 4177 402da9 21 API calls 4176->4177 4178 401e85 GetDeviceCaps MulDiv ReleaseDC 4177->4178 4179 402da9 21 API calls 4178->4179 4180 401eb6 4179->4180 4181 4065b4 21 API calls 4180->4181 4182 401ef3 CreateFontIndirectW 4181->4182 4183 40265d 4182->4183 3632 402975 3633 402dcb 21 API calls 3632->3633 3634 402981 3633->3634 3635 402997 3634->3635 3636 402dcb 21 API calls 3634->3636 3637 406042 2 API calls 3635->3637 3636->3635 3638 40299d 3637->3638 3660 406067 GetFileAttributesW CreateFileW 3638->3660 3640 4029aa 3641 402a60 3640->3641 3642 4029c5 GlobalAlloc 3640->3642 3643 402a48 3640->3643 3644 402a67 DeleteFileW 3641->3644 3645 402a7a 3641->3645 3642->3643 3646 4029de 3642->3646 3647 4032d9 35 API calls 3643->3647 3644->3645 3661 40350a SetFilePointer 3646->3661 3649 402a55 CloseHandle 3647->3649 3649->3641 3650 4029e4 3651 4034f4 ReadFile 3650->3651 3652 4029ed GlobalAlloc 3651->3652 3653 402a31 3652->3653 3654 4029fd 3652->3654 3656 406119 WriteFile 3653->3656 3655 4032d9 35 API calls 3654->3655 3659 402a0a 3655->3659 3657 402a3d GlobalFree 3656->3657 3657->3643 3658 402a28 GlobalFree 3658->3653 3659->3658 3660->3640 3661->3650 4184 4014f5 SetForegroundWindow 4185 402c4f 4184->4185 3672 403ff7 3673 404170 3672->3673 3674 40400f 3672->3674 3676 404181 GetDlgItem GetDlgItem 3673->3676 3677 4041c1 3673->3677 3674->3673 3675 40401b 3674->3675 3678 404026 SetWindowPos 3675->3678 3679 404039 3675->3679 3680 4044f6 22 API calls 
3676->3680 3681 40421b 3677->3681 3691 401389 2 API calls 3677->3691 3678->3679 3683 404042 ShowWindow 3679->3683 3684 404084 3679->3684 3685 4041ab SetClassLongW 3680->3685 3682 404542 SendMessageW 3681->3682 3698 40416b 3681->3698 3713 40422d 3682->3713 3686 404062 GetWindowLongW 3683->3686 3687 40412e 3683->3687 3688 4040a3 3684->3688 3689 40408c DestroyWindow 3684->3689 3690 40140b 2 API calls 3685->3690 3686->3687 3693 40407b ShowWindow 3686->3693 3752 40455d 3687->3752 3694 4040a8 SetWindowLongW 3688->3694 3695 4040b9 3688->3695 3742 40447f 3689->3742 3690->3677 3696 4041f3 3691->3696 3693->3684 3694->3698 3695->3687 3701 4040c5 GetDlgItem 3695->3701 3696->3681 3697 4041f7 SendMessageW 3696->3697 3697->3698 3699 40140b 2 API calls 3699->3713 3700 404481 DestroyWindow KiUserCallbackDispatcher 3700->3742 3703 4040f3 3701->3703 3704 4040d6 SendMessageW IsWindowEnabled 3701->3704 3702 4044b0 ShowWindow 3702->3698 3706 404100 3703->3706 3707 404147 SendMessageW 3703->3707 3708 404113 3703->3708 3716 4040f8 3703->3716 3704->3698 3704->3703 3705 4065b4 21 API calls 3705->3713 3706->3707 3706->3716 3707->3687 3711 404130 3708->3711 3712 40411b 3708->3712 3710 4044f6 22 API calls 3710->3713 3715 40140b 2 API calls 3711->3715 3714 40140b 2 API calls 3712->3714 3713->3698 3713->3699 3713->3700 3713->3705 3713->3710 3733 4043c1 DestroyWindow 3713->3733 3743 4044f6 3713->3743 3714->3716 3715->3716 3716->3687 3749 4044cf 3716->3749 3718 4042a8 GetDlgItem 3719 4042c5 ShowWindow KiUserCallbackDispatcher 3718->3719 3720 4042bd 3718->3720 3746 404518 KiUserCallbackDispatcher 3719->3746 3720->3719 3722 4042ef KiUserCallbackDispatcher 3727 404303 3722->3727 3723 404308 GetSystemMenu EnableMenuItem SendMessageW 3724 404338 SendMessageW 3723->3724 3723->3727 3724->3727 3726 403fd8 22 API calls 3726->3727 3727->3723 3727->3726 3747 40452b SendMessageW 3727->3747 3748 406577 lstrcpynW 3727->3748 3729 404367 lstrlenW 3730 4065b4 21 API calls 3729->3730 3731 40437d SetWindowTextW 
3730->3731 3732 401389 2 API calls 3731->3732 3732->3713 3734 4043db CreateDialogParamW 3733->3734 3733->3742 3735 40440e 3734->3735 3734->3742 3736 4044f6 22 API calls 3735->3736 3737 404419 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3736->3737 3738 401389 2 API calls 3737->3738 3739 40445f 3738->3739 3739->3698 3740 404467 ShowWindow 3739->3740 3741 404542 SendMessageW 3740->3741 3741->3742 3742->3698 3742->3702 3744 4065b4 21 API calls 3743->3744 3745 404501 SetDlgItemTextW 3744->3745 3745->3718 3746->3722 3747->3727 3748->3729 3750 4044d6 3749->3750 3751 4044dc SendMessageW 3749->3751 3750->3751 3751->3687 3753 404575 GetWindowLongW 3752->3753 3763 404620 3752->3763 3754 40458a 3753->3754 3753->3763 3755 4045b7 GetSysColor 3754->3755 3756 4045ba 3754->3756 3754->3763 3755->3756 3757 4045c0 SetTextColor 3756->3757 3758 4045ca SetBkMode 3756->3758 3757->3758 3759 4045e2 GetSysColor 3758->3759 3760 4045e8 3758->3760 3759->3760 3761 4045f9 3760->3761 3762 4045ef SetBkColor 3760->3762 3761->3763 3764 404613 CreateBrushIndirect 3761->3764 3765 40460c DeleteObject 3761->3765 3762->3761 3763->3698 3764->3763 3765->3764 4186 40197b 4187 402dcb 21 API calls 4186->4187 4188 401982 lstrlenW 4187->4188 4189 40265d 4188->4189 3850 4020fd 3851 4021c1 3850->3851 3852 40210f 3850->3852 3855 401423 28 API calls 3851->3855 3853 402dcb 21 API calls 3852->3853 3854 402116 3853->3854 3856 402dcb 21 API calls 3854->3856 3861 40231b 3855->3861 3857 40211f 3856->3857 3858 402135 LoadLibraryExW 3857->3858 3859 402127 GetModuleHandleW 3857->3859 3858->3851 3860 402146 3858->3860 3859->3858 3859->3860 3870 4069da 3860->3870 3864 402190 3865 4055fc 28 API calls 3864->3865 3868 402167 3865->3868 3866 402157 3867 401423 28 API calls 3866->3867 3866->3868 3867->3868 3868->3861 3869 4021b3 FreeLibrary 3868->3869 3869->3861 3875 406599 WideCharToMultiByte 3870->3875 3872 4069f7 3873 402151 3872->3873 3874 4069fe GetProcAddress 3872->3874 3873->3864 3873->3866 3874->3873 3875->3872 
4190 402b7e 4191 402bd0 4190->4191 4192 402b85 4190->4192 4193 40696b 5 API calls 4191->4193 4194 402bce 4192->4194 4196 402da9 21 API calls 4192->4196 4195 402bd7 4193->4195 4197 402dcb 21 API calls 4195->4197 4198 402b93 4196->4198 4199 402be0 4197->4199 4200 402da9 21 API calls 4198->4200 4199->4194 4201 402be4 IIDFromString 4199->4201 4203 402b9f 4200->4203 4201->4194 4202 402bf3 4201->4202 4202->4194 4208 406577 lstrcpynW 4202->4208 4207 4064be wsprintfW 4203->4207 4205 402c10 CoTaskMemFree 4205->4194 4207->4194 4208->4205 4209 401000 4210 401037 BeginPaint GetClientRect 4209->4210 4212 40100c DefWindowProcW 4209->4212 4213 4010f3 4210->4213 4214 401179 4212->4214 4215 401073 CreateBrushIndirect FillRect DeleteObject 4213->4215 4216 4010fc 4213->4216 4215->4213 4217 401102 CreateFontIndirectW 4216->4217 4218 401167 EndPaint 4216->4218 4217->4218 4219 401112 6 API calls 4217->4219 4218->4214 4219->4218 3107 401781 3108 402dcb 21 API calls 3107->3108 3109 401788 3108->3109 3113 406096 3109->3113 3111 40178f 3112 406096 2 API calls 3111->3112 3112->3111 3114 4060a3 GetTickCount GetTempFileNameW 3113->3114 3115 4060dd 3114->3115 3116 4060d9 3114->3116 3115->3111 3116->3114 3116->3115 4220 401d82 4221 402da9 21 API calls 4220->4221 4222 401d93 SetWindowLongW 4221->4222 4223 402c4f 4222->4223 3117 401f03 3125 402da9 3117->3125 3119 401f09 3120 402da9 21 API calls 3119->3120 3121 401f15 3120->3121 3122 401f21 ShowWindow 3121->3122 3123 401f2c EnableWindow 3121->3123 3124 402c4f 3122->3124 3123->3124 3126 4065b4 21 API calls 3125->3126 3127 402dbe 3126->3127 3127->3119 4224 401503 4225 401508 4224->4225 4227 40152e 4224->4227 4226 402da9 21 API calls 4225->4226 4226->4227 4228 402903 4229 40290b 4228->4229 4230 40290f FindNextFileW 4229->4230 4233 402921 4229->4233 4231 402968 4230->4231 4230->4233 4234 406577 lstrcpynW 4231->4234 4234->4233 4235 403c07 4236 403c12 4235->4236 4237 403c19 GlobalAlloc 4236->4237 4238 403c16 4236->4238 4237->4238 4239 401588 4240 402bc9 
4239->4240 4243 4064be wsprintfW 4240->4243 4242 402bce 4243->4242 4244 40198d 4245 402da9 21 API calls 4244->4245 4246 401994 4245->4246 4247 402da9 21 API calls 4246->4247 4248 4019a1 4247->4248 4249 402dcb 21 API calls 4248->4249 4250 4019b8 lstrlenW 4249->4250 4251 4019c9 4250->4251 4252 401a0a 4251->4252 4256 406577 lstrcpynW 4251->4256 4254 4019fa 4254->4252 4255 4019ff lstrlenW 4254->4255 4255->4252 4256->4254 4257 40168f 4258 402dcb 21 API calls 4257->4258 4259 401695 4258->4259 4260 4068d4 2 API calls 4259->4260 4261 40169b 4260->4261 4262 402b10 4263 402da9 21 API calls 4262->4263 4264 402b16 4263->4264 4265 4065b4 21 API calls 4264->4265 4266 402953 4264->4266 4265->4266 4267 402711 4268 402da9 21 API calls 4267->4268 4275 402720 4268->4275 4269 40276a ReadFile 4269->4275 4279 40285d 4269->4279 4270 4060ea ReadFile 4270->4275 4271 4027aa MultiByteToWideChar 4271->4275 4272 40285f 4280 4064be wsprintfW 4272->4280 4273 406148 5 API calls 4273->4275 4275->4269 4275->4270 4275->4271 4275->4272 4275->4273 4276 4027d0 SetFilePointer MultiByteToWideChar 4275->4276 4277 402870 4275->4277 4275->4279 4276->4275 4278 402891 SetFilePointer 4277->4278 4277->4279 4278->4279 4280->4279 4281 401491 4282 4055fc 28 API calls 4281->4282 4283 401498 4282->4283 3591 401794 3592 402dcb 21 API calls 3591->3592 3593 40179b 3592->3593 3594 4017c3 3593->3594 3595 4017bb 3593->3595 3631 406577 lstrcpynW 3594->3631 3630 406577 lstrcpynW 3595->3630 3598 4017ce 3600 405e46 3 API calls 3598->3600 3599 4017c1 3602 406825 5 API calls 3599->3602 3601 4017d4 lstrcatW 3600->3601 3601->3599 3615 4017e0 3602->3615 3603 4068d4 2 API calls 3603->3615 3605 406042 2 API calls 3605->3615 3606 4017f2 CompareFileTime 3606->3615 3607 4018b2 3608 4055fc 28 API calls 3607->3608 3611 4018bc 3608->3611 3609 4055fc 28 API calls 3612 40189e 3609->3612 3610 406577 lstrcpynW 3610->3615 3613 4032d9 35 API calls 3611->3613 3614 4018cf 3613->3614 3616 4018e3 SetFileTime 3614->3616 3618 4018f5 
FindCloseChangeNotification 3614->3618 3615->3603 3615->3605 3615->3606 3615->3607 3615->3610 3617 4065b4 21 API calls 3615->3617 3626 405bd7 MessageBoxIndirectW 3615->3626 3628 401889 3615->3628 3629 406067 GetFileAttributesW CreateFileW 3615->3629 3616->3618 3617->3615 3618->3612 3619 401906 3618->3619 3620 40190b 3619->3620 3621 40191e 3619->3621 3622 4065b4 21 API calls 3620->3622 3623 4065b4 21 API calls 3621->3623 3624 401913 lstrcatW 3622->3624 3625 401926 3623->3625 3624->3625 3627 405bd7 MessageBoxIndirectW 3625->3627 3626->3615 3627->3612 3628->3609 3628->3612 3629->3615 3630->3599 3631->3598 4284 401a97 4285 402da9 21 API calls 4284->4285 4286 401aa0 4285->4286 4287 402da9 21 API calls 4286->4287 4288 401a45 4287->4288 4289 401598 4290 4015b1 4289->4290 4291 4015a8 ShowWindow 4289->4291 4292 4015bf ShowWindow 4290->4292 4293 402c4f 4290->4293 4291->4290 4292->4293 4294 402419 4295 402dcb 21 API calls 4294->4295 4296 402428 4295->4296 4297 402dcb 21 API calls 4296->4297 4298 402431 4297->4298 4299 402dcb 21 API calls 4298->4299 4300 40243b GetPrivateProfileStringW 4299->4300 4301 40201b 4302 402dcb 21 API calls 4301->4302 4303 402022 4302->4303 4304 4068d4 2 API calls 4303->4304 4305 402028 4304->4305 4307 402039 4305->4307 4308 4064be wsprintfW 4305->4308 4308->4307 4309 401b9c 4310 402dcb 21 API calls 4309->4310 4311 401ba3 4310->4311 4312 402da9 21 API calls 4311->4312 4313 401bac wsprintfW 4312->4313 4314 402c4f 4313->4314 4315 40149e 4316 4014ac PostQuitMessage 4315->4316 4317 4023c2 4315->4317 4316->4317 3028 4016a0 3042 402dcb 3028->3042 3031 402dcb 21 API calls 3032 4016b0 3031->3032 3033 402dcb 21 API calls 3032->3033 3034 4016b9 MoveFileW 3033->3034 3035 4016c5 3034->3035 3036 4016cc 3034->3036 3055 401423 3035->3055 3040 40231b 3036->3040 3048 4068d4 FindFirstFileW 3036->3048 3043 402dd7 3042->3043 3044 4065b4 21 API calls 3043->3044 3045 402df8 3044->3045 3046 4016a7 3045->3046 3047 406825 5 API calls 3045->3047 3046->3031 3047->3046 3049 
4016db 3048->3049 3050 4068ea FindClose 3048->3050 3049->3040 3051 406337 MoveFileExW 3049->3051 3050->3049 3052 40634b 3051->3052 3054 406358 3051->3054 3058 4061bd 3052->3058 3054->3035 3096 4055fc 3055->3096 3059 406213 GetShortPathNameW 3058->3059 3060 4061ed 3058->3060 3062 406332 3059->3062 3063 406228 3059->3063 3085 406067 GetFileAttributesW CreateFileW 3060->3085 3062->3054 3063->3062 3065 406230 wsprintfA 3063->3065 3064 4061f7 CloseHandle GetShortPathNameW 3064->3062 3067 40620b 3064->3067 3066 4065b4 21 API calls 3065->3066 3068 406258 3066->3068 3067->3059 3067->3062 3086 406067 GetFileAttributesW CreateFileW 3068->3086 3070 406265 3070->3062 3071 406274 GetFileSize GlobalAlloc 3070->3071 3072 406296 3071->3072 3073 40632b CloseHandle 3071->3073 3087 4060ea ReadFile 3072->3087 3073->3062 3078 4062b5 lstrcpyA 3081 4062d7 3078->3081 3079 4062c9 3080 405fcc 4 API calls 3079->3080 3080->3081 3082 40630e SetFilePointer 3081->3082 3094 406119 WriteFile 3082->3094 3085->3064 3086->3070 3088 406108 3087->3088 3088->3073 3089 405fcc lstrlenA 3088->3089 3090 40600d lstrlenA 3089->3090 3091 405fe6 lstrcmpiA 3090->3091 3093 406015 3090->3093 3092 406004 CharNextA 3091->3092 3091->3093 3092->3090 3093->3078 3093->3079 3095 406137 GlobalFree 3094->3095 3095->3073 3098 405617 3096->3098 3106 401431 3096->3106 3097 405633 lstrlenW 3100 405641 lstrlenW 3097->3100 3101 40565c 3097->3101 3098->3097 3099 4065b4 21 API calls 3098->3099 3099->3097 3102 405653 lstrcatW 3100->3102 3100->3106 3103 405662 SetWindowTextW 3101->3103 3104 40566f 3101->3104 3102->3101 3103->3104 3105 405675 SendMessageW SendMessageW SendMessageW 3104->3105 3104->3106 3105->3106 3106->3040 4318 4049a0 4319 4049b0 4318->4319 4320 4049d6 4318->4320 4321 4044f6 22 API calls 4319->4321 4322 40455d 8 API calls 4320->4322 4323 4049bd SetDlgItemTextW 4321->4323 4324 4049e2 4322->4324 4323->4320 4325 401a24 4326 402dcb 21 API calls 4325->4326 4327 401a2b 4326->4327 4328 402dcb 21 API calls 4327->4328 4329 
401a34 4328->4329 4330 401a3b lstrcmpiW 4329->4330 4331 401a4d lstrcmpW 4329->4331 4332 401a41 4330->4332 4331->4332 4333 402324 4334 402dcb 21 API calls 4333->4334 4335 40232a 4334->4335 4336 402dcb 21 API calls 4335->4336 4337 402333 4336->4337 4338 402dcb 21 API calls 4337->4338 4339 40233c 4338->4339 4340 4068d4 2 API calls 4339->4340 4341 402345 4340->4341 4342 402356 lstrlenW lstrlenW 4341->4342 4343 402349 4341->4343 4345 4055fc 28 API calls 4342->4345 4344 4055fc 28 API calls 4343->4344 4347 402351 4343->4347 4344->4347 4346 402394 SHFileOperationW 4345->4346 4346->4343 4346->4347 4348 401da6 4349 401db9 GetDlgItem 4348->4349 4350 401dac 4348->4350 4352 401db3 4349->4352 4351 402da9 21 API calls 4350->4351 4351->4352 4353 401dfa GetClientRect LoadImageW SendMessageW 4352->4353 4354 402dcb 21 API calls 4352->4354 4356 401e58 4353->4356 4358 401e64 4353->4358 4354->4353 4357 401e5d DeleteObject 4356->4357 4356->4358 4357->4358 4359 4023a8 4360 4023c2 4359->4360 4361 4023af 4359->4361 4362 4065b4 21 API calls 4361->4362 4363 4023bc 4362->4363 4364 405bd7 MessageBoxIndirectW 4363->4364 4364->4360 3266 402c2a SendMessageW 3267 402c44 InvalidateRect 3266->3267 3268 402c4f 3266->3268 3267->3268 4365 40462c lstrcpynW lstrlenW 3299 4024af 3300 402dcb 21 API calls 3299->3300 3301 4024c1 3300->3301 3302 402dcb 21 API calls 3301->3302 3303 4024cb 3302->3303 3316 402e5b 3303->3316 3306 402953 3307 402503 3309 40250f 3307->3309 3311 402da9 21 API calls 3307->3311 3308 402dcb 21 API calls 3310 4024f9 lstrlenW 3308->3310 3312 40252e RegSetValueExW 3309->3312 3320 4032d9 3309->3320 3310->3307 3311->3309 3314 402544 RegCloseKey 3312->3314 3314->3306 3317 402e76 3316->3317 3340 406412 3317->3340 3322 4032f2 3320->3322 3321 403320 3344 4034f4 3321->3344 3322->3321 3347 40350a SetFilePointer 3322->3347 3326 40348d 3329 4034cf 3326->3329 3332 403491 3326->3332 3327 40333d GetTickCount 3328 403477 3327->3328 3336 40338c 3327->3336 3328->3312 3331 4034f4 ReadFile 3329->3331 3330 
4034f4 ReadFile 3330->3336 3331->3328 3332->3328 3333 4034f4 ReadFile 3332->3333 3334 406119 WriteFile 3332->3334 3333->3332 3334->3332 3335 4033e2 GetTickCount 3335->3336 3336->3328 3336->3330 3336->3335 3337 403407 MulDiv wsprintfW 3336->3337 3339 406119 WriteFile 3336->3339 3338 4055fc 28 API calls 3337->3338 3338->3336 3339->3336 3341 406421 3340->3341 3342 4024db 3341->3342 3343 40642c RegCreateKeyExW 3341->3343 3342->3306 3342->3307 3342->3308 3343->3342 3345 4060ea ReadFile 3344->3345 3346 40332b 3345->3346 3346->3326 3346->3327 3346->3328 3347->3321 4366 402930 4367 402dcb 21 API calls 4366->4367 4368 402937 FindFirstFileW 4367->4368 4369 40295f 4368->4369 4373 40294a 4368->4373 4370 402968 4369->4370 4374 4064be wsprintfW 4369->4374 4375 406577 lstrcpynW 4370->4375 4374->4370 4375->4373 4376 401931 4377 401968 4376->4377 4378 402dcb 21 API calls 4377->4378 4379 40196d 4378->4379 4380 405c83 71 API calls 4379->4380 4381 401976 4380->4381 4382 401934 4383 402dcb 21 API calls 4382->4383 4384 40193b 4383->4384 4385 405bd7 MessageBoxIndirectW 4384->4385 4386 401944 4385->4386 4387 4046b5 4389 4047e7 4387->4389 4390 4046cd 4387->4390 4388 404851 4391 40491b 4388->4391 4392 40485b GetDlgItem 4388->4392 4389->4388 4389->4391 4398 404822 GetDlgItem SendMessageW 4389->4398 4393 4044f6 22 API calls 4390->4393 4397 40455d 8 API calls 4391->4397 4394 404875 4392->4394 4395 4048dc 4392->4395 4396 404734 4393->4396 4394->4395 4400 40489b SendMessageW LoadCursorW SetCursor 4394->4400 4395->4391 4401 4048ee 4395->4401 4399 4044f6 22 API calls 4396->4399 4411 404916 4397->4411 4420 404518 KiUserCallbackDispatcher 4398->4420 4404 404741 CheckDlgButton 4399->4404 4421 404964 4400->4421 4406 404904 4401->4406 4407 4048f4 SendMessageW 4401->4407 4403 40484c 4408 404940 SendMessageW 4403->4408 4418 404518 KiUserCallbackDispatcher 4404->4418 4406->4411 4412 40490a SendMessageW 4406->4412 4407->4406 4408->4388 4412->4411 4413 40475f GetDlgItem 4419 40452b SendMessageW 4413->4419 
4415 404775 SendMessageW 4416 404792 GetSysColor 4415->4416 4417 40479b SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4415->4417 4416->4417 4417->4411 4418->4413 4419->4415 4420->4403 4424 405b9d ShellExecuteExW 4421->4424 4423 4048ca LoadCursorW SetCursor 4423->4395 4424->4423 4425 4028b6 4426 4028bd 4425->4426 4429 402bce 4425->4429 4427 402da9 21 API calls 4426->4427 4428 4028c4 4427->4428 4430 4028d3 SetFilePointer 4428->4430 4430->4429 4431 4028e3 4430->4431 4433 4064be wsprintfW 4431->4433 4433->4429 4434 401f37 4435 402dcb 21 API calls 4434->4435 4436 401f3d 4435->4436 4437 402dcb 21 API calls 4436->4437 4438 401f46 4437->4438 4439 402dcb 21 API calls 4438->4439 4440 401f4f 4439->4440 4441 402dcb 21 API calls 4440->4441 4442 401f58 4441->4442 4443 401423 28 API calls 4442->4443 4444 401f5f 4443->4444 4451 405b9d ShellExecuteExW 4444->4451 4446 401fa7 4447 406a16 5 API calls 4446->4447 4449 402953 4446->4449 4448 401fc4 CloseHandle 4447->4448 4448->4449 4451->4446 4452 402fb8 4453 402fe3 4452->4453 4454 402fca SetTimer 4452->4454 4455 403038 4453->4455 4456 402ffd MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4453->4456 4454->4453 4456->4455 4457 4014b8 4458 4014be 4457->4458 4459 401389 2 API calls 4458->4459 4460 4014c6 4459->4460 3801 40573b 3802 4058e5 3801->3802 3803 40575c GetDlgItem GetDlgItem GetDlgItem 3801->3803 3805 405916 3802->3805 3806 4058ee GetDlgItem CreateThread FindCloseChangeNotification 3802->3806 3846 40452b SendMessageW 3803->3846 3808 405941 3805->3808 3810 405966 3805->3810 3811 40592d ShowWindow ShowWindow 3805->3811 3806->3805 3849 4056cf 5 API calls 3806->3849 3807 4057cc 3815 4057d3 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3807->3815 3809 4059a1 3808->3809 3812 405955 3808->3812 3813 40597b ShowWindow 3808->3813 3809->3810 3822 4059af SendMessageW 3809->3822 3814 40455d 8 API calls 3810->3814 3848 40452b SendMessageW 3811->3848 3817 4044cf SendMessageW 3812->3817 3818 40599b 3813->3818 3819 40598d 
3813->3819 3827 405974 3814->3827 3820 405841 3815->3820 3821 405825 SendMessageW SendMessageW 3815->3821 3817->3810 3824 4044cf SendMessageW 3818->3824 3823 4055fc 28 API calls 3819->3823 3825 405854 3820->3825 3826 405846 SendMessageW 3820->3826 3821->3820 3822->3827 3828 4059c8 CreatePopupMenu 3822->3828 3823->3818 3824->3809 3830 4044f6 22 API calls 3825->3830 3826->3825 3829 4065b4 21 API calls 3828->3829 3831 4059d8 AppendMenuW 3829->3831 3832 405864 3830->3832 3833 4059f5 GetWindowRect 3831->3833 3834 405a08 TrackPopupMenu 3831->3834 3835 4058a1 GetDlgItem SendMessageW 3832->3835 3836 40586d ShowWindow 3832->3836 3833->3834 3834->3827 3837 405a23 3834->3837 3835->3827 3840 4058c8 SendMessageW SendMessageW 3835->3840 3838 405890 3836->3838 3839 405883 ShowWindow 3836->3839 3841 405a3f SendMessageW 3837->3841 3847 40452b SendMessageW 3838->3847 3839->3838 3840->3827 3841->3841 3842 405a5c OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3841->3842 3844 405a81 SendMessageW 3842->3844 3844->3844 3845 405aaa GlobalUnlock SetClipboardData CloseClipboard 3844->3845 3845->3827 3846->3807 3847->3835 3848->3808 4461 401d3c 4462 402da9 21 API calls 4461->4462 4463 401d42 IsWindow 4462->4463 4464 401a45 4463->4464 4465 404d3d 4466 404d69 4465->4466 4467 404d4d 4465->4467 4468 404d9c 4466->4468 4469 404d6f SHGetPathFromIDListW 4466->4469 4476 405bbb GetDlgItemTextW 4467->4476 4471 404d86 SendMessageW 4469->4471 4472 404d7f 4469->4472 4471->4468 4474 40140b 2 API calls 4472->4474 4473 404d5a SendMessageW 4473->4466 4474->4471 4476->4473

              Control-flow Graph

              Control-flow graph of the entry function at 00403552 (rendered graph not reproduced in text; the executed/not-executed colouring is lost). Its API sequence is listed under APIs below. The remaining basic blocks cover: the temp-directory fallback (GetTempPathW, then GetWindowsDirectoryW with lstrcatW "\Temp", and a GetTempPathW plus "Low" variant, with TEMP and TMP re-pointed through SetEnvironmentVariableW); command-line parsing (CharNextW, lstrlenW, lstrcpynW); creation of a working directory and copying a file into it (wsprintfW, CreateDirectoryW, SetCurrentDirectoryW, MoveFileExW, CopyFileW, with GetFileAttributesW and DeleteFileW cleanup); the privileged reboot path (GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx); and error exit (MessageBoxIndirectW error dialog, OleUninitialize, ExitProcess, CloseHandle).
              APIs
              • SetErrorMode.KERNELBASE ref: 00403575
              • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 004035A0
              • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 004035B3
              • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040364C
              • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403689
              • OleInitialize.OLE32(00000000), ref: 00403690
              • SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 004036AF
              • GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036C4
              • CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe",00000020,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036FD
              • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403835
              • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403852
              • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403866
              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040386E
              • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387F
              • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403887
              • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040389B
              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403974
                • Part of subcall function 00406577: lstrcpynW.KERNEL32(?,?,00000400,004036C4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406584
              • wsprintfW.USER32 ref: 004039D1
              • GetFileAttributesW.KERNEL32(00437800,C:\Users\user\AppData\Local\Temp\), ref: 00403A04
              • DeleteFileW.KERNEL32(00437800), ref: 00403A10
              • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A3E
                • Part of subcall function 00406337: MoveFileExW.KERNEL32(?,?,00000005,00405E35,?,00000000,000000F1,?,?,?,?,?), ref: 00406341
              • CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,00437800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A54
                • Part of subcall function 00405B5A: CreateProcessW.KERNEL32(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B83
                • Part of subcall function 00405B5A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B90
                • Part of subcall function 004068D4: FindFirstFileW.KERNELBASE(?,0042FAB8,C:\,00405F97,C:\,C:\,00000000,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 004068DF
                • Part of subcall function 004068D4: FindClose.KERNEL32(00000000), ref: 004068EB
              • ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A9D
              • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AA2
              • ExitProcess.KERNEL32 ref: 00403ABF
              • CloseHandle.KERNEL32(00000000,00438000,00438000,?,00437800,00000000), ref: 00403AC6
              • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AE2
              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AE9
              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AFE
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B21
              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B46
              • ExitProcess.KERNEL32 ref: 00403B69
                • Part of subcall function 00405B25: CreateDirectoryW.KERNELBASE(?,00000000,00403545,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00405B2B
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
              • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"$1033$C:\Program Files (x86)\IDmelon$C:\Program Files (x86)\IDmelon\Accesskey$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
              • API String ID: 2017177436-307520350
              • Opcode ID: e7e0cd5b0ef4c9577908e2ee54baf6434358d7d27fb2459445cbf059cdb406f7
              • Instruction ID: 854c728f01c0035939758d15b123b9002cb8995d15bf2fdbd915a0a46deb4321
              • Opcode Fuzzy Hash: e7e0cd5b0ef4c9577908e2ee54baf6434358d7d27fb2459445cbf059cdb406f7
              • Instruction Fuzzy Hash: 6DF1F470604301ABD320AF659D05B6B7EE8EB8570AF10483FF581B22D1DB7DDA458B6E

              Control-flow Graph

Function 0040573B (entry block 40573b-405756; worker thread started at 4058ee-405910 via CreateThread, clipboard write at 405a5c-405abe). The block and edge list is rendered as a graph in the original report and is omitted here; the calls made from each block are listed under APIs below.
              APIs
              • GetDlgItem.USER32(?,00000403), ref: 00405799
              • GetDlgItem.USER32(?,000003EE), ref: 004057A8
              • GetClientRect.USER32(?,?), ref: 004057E5
              • GetSystemMetrics.USER32(00000002), ref: 004057EC
              • SendMessageW.USER32(?,00001061,00000000,?), ref: 0040580D
              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040581E
              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405831
              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040583F
              • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405852
              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405874
              • ShowWindow.USER32(?,00000008), ref: 00405888
              • GetDlgItem.USER32(?,000003EC), ref: 004058A9
              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004058B9
              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058D2
              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058DE
              • GetDlgItem.USER32(?,000003F8), ref: 004057B7
                • Part of subcall function 0040452B: SendMessageW.USER32(00000028,?,00000001,00404356), ref: 00404539
              • GetDlgItem.USER32(?,000003EC), ref: 004058FB
              • CreateThread.KERNELBASE(00000000,00000000,Function_000056CF,00000000), ref: 00405909
              • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405910
              • ShowWindow.USER32(00000000), ref: 00405934
              • ShowWindow.USER32(?,00000008), ref: 00405939
              • ShowWindow.USER32(00000008), ref: 00405983
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004059B7
              • CreatePopupMenu.USER32 ref: 004059C8
              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059DC
              • GetWindowRect.USER32(?,?), ref: 004059FC
              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405A15
              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A4D
              • OpenClipboard.USER32(00000000), ref: 00405A5D
              • EmptyClipboard.USER32 ref: 00405A63
              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A6F
              • GlobalLock.KERNEL32(00000000), ref: 00405A79
              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A8D
              • GlobalUnlock.KERNEL32(00000000), ref: 00405AAD
              • SetClipboardData.USER32(0000000D,00000000), ref: 00405AB8
              • CloseClipboard.USER32 ref: 00405ABE
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
              • String ID: {
              • API String ID: 4154960007-366298937
              • Opcode ID: a6b03d6253f0693a7e446d599fbd443ff6998c32a83cf6a7614abef3e4004c11
              • Instruction ID: d3b07f9c2581fb6b60ef1a2666babd9f8dcdaaa8066b0d43d813b8afd8e95190
              • Opcode Fuzzy Hash: a6b03d6253f0693a7e446d599fbd443ff6998c32a83cf6a7614abef3e4004c11
              • Instruction Fuzzy Hash: 03B159B0900608FFDF11AF60DD89AAE7B79FB48355F00813AFA45BA1A0C7785A51DF58
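As an added triage example (not Joe Sandbox code and not part of the original report): a Python script that parses "APIs" bullet lines in the format used on this page and flags the three behaviours visible in the two functions above: the copy-self-to-temp-and-relaunch pattern (the CopyFileW destination buffer reused as the CreateProcessW command line), the SeShutdownPrivilege / AdjustTokenPrivileges / ExitWindowsEx reboot path, and the CF_UNICODETEXT clipboard write. The sample listing is a constructed excerpt with a shortened sample path; the helper names (`parse_listing`, `find_self_relaunch`, `find_privileged_reboot`, `find_clipboard_write`, `triage`) are the example's own, and the Windows constants (EWX_*, SHTDN_REASON_*, CF_UNICODETEXT) are the documented values.

```python
"""Triage helper for Joe Sandbox "APIs" listings of the kind shown above.
Added example, not Joe Sandbox code: parses the bullet lines into call
records and flags three behaviours an analyst would then confirm by hand."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the report's "• Api.MODULE(args), ref: addr" shape,
# trimmed from the listings on this page; not the complete report.
SAMPLE_LISTING = r"""
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403835
• wsprintfW.USER32 ref: 004039D1
• CopyFileW.KERNEL32(C:\Users\user\Desktop\sample.exe,00437800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A54
  • Part of subcall function 00405B5A: CreateProcessW.KERNEL32(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?), ref: 00405B83
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AFE
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?), ref: 00403B21
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403B46
• OpenClipboard.USER32(00000000), ref: 00405A5D
• EmptyClipboard.USER32 ref: 00405A63
• SetClipboardData.USER32(0000000D,00000000), ref: 00405AB8
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\IDmelon), ref: 00403DB1
"""

# One listing line: optional "Part of subcall function XXXXXXXX: " prefix,
# Api.MODULE, optional "(args)", then "ref: <address>". The args group is
# greedy so a ")" inside an argument such as "Program Files (x86)" survives.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>#?\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\),|\s)\s*ref: (?P<ref>[0-9A-F]{8})\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int                       # address of the call site
    subcall: Optional[int] = None  # containing subroutine for "Part of subcall" lines

def parse_listing(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # headings, "Strings", memory-dump lines and so on
            continue
        args = m["args"].split(",") if m["args"] is not None else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls

def hexarg(s: str) -> Optional[int]:
    """Numeric argument as printed by the sandbox, or None for '?' and strings."""
    return int(s, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", s) else None

def find_self_relaunch(calls):
    """CopyFileW whose destination buffer is later passed to CreateProcessW as
    lpApplicationName or lpCommandLine (on this page both show 00437800)."""
    for cp in (c for c in calls if c.api == "CopyFileW" and len(c.args) >= 2):
        dest = cp.args[1]
        for cr in calls:
            if cr.api == "CreateProcessW" and dest in cr.args[:2]:
                return {"copy_ref": cp.ref, "create_ref": cr.ref, "buffer": dest}
    return None

EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}

def decode_exit_windows(flags: int, reason: int) -> dict:
    names = [n for bit, n in EWX_FLAGS.items() if flags & bit] or ["EWX_LOGOFF"]
    return {"flags": names,
            "planned": bool(reason & 0x80000000),  # SHTDN_REASON_FLAG_PLANNED
            "major": reason & 0x00FF0000,           # 0x40000 = SHTDN_REASON_MAJOR_APPLICATION
            "minor": reason & 0x0000FFFF}           # 0x2 = SHTDN_REASON_MINOR_INSTALLATION

def find_privileged_reboot(calls):
    """SeShutdownPrivilege looked up, token adjusted, then ExitWindowsEx."""
    lookup = [c for c in calls if c.api == "LookupPrivilegeValueW"
              and "SeShutdownPrivilege" in c.args]
    adjust = [c for c in calls if c.api == "AdjustTokenPrivileges"]
    exits = [c for c in calls if c.api == "ExitWindowsEx" and len(c.args) >= 2
             and hexarg(c.args[0]) is not None and hexarg(c.args[1]) is not None]
    if not (lookup and adjust and exits):
        return None
    e = exits[0]
    return {"lookup_ref": lookup[0].ref, "exit_ref": e.ref,
            **decode_exit_windows(hexarg(e.args[0]), hexarg(e.args[1]))}

CF_UNICODETEXT = 0x0D

def find_clipboard_write(calls):
    for c in calls:
        if c.api == "SetClipboardData" and c.args and hexarg(c.args[0]) is not None:
            fmt = hexarg(c.args[0])
            return {"ref": c.ref,
                    "format": "CF_UNICODETEXT" if fmt == CF_UNICODETEXT else hex(fmt)}
    return None

def triage(text: str) -> dict:
    calls = parse_listing(text)
    return {"calls": len(calls),
            "self_relaunch": find_self_relaunch(calls),
            "privileged_reboot": find_privileged_reboot(calls),
            "clipboard_write": find_clipboard_write(calls)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

On the page's values, ExitWindowsEx(00000002, 80040002) decodes to EWX_REBOOT with a planned application/installation reason, which is an ordinary uninstaller reboot request rather than a forced shutdown, and the CopyFileW into a "~nsu%X.tmp" file in the temp directory followed by CreateProcessW on the same buffer is how an NSIS uninstaller runs from a temporary copy so that the original executable can be removed. The heuristics match on shared argument values rather than on listing order, because the sandbox orders calls by address within each function, not by execution time.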

              Control-flow Graph

Function 00405C83 (entry block 405c83-405ca9; FindFirstFileW / FindNextFileW loop at 405d1c-405ddc, recursive call to 405c83 at 405d86-405d8f). The block and edge list is rendered as a graph in the original report and is omitted here; the calls made from each block are listed under APIs below.
              APIs
              • DeleteFileW.KERNELBASE(?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"), ref: 00405CAC
              • lstrcatW.KERNEL32(0042EA70,\*.*), ref: 00405CF4
              • lstrcatW.KERNEL32(?,0040A014), ref: 00405D17
              • lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"), ref: 00405D1D
              • FindFirstFileW.KERNELBASE(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"), ref: 00405D2D
              • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DCD
              • FindClose.KERNEL32(00000000), ref: 00405DDC
              Strings
              • "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe", xrefs: 00405C8C
              • pB, xrefs: 00405CDC
              • \*.*, xrefs: 00405CEE
              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C90
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
              • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"$C:\Users\user\AppData\Local\Temp\$\*.*$pB
              • API String ID: 2035342205-3812304127
              • Opcode ID: 06b40870d9db2984f76d7466e756925df4fbec91ebb4a1c75f6c7faa270cb809
              • Instruction ID: 26a84cf893ecfac7fe2d2a8ab9ced37764d13583991ceadb599b2dfedf858990
              • Opcode Fuzzy Hash: 06b40870d9db2984f76d7466e756925df4fbec91ebb4a1c75f6c7faa270cb809
              • Instruction Fuzzy Hash: 8E41B030800A18B6CB21AB65DC4DAAF7778EF42718F10813BF851711D1DB7C4A82DEAE
              APIs
              • FindFirstFileW.KERNELBASE(?,0042FAB8,C:\,00405F97,C:\,C:\,00000000,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 004068DF
              • FindClose.KERNEL32(00000000), ref: 004068EB
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID: C:\
              • API String ID: 2295610775-3404278061
              • Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
              • Instruction ID: 1cf04926a4a3889f6b92b588199f87985a57aa1d1812818edfb9113e4ef6e03f
              • Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
              • Instruction Fuzzy Hash: 53D012725162209BC240673CBD0C84B7A58AF253317518A3AF46AF61E0DB348C639699
              APIs
              • CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040224E
              Strings
              • C:\Program Files (x86)\IDmelon\Accesskey, xrefs: 0040228E
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: CreateInstance
              • String ID: C:\Program Files (x86)\IDmelon\Accesskey
              • API String ID: 542301482-2077697000
              • Opcode ID: 99423ef168fa0dc7d563ab215b90f00d26a2448a52d76e49bcb10065e06d2d2e
              • Instruction ID: 879178e2914a864b6efeea5842d2d3985b85c893096dfa9a9f6c7732eb85e553
              • Opcode Fuzzy Hash: 99423ef168fa0dc7d563ab215b90f00d26a2448a52d76e49bcb10065e06d2d2e
              • Instruction Fuzzy Hash: D1412571A00209AFCB00DFE4CA89A9D7BB5FF48318B20457EF505EB2D1DB799981CB54

              Control-flow Graph

Function 00403FF7 (entry block 403ff7-404009; this is the dialog procedure passed to DialogBoxParamW at 00403ED2 in the next function). The block and edge list is rendered as a graph in the original report and is omitted here; the calls made from each block are listed under APIs below.
              APIs
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404033
              • ShowWindow.USER32(?), ref: 00404053
              • GetWindowLongW.USER32(?,000000F0), ref: 00404065
              • ShowWindow.USER32(?,00000004), ref: 0040407E
              • DestroyWindow.USER32 ref: 00404092
              • SetWindowLongW.USER32(?,00000000,00000000), ref: 004040AB
              • GetDlgItem.USER32(?,?), ref: 004040CA
              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040DE
              • IsWindowEnabled.USER32(00000000), ref: 004040E5
              • GetDlgItem.USER32(?,00000001), ref: 00404190
              • GetDlgItem.USER32(?,00000002), ref: 0040419A
              • SetClassLongW.USER32(?,000000F2,?), ref: 004041B4
              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404205
              • GetDlgItem.USER32(?,00000003), ref: 004042AB
              • ShowWindow.USER32(00000000,?), ref: 004042CC
              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042DE
              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042F9
              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040430F
              • EnableMenuItem.USER32(00000000), ref: 00404316
              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040432E
              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404341
              • lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040436B
              • SetWindowTextW.USER32(?,0042CA68), ref: 0040437F
              • ShowWindow.USER32(?,0000000A), ref: 004044B3
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Window$Item$MessageSendShow$Long$CallbackDispatcherMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
              • String ID:
              • API String ID: 3964124867-0
              • Opcode ID: 85e06a1bfb462d71b49bda8b571905cea54c43c8c85ee92c4a54339351a5f343
              • Instruction ID: 8cad316efbf8f9c89f6feec2797fb874042f4abab253e3557332251604c97906
              • Opcode Fuzzy Hash: 85e06a1bfb462d71b49bda8b571905cea54c43c8c85ee92c4a54339351a5f343
              • Instruction Fuzzy Hash: C6C1A1B1500204BBDB206F61EE89E2B3AA8FB85755F01453EF751B51F0CB39A8529B2D

              Control-flow Graph

Function 00403C49 (entry block 403c49-403c61; window class registration and CreateWindowExW at 403dc7-403e41, DialogBoxParamW at 403eb9-403edc). The block and edge list is rendered as a graph in the original report and is omitted here; the calls made from each block are listed under APIs below.
              APIs
                • Part of subcall function 0040696B: GetModuleHandleA.KERNEL32(?,00000020,?,00403662,0000000C,?,?,?,?,?,?,?,?), ref: 0040697D
                • Part of subcall function 0040696B: GetProcAddress.KERNEL32(00000000,?), ref: 00406998
              • lstrcatW.KERNEL32(1033,0042CA68), ref: 00403CCA
              • lstrlenW.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files (x86)\IDmelon,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,76233420), ref: 00403D4A
              • lstrcmpiW.KERNEL32(?,.exe,Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files (x86)\IDmelon,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D5D
              • GetFileAttributesW.KERNEL32(Remove folder: ), ref: 00403D68
              • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\IDmelon), ref: 00403DB1
                • Part of subcall function 004064BE: wsprintfW.USER32 ref: 004064CB
              • RegisterClassW.USER32(004336A0), ref: 00403DEE
              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403E06
              • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E3B
              • ShowWindow.USER32(00000005,00000000), ref: 00403E71
              • GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E9D
              • GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403EAA
              • RegisterClassW.USER32(004336A0), ref: 00403EB3
              • DialogBoxParamW.USER32(?,00000000,00403FF7,00000000), ref: 00403ED2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
              • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Program Files (x86)\IDmelon$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
              • API String ID: 1975747703-1465765428
              • Opcode ID: 5e20c267018cc28429e7407a64d751b23d4fe7797b8e7b228d04f4c9996f5690
              • Instruction ID: c722afd28cb3ad108a11d8546cd61d6ece1c23d3a169ae69e987cf65e7f86a01
              • Opcode Fuzzy Hash: 5e20c267018cc28429e7407a64d751b23d4fe7797b8e7b228d04f4c9996f5690
              • Instruction Fuzzy Hash: 7961C370500700BED620AF66AD46F2B3A6CEB85B5AF40053FF945B22E2DB7C5941CA6D

              Control-flow Graph
              • Graph image not reproduced; function 004030A2-004032D6. Basic blocks call GetTickCount, GetModuleFileNameW, GetFileSize, GlobalAlloc, SetFilePointer and the internal functions 00406067, 00406577, 00405E92, 0040303E, 004034F4, 0040350A, 004032D9, 00406022, 00406A58.
              APIs
              • GetTickCount.KERNEL32 ref: 004030B3
              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,00000400), ref: 004030CF
                • Part of subcall function 00406067: GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,80000000,00000003), ref: 0040606B
                • Part of subcall function 00406067: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040608D
              • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,80000000,00000003), ref: 0040311B
              • GlobalAlloc.KERNELBASE(00000040,?), ref: 00403251
              Strings
              • "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe", xrefs: 004030A8
              • Error launching installer, xrefs: 004030F2
              • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403278
              • Null, xrefs: 00403199
              • C:\Users\user\AppData\Local\Temp\, xrefs: 004030A9
              • Inst, xrefs: 00403187
              • C:\Users\user\Desktop, xrefs: 004030FD, 00403102, 00403108
              • soft, xrefs: 00403190
              • C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, xrefs: 004030B9, 004030C8, 004030DC, 004030FC
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
              • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
              • API String ID: 2803837635-3820371625
              • Opcode ID: f372480b0837c6c57a2d238aa6b96231c33c595cef11dcb5259494f9e9f0d70c
              • Instruction ID: 55eb758a8cc994b5b8f5e8324c308f37a69edd03a8198e206d37cac48cd63750
              • Opcode Fuzzy Hash: f372480b0837c6c57a2d238aa6b96231c33c595cef11dcb5259494f9e9f0d70c
              • Instruction Fuzzy Hash: E9519171900204AFDB209FA5DD86B9E7EACEB09356F20417BF504B62D1C7789F408BAD
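The function at 004030A2 above (GetModuleFileNameW on its own path, GetFileSize, the string fragments "Null", "soft", "Inst" and the fallback message "Installer integrity check has failed...") is the NSIS stub locating its own data header and verifying the installer's checksum. The following Python is an added example, not code from this report or from the sample: it reproduces that scan over a constructed byte blob so the header layout and the two failure paths (corrupted data, truncated download) are visible. Assumed, not taken from the page: the firstheader layout and constants (flags, 0xDEADBEEF signature, "NullsoftInst" magic, two length fields) as in the NSIS source file fileform.h; that the stub only tests 512-byte-aligned offsets; that the trailing DWORD is a CRC32 over every byte before it, skipped when the build set the NO_CRC flag; and that both a missing header and a CRC mismatch lead to the integrity-check message while "Error launching installer" is reserved for failing to open the file.

```python
"""Locate and validate an NSIS installer 'firstheader' the way the stub does.

Added example; the layout and constants follow NSIS fileform.h, the 512-byte
scan step and the CRC rule are assumptions stated in the lead-in.
"""
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

# firstheader on disk (little-endian):
#   int flags; int siginfo; int nsinst[3]; int length_of_header;
#   int length_of_all_following_data;
FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"        # nsinst[3] == "Null", "soft", "Inst"
FH_STRUCT = struct.Struct("<II12sII")
FH_FLAGS_UNINSTALL = 1
FH_FLAGS_SILENT = 2
FH_FLAGS_NO_CRC = 4               # built with CRCCheck off
FH_FLAGS_FORCE_CRC = 8            # built with CRCCheck force (/NCRC switch ignored)
SCAN_ALIGN = 512                  # assumption: the stub only tests 512-byte boundaries


@dataclass
class FirstHeader:
    offset: int
    flags: int
    length_of_header: int
    length_of_all_following_data: int
    crc_checked: bool
    crc_ok: Optional[bool]        # None when the installer carries no CRC
    length_ok: bool               # declared data length reaches exactly end of file


def find_firstheader(data: bytes, align: int = SCAN_ALIGN) -> Optional[int]:
    """Offset of the first firstheader whose start is `align`-byte aligned."""
    needle = struct.pack("<I", FH_SIG) + FH_MAGIC   # siginfo followed by nsinst[3]
    pos = data.find(needle)
    while pos != -1:
        off = pos - 4                                # the flags field precedes siginfo
        if off >= 0 and off % align == 0:
            return off
        pos = data.find(needle, pos + 1)
    return None


def check_installer(data: bytes, align: int = SCAN_ALIGN) -> Optional[FirstHeader]:
    """Replicates the stub's integrity decision: header found, length sane, CRC valid."""
    off = find_firstheader(data, align)
    if off is None:
        return None            # no header: stub shows the integrity-check message (assumption)
    flags, _sig, _magic, hdr_len, follow_len = FH_STRUCT.unpack_from(data, off)
    length_ok = off + follow_len == len(data)        # truncated downloads fail here
    crc_checked = not (flags & FH_FLAGS_NO_CRC)
    crc_ok = None
    if crc_checked and len(data) >= off + FH_STRUCT.size + 4:
        stored = struct.unpack_from("<I", data, len(data) - 4)[0]
        crc_ok = zlib.crc32(data[:-4]) == stored      # trailing DWORD covers all bytes before it
    return FirstHeader(off, flags, hdr_len, follow_len, crc_checked, crc_ok, length_ok)


def build_sample(payload: bytes, flags: int = 0, stub_size: int = 1024,
                 with_crc: bool = True) -> bytes:
    """Constructed stand-in for an installer: zero filler in place of the PE stub,
    then firstheader, payload and (optionally) the trailing CRC32."""
    follow_len = FH_STRUCT.size + len(payload) + (4 if with_crc else 0)
    hdr = FH_STRUCT.pack(flags, FH_SIG, FH_MAGIC, len(payload), follow_len)
    body = b"\x00" * stub_size + hdr + payload
    if with_crc:
        body += struct.pack("<I", zlib.crc32(body))
    return body


# Constructed inputs: an intact blob, a byte-flipped copy and a truncated copy.
SAMPLE = build_sample(b"constructed compressed-data stand-in " * 4)
TAMPERED = bytearray(SAMPLE)
TAMPERED[-10] ^= 0xFF
TAMPERED = bytes(TAMPERED)
TRUNCATED = SAMPLE[:-16]

if __name__ == "__main__":
    for name, blob in (("intact", SAMPLE), ("tampered", TAMPERED), ("truncated", TRUNCATED)):
        print(name, check_installer(blob))
```

Against a real file, read it as bytes and pass it to check_installer; the returned offset is where the compressed NSIS data begins, which is the region to carve when the payload is to be handed to a decompressor or to 7-Zip, and a False crc_ok with length_ok True is the pattern of deliberate patching rather than an incomplete download.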

              Control-flow Graph
              • Graph image not reproduced; function 004065B4-00406822. Basic blocks call GetSystemDirectoryW, GetWindowsDirectoryW, SHGetPathFromIDListW, CoTaskMemFree, lstrcatW, lstrlenW and the internal functions 00406577, 00406445, 004064BE, 004065B4 (recursive), 00406825, 0040696B.
              APIs
              • GetSystemDirectoryW.KERNEL32(Remove folder: ,00000400), ref: 004066D6
              • GetWindowsDirectoryW.KERNEL32(Remove folder: ,00000400,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\,?,?,00000000,00000000,00425A20,762323A0), ref: 004066EC
              • SHGetPathFromIDListW.SHELL32(00000000,Remove folder: ), ref: 0040674A
              • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406753
              • lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040677E
              • lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\,?,?,00000000,00000000,00425A20,762323A0), ref: 004067D8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
              • String ID: Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
              • API String ID: 4024019347-3642344988
              • Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
              • Instruction ID: fc4c1bf1ff31ba1b34cdfc75387d7881e57296f2874843d1a5ebc397bafcf832
              • Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
              • Instruction Fuzzy Hash: D16135716042009BD720AF24DD80B6B76E8EF85328F12453FF647B32D0DB7D9961865E

              Control-flow Graph
              • Graph image not reproduced; function 004032D9-004034F1. Basic blocks call GetTickCount, MulDiv, wsprintfW and the internal functions 004034F4, 0040350A, 00406119, 00406AC6, 004055FC.
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: CountTick$wsprintf
              • String ID: *B$ ZB$ A$ A$... %d%%
              • API String ID: 551687249-3856725213
              • Opcode ID: eaa593b87575a6ec937a1f138dd1ec6c9bfb619ef7c698298e3bc5a85a372825
              • Instruction ID: 3a086bfa1ae904988031f2e91e2ff9394e13111a018eeb379290de00703e2b75
              • Opcode Fuzzy Hash: eaa593b87575a6ec937a1f138dd1ec6c9bfb619ef7c698298e3bc5a85a372825
              • Instruction Fuzzy Hash: 2F519F71900219DBCB11DF65DA44B9E7FB8AF44766F10413BE810BB2D1C7789A40CBA9

              Control-flow Graph
              • Graph image not reproduced; function 00401794-00402C5E. Basic blocks call lstrcatW, CompareFileTime, SetFileTime, FindCloseChangeNotification and the internal functions 00402DCB, 00405EBD, 00406577, 00405E46, 00406825, 004068D4, 00406042, 00406067, 004055FC, 004032D9, 004065B4, 00405BD7.
              APIs
              • lstrcatW.KERNEL32(00000000,00000000), ref: 004017D5
              • CompareFileTime.KERNEL32(-00000014,?,show,show,00000000,00000000,show,C:\Program Files (x86)\IDmelon\Accesskey,?,?,00000031), ref: 004017FA
                • Part of subcall function 00406577: lstrcpynW.KERNEL32(?,?,00000400,004036C4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406584
                • Part of subcall function 004055FC: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\,00000000,00425A20,762323A0,?,?,?,?,?,?,?,?,?,0040343D,00000000,?), ref: 00405634
                • Part of subcall function 004055FC: lstrlenW.KERNEL32(0040343D,Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\,00000000,00425A20,762323A0,?,?,?,?,?,?,?,?,?,0040343D,00000000), ref: 00405644
                • Part of subcall function 004055FC: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\,0040343D), ref: 00405657
                • Part of subcall function 004055FC: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\), ref: 00405669
                • Part of subcall function 004055FC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040568F
                • Part of subcall function 004055FC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004056A9
                • Part of subcall function 004055FC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004056B7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
              • String ID: C:\Program Files (x86)\IDmelon\Accesskey$C:\Users\user\AppData\Local\Temp\nstB00.tmp$C:\Users\user\AppData\Local\Temp\nstB00.tmp\InstallOptions.dll$show
              • API String ID: 1941528284-1496520371
              • Opcode ID: 86d07d04b1d7bc420b44533fa191de8f1a63e7a8af8a14afb7d0afcb2e6aa1a2
              • Instruction ID: 896c0c78208a39cbb5dd39340d0745d1a2bf2ace5f7797069eceb710e9101d93
              • Opcode Fuzzy Hash: 86d07d04b1d7bc420b44533fa191de8f1a63e7a8af8a14afb7d0afcb2e6aa1a2
              • Instruction Fuzzy Hash: 4C41B671900108BACB117BB5DD85DBE7AB9EF45328F21423FF412B10E2D73C8A919A2D

              Control-flow Graph
              • Graph image not reproduced; function 004055FC-004056CC. Basic blocks call lstrlenW, lstrcatW, SetWindowTextW, SendMessageW and the internal function 004065B4.
              APIs
              • lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\,00000000,00425A20,762323A0,?,?,?,?,?,?,?,?,?,0040343D,00000000,?), ref: 00405634
              • lstrlenW.KERNEL32(0040343D,Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\,00000000,00425A20,762323A0,?,?,?,?,?,?,?,?,?,0040343D,00000000), ref: 00405644
              • lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\,0040343D), ref: 00405657
              • SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\), ref: 00405669
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040568F
              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004056A9
              • SendMessageW.USER32(?,00001013,?,00000000), ref: 004056B7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: MessageSend$lstrlen$TextWindowlstrcat
              • String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\
              • API String ID: 2531174081-578362566
              • Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
              • Instruction ID: 60923f6e922cea494a698f26c75bee70e53a21f42b4b77269416c2a585f1ce57
              • Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
              • Instruction Fuzzy Hash: 9A21A171900258BACB119FA5ED449DFBFB4EF45310F50843AF908B22A0C3794A40CFA8

              Control-flow Graph
              • Graph image not reproduced; function 00402975-00402A7A. Basic blocks call GlobalAlloc, GlobalFree, CloseHandle, DeleteFileW and the internal functions 00402DCB, 00405EBD, 00406042, 00406067, 004032D9, 0040350A, 004034F4, 00406119, 00406022.
              APIs
              • GlobalAlloc.KERNELBASE(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
              • GlobalFree.KERNEL32(?), ref: 00402A2B
              • GlobalFree.KERNELBASE(00000000), ref: 00402A3E
              • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Global$AllocFree$CloseDeleteFileHandle
              • String ID:
              • API String ID: 2667972263-0
              • Opcode ID: aeea345b9e496e3d3fafa1617fda85685875a2e3d5cd25ef925516c77ed6eae9
              • Instruction ID: fd7949a1005e62e73a365a75524f2bbb059e9229dbd09bef2f8decdc6a7611be
              • Opcode Fuzzy Hash: aeea345b9e496e3d3fafa1617fda85685875a2e3d5cd25ef925516c77ed6eae9
              • Instruction Fuzzy Hash: FA31A271D00124BBCF21AFA5CE89D9E7E79AF45324F14423AF421762E1CB798D418FA8

              Control-flow Graph
              • Graph image not reproduced; function 00402ECE-00402FB5. Basic blocks call RegEnumValueW, RegEnumKeyW, RegCloseKey, RegDeleteKeyW, RegDeleteKeyExW and the internal functions 004063E4, 0040696B, 00402ECE (recursive).
              APIs
              • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99
              • RegDeleteKeyExW.KERNELBASE(?,?,00100020,00000000,00000003,?,?), ref: 00402FAF
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: CloseDeleteEnum$Value
              • String ID:
              • API String ID: 3807931542-0
              • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
              • Instruction ID: 446d876c474c9d83549856ad9cac23e68bb7371358ae7480bd0e7fa7c4692e5e
              • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
              • Instruction Fuzzy Hash: 1D212A7150010ABFDF129F90CE89EEF7A7DEB54388F110076B909B21E0E7B58E54AA64

              Control-flow Graph (rendered graph not reproduced; entry block 405f4e-405f69, exit block 405fc7-405fc9)
              APIs
                • Part of subcall function 00406577: lstrcpynW.KERNEL32(?,?,00000400,004036C4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406584
                • Part of subcall function 00405EF1: CharNextW.USER32(?,?,C:\,?,00405F65,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"), ref: 00405EFF
                • Part of subcall function 00405EF1: CharNextW.USER32(00000000), ref: 00405F04
                • Part of subcall function 00405EF1: CharNextW.USER32(00000000), ref: 00405F1C
              • lstrlenW.KERNEL32(C:\,00000000,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"), ref: 00405FA7
              • GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 00405FB7
              Similarity
              • API ID: CharNext$AttributesFilelstrcpynlstrlen
              • String ID: 4#v$C:\$C:\Users\user\AppData\Local\Temp\
              • API String ID: 3248276644-1150081906
              • Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
              • Instruction ID: 6a7a19aedd3560da6e477bd72522a8c235124595f9c35bb96c459409ca5d5c37
              • Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
              • Instruction Fuzzy Hash: 28F0F42A105E6369C622333A5C05AAF1954CE86324B5A453FBC91F22C5CF3C8A42CDBE

              Control-flow Graph (rendered graph not reproduced; entry block 4068fb-40691b, exit block 406935-406968)
              APIs
              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406912
              • wsprintfW.USER32 ref: 0040694D
              • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406961
              Similarity
              • API ID: DirectoryLibraryLoadSystemwsprintf
              • String ID: %s%S.dll$UXTHEME
              • API String ID: 2200240437-1106614640
              • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
              • Instruction ID: 6d7bab0cfc2d48cbbbe6bb2f91b005b1c0391479526b60628745523d5c0137a7
              • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
              • Instruction Fuzzy Hash: 66F02B71501129A7CF10AB68DD0EF9F376CAB00304F10447AA646F10E0EB7CDB69CB98

              Control-flow Graph (rendered graph not reproduced; entry block 401c68-401c88, exit block 402c4f-402c5e)
              APIs
              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0
              Similarity
              • API ID: MessageSend$Timeout
              • String ID: !
              • API String ID: 1777923405-2657877971
              • Opcode ID: a637eb720a8cb25f7279c4c7dfa93e68b81a041eba1bee5adc213dda34b2fd0f
              • Instruction ID: 1a2acd516b32d4a8bba1f086ee74ddb70cdd2400578aaa813c3bd98b8eca9c32
              • Opcode Fuzzy Hash: a637eb720a8cb25f7279c4c7dfa93e68b81a041eba1bee5adc213dda34b2fd0f
              • Instruction Fuzzy Hash: 1121A071D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF501B61D0D7B88941DB98
              APIs
              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nstB00.tmp,00000023,00000011,00000002), ref: 004024FA
              • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nstB00.tmp,00000000,00000011,00000002), ref: 0040253A
              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nstB00.tmp,00000000,00000011,00000002), ref: 00402622
              Similarity
              • API ID: CloseValuelstrlen
              • String ID: C:\Users\user\AppData\Local\Temp\nstB00.tmp
              • API String ID: 2655323295-2719429655
              • Opcode ID: 1ee84d76f42b9e83beb61e37e14ca78df45b1a10c6f610f11eef06d316a7ff26
              • Instruction ID: 9ef1a868ac7dccf2a0d827ba333ec8444b87bd6dca13d8647f6a5f0896484b93
              • Opcode Fuzzy Hash: 1ee84d76f42b9e83beb61e37e14ca78df45b1a10c6f610f11eef06d316a7ff26
              • Instruction Fuzzy Hash: DF11B131D00119BEEF00AFA1DE4AAAEB6B4EF44318F20443FF404B61D1D7B88E009A68
              APIs
              • GetTickCount.KERNEL32 ref: 004060B4
              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403550,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C), ref: 004060CF
              Similarity
              • API ID: CountFileNameTempTick
              • String ID: C:\Users\user\AppData\Local\Temp\$nsa
              • API String ID: 1716503409-1857211195
              • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
              • Instruction ID: 0f0e971a11aa9000600537ad3b21051f2e76e4828209a3ca974843c19b3e0847
              • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
              • Instruction Fuzzy Hash: B5F09076B40204BBEB00CF69ED05F9EB7ACEBA5750F11803AE901F7180E6B099648768
              APIs
                • Part of subcall function 00405EF1: CharNextW.USER32(?,?,C:\,?,00405F65,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"), ref: 00405EFF
                • Part of subcall function 00405EF1: CharNextW.USER32(00000000), ref: 00405F04
                • Part of subcall function 00405EF1: CharNextW.USER32(00000000), ref: 00405F1C
              • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F
                • Part of subcall function 00405ACB: CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405B0D
              • SetCurrentDirectoryW.KERNELBASE(?,C:\Program Files (x86)\IDmelon\Accesskey,?,00000000,000000F0), ref: 00401672
              Strings
              • C:\Program Files (x86)\IDmelon\Accesskey, xrefs: 00401665
              Similarity
              • API ID: CharNext$Directory$AttributesCreateCurrentFile
              • String ID: C:\Program Files (x86)\IDmelon\Accesskey
              • API String ID: 1892508949-2077697000
              • Opcode ID: 522b783c9de46c7eb01671ee67dcdc22f4b8e2acc15c0cd2b2b5e6563b12514b
              • Instruction ID: 104414052cab316a424bfe0d2ff1de268c148956b102069c6a2fab9df067ebf3
              • Opcode Fuzzy Hash: 522b783c9de46c7eb01671ee67dcdc22f4b8e2acc15c0cd2b2b5e6563b12514b
              • Instruction Fuzzy Hash: 0911BE31804514ABCF206FA5CD01AAE36B0EF14368B25493BE941B22F1C63A4A41DA5D
              APIs
              • RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,Remove folder: ,?,00000000,004066B6,80000002), ref: 0040648B
              • RegCloseKey.KERNELBASE(?), ref: 00406496
              Similarity
              • API ID: CloseQueryValue
              • String ID: Remove folder:
              • API String ID: 3356406503-1958208860
              • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
              • Instruction ID: 39ab2095516423f533248995afa5b88f9e2e33bd0920f2eea258779ff0fd120f
              • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
              • Instruction Fuzzy Hash: AB017C72500209AADF21CF51CC09EDB3BACFB55364F01803AFD1AA21A0D778D964DBA8
              APIs
              • FreeLibrary.KERNELBASE(?,76233420,00000000,C:\Users\user\AppData\Local\Temp\,00403B8C,00403AA2,?,?,00000008,0000000A,0000000C), ref: 00403BCE
              • GlobalFree.KERNEL32(00000000), ref: 00403BD5
              Strings
              • C:\Users\user\AppData\Local\Temp\, xrefs: 00403BB4
              Similarity
              • API ID: Free$GlobalLibrary
              • String ID: C:\Users\user\AppData\Local\Temp\
              • API String ID: 1100898210-3936084776
              • Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
              • Instruction ID: 378dd3650374f781d23bf779db5809bbac3881e8a2166d277484928c36cee721
              • Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
              • Instruction Fuzzy Hash: 20E08C336204205BC6311F15AE05B1A77786F89B2AF01402AE8407B2628BB47C528FC8
              APIs
              • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402128
                • Part of subcall function 004055FC: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\,00000000,00425A20,762323A0,?,?,?,?,?,?,?,?,?,0040343D,00000000,?), ref: 00405634
                • Part of subcall function 004055FC: lstrlenW.KERNEL32(0040343D,Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\,00000000,00425A20,762323A0,?,?,?,?,?,?,?,?,?,0040343D,00000000), ref: 00405644
                • Part of subcall function 004055FC: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\,0040343D), ref: 00405657
                • Part of subcall function 004055FC: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nstB00.tmp\), ref: 00405669
                • Part of subcall function 004055FC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040568F
                • Part of subcall function 004055FC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004056A9
                • Part of subcall function 004055FC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004056B7
              • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402139
              • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004021B6
              Similarity
              • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
              • String ID:
              • API String ID: 334405425-0
              • Opcode ID: a9a1cb99ff15f1357771582dd7df8513af6aefa9ca18d0a30a4eed977a1c7e10
              • Instruction ID: ae41dde4eff0046a081fa93f434b6203791b13f397c20c3345ef6f3f33f6a532
              • Opcode Fuzzy Hash: a9a1cb99ff15f1357771582dd7df8513af6aefa9ca18d0a30a4eed977a1c7e10
              • Instruction Fuzzy Hash: 4B21A131904104EACF10AFA5CF89A9E7A71BF44369F30413BF105B91E5CBBD99829A2D
              APIs
              • GlobalFree.KERNEL32(005B82B8), ref: 00401C30
              • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C42
              Similarity
              • API ID: Global$AllocFree
              • String ID: show
              • API String ID: 3394109436-839833857
              • Opcode ID: b2bf5aa3fb98d5d7659b4efbfb09c2738223d3c1d5b8947c58a47baf3ffb3ed2
              • Instruction ID: b741a03fd702b7c6772e3f95c256d95ec8b7de3af2fdc922703a565136a7d287
              • Opcode Fuzzy Hash: b2bf5aa3fb98d5d7659b4efbfb09c2738223d3c1d5b8947c58a47baf3ffb3ed2
              • Instruction Fuzzy Hash: 9521F372904150EBDB20ABA4EE85E6E33B8AB04718715063FF542B72D5C7BCE8409B9D
              APIs
                • Part of subcall function 00406042: GetFileAttributesW.KERNELBASE(?,?,00405C47,?,?,00000000,00405E1D,?,?,?,?), ref: 00406047
                • Part of subcall function 00406042: SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040605B
              • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405E1D), ref: 00405C56
              • DeleteFileW.KERNELBASE(?,?,?,00000000,00405E1D), ref: 00405C5E
              • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C76
              Similarity
              • API ID: File$Attributes$DeleteDirectoryRemove
              • String ID:
              • API String ID: 1655745494-0
              • Opcode ID: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
              • Instruction ID: c82196251123d647324ab779b7bb87df945e5a0710881db1f7e3845477fa960f
              • Opcode Fuzzy Hash: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
              • Instruction Fuzzy Hash: 96E0E53220D79116E21067305A4CB5F2998DF86724F05093AF892B11C1DB78494A8AAE
              APIs
              • SendMessageW.USER32(00000408,?,00000000,0040412E), ref: 004044ED
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: x
              • API String ID: 3850602802-2363233923
              • Opcode ID: 940325285312ba596bb559440598d7c93f49923121e0d523c76edeea93f158b3
              • Instruction ID: 727aaa30b1a0279700c4ddf998542a6092130f4ca847e2a016c42ef825c52627
              • Opcode Fuzzy Hash: 940325285312ba596bb559440598d7c93f49923121e0d523c76edeea93f158b3
              • Instruction Fuzzy Hash: 62C012B1180200BECB105B80DE01F067B60E7A4B02F11A439F380240B087706862DB0C
              APIs
              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
              • SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
              • Instruction ID: 0adee223d2b7ba7d815a442a2885e1f2b60e3b86eb1a18037e9b6c54a102055c
              • Opcode Fuzzy Hash: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
              • Instruction Fuzzy Hash: 0E01FF31620220AFE7195B389E05B6B3698E710329F10863FF851F62F1EA78DC429B4C
              APIs
              • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040247B
              • RegCloseKey.ADVAPI32(00000000), ref: 00402484
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: CloseDeleteValue
              • String ID:
              • API String ID: 2831762973-0
              • Opcode ID: 88532daaf68fc495be88ee40bdce2257086fb46b70832e880cbbaed8aa0e1354
              • Instruction ID: 8c17455a9467dbb84b7eb3278e4b377a62f271589af7dc4cff81b1a675067d18
              • Opcode Fuzzy Hash: 88532daaf68fc495be88ee40bdce2257086fb46b70832e880cbbaed8aa0e1354
              • Instruction Fuzzy Hash: 6CF06832A045219BDB10BBA5DA8E5AE62A5AB44354F11443FE502B71C1CAF84D02977D
              APIs
              • OleInitialize.OLE32(00000000), ref: 004056DF
                • Part of subcall function 00404542: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404554
              • OleUninitialize.OLE32(00000404,00000000), ref: 0040572B
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: InitializeMessageSendUninitialize
              • String ID:
              • API String ID: 2896919175-0
              • Opcode ID: bbf0263ab9fe446523fd7f753457698ace2b8a2c52ebc29179148d008809b166
              • Instruction ID: 52f38fc7938b2997ebb4afee836ba7d943988f66c47461a03c1f49ca59b4ab2d
              • Opcode Fuzzy Hash: bbf0263ab9fe446523fd7f753457698ace2b8a2c52ebc29179148d008809b166
              • Instruction Fuzzy Hash: 2AF02E72400610DBE7016B94AD02BA373A8FBC53A5F05503EFF89B32E0CB3658018B5D
              APIs
              • CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405B0D
              • GetLastError.KERNEL32 ref: 00405B1B
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: CreateDirectoryErrorLast
              • String ID:
              • API String ID: 1375471231-0
              • Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
              • Instruction ID: 83f907d2df1d2810bbbe2cf052e9f9ea9028798b61a5f10ffece60f544324ce8
              • Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
              • Instruction Fuzzy Hash: 44F0F4B0D1060EDBDB00DFA4D6497EFBBB4AB04309F00812AD941B6281D7B89248CBA9
              APIs
              • ShowWindow.USER32(00000000,00000000), ref: 00401F21
              • EnableWindow.USER32(00000000,00000000), ref: 00401F2C
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Window$EnableShow
              • String ID:
              • API String ID: 1136574915-0
              • Opcode ID: 220038190f5765e08acb68cab3f819293a66988b7b4b21bab0f24e91f41eee4f
              • Instruction ID: 14a8ef39102396d835bb54982d99b4aace68b6eedf0c4e81be07541ee7d8ceed
              • Opcode Fuzzy Hash: 220038190f5765e08acb68cab3f819293a66988b7b4b21bab0f24e91f41eee4f
              • Instruction Fuzzy Hash: FEE04F76908610DFE748EBA4AE499EEB3F4EF80365B20197FE001F11D1DBB94D00966D
              APIs
              • GetModuleHandleA.KERNEL32(?,00000020,?,00403662,0000000C,?,?,?,?,?,?,?,?), ref: 0040697D
              • GetProcAddress.KERNEL32(00000000,?), ref: 00406998
                • Part of subcall function 004068FB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406912
                • Part of subcall function 004068FB: wsprintfW.USER32 ref: 0040694D
                • Part of subcall function 004068FB: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406961
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
              • String ID:
              • API String ID: 2547128583-0
              • Opcode ID: fa9529b661a20328ef717d54741181462d2da8a99b8882de0ad3477ad76f042b
              • Instruction ID: f16a4ad3e9102b165210d3f50f6adbe363033f5fe81171ed8a06a41b6d2757eb
              • Opcode Fuzzy Hash: fa9529b661a20328ef717d54741181462d2da8a99b8882de0ad3477ad76f042b
              • Instruction Fuzzy Hash: F1E08673504311AAD6105B759D0492772E89F89750302443EF986F2140DB38EC32A6AE
              APIs
              • SendMessageW.USER32(?,0000000B,?), ref: 00402C39
              • InvalidateRect.USER32(?), ref: 00402C49
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: InvalidateMessageRectSend
              • String ID:
              • API String ID: 909852535-0
              • Opcode ID: cfe8654151a7fb919b36f8ec236feca4529e6266032f4a9ef2e5c0ddbf65b270
              • Instruction ID: 92b7ebcd256046620b39c8ea217ab7c3c79192c04b2b2643f27b5f3eae77931e
              • Opcode Fuzzy Hash: cfe8654151a7fb919b36f8ec236feca4529e6266032f4a9ef2e5c0ddbf65b270
              • Instruction Fuzzy Hash: 9EE0ECB2650504FFEB15DB94EE85DAEB7B9EB80355B00047EF101E1060D7745D91DB28
              APIs
              • GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,80000000,00000003), ref: 0040606B
              • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040608D
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: File$AttributesCreate
              • String ID:
              • API String ID: 415043291-0
              • Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
              • Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
              • Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
              • Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
              APIs
              • GetFileAttributesW.KERNELBASE(?,?,00405C47,?,?,00000000,00405E1D,?,?,?,?), ref: 00406047
              • SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040605B
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: AttributesFile
              • String ID:
              • API String ID: 3188754299-0
              • Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
              • Instruction ID: a0ae240d833e004fe72580c92a9f2193965d94811d262e1a0a63bc04ff00b3bc
              • Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
              • Instruction Fuzzy Hash: 7ED0C972504220AFC2102728AE0889BBB55DB542717028A35F8A9A22B0CB304CA68694
              APIs
              • CloseHandle.KERNEL32(FFFFFFFF,00403AA2,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B7A
              Strings
              • C:\Users\user\AppData\Local\Temp\nstB00.tmp\, xrefs: 00403B8E
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: CloseHandle
              • String ID: C:\Users\user\AppData\Local\Temp\nstB00.tmp\
              • API String ID: 2962429428-867066017
              • Opcode ID: ae973bb0dca4e4815b90d97470301ae31a1ae4600fd43aa67c366af3984d4a62
              • Instruction ID: 1b7086e6f2e4317af50c710f47857d00c701bc700238930339e1f9ec47f16c49
              • Opcode Fuzzy Hash: ae973bb0dca4e4815b90d97470301ae31a1ae4600fd43aa67c366af3984d4a62
              • Instruction Fuzzy Hash: 38C0223010070086F0202F389E0FA183A24670073DBA08329B0B8F00F3CF7C164C841D
              APIs
              • CreateDirectoryW.KERNELBASE(?,00000000,00403545,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00405B2B
              • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B39
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: CreateDirectoryErrorLast
              • String ID:
              • API String ID: 1375471231-0
              • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
              • Instruction ID: 2532c664264170c07cbc731aa09703a23e3881c092aaf3b019fc47175ec23a7b
              • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
              • Instruction Fuzzy Hash: 98C04C70604906DAD7505F219F087177960AB50741F158439A6C7F40A0DA74A455D92D
              APIs
              • MoveFileW.KERNEL32(00000000,00000000), ref: 004016BB
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: FileMove
              • String ID:
              • API String ID: 3562171763-0
              • Opcode ID: 28dc5c50ebc12032345a7729cf35481b8c8bbd71f25d5d2fe63a1407a727cbb2
              • Instruction ID: b5cd7fb0f8cac405fb011e9cf8ea0a60cc8dc6b6af2237c550085c2a5a912803
              • Opcode Fuzzy Hash: 28dc5c50ebc12032345a7729cf35481b8c8bbd71f25d5d2fe63a1407a727cbb2
              • Instruction Fuzzy Hash: 1DF0903160812293CB1077B55F0ED9F26A49F8137CB21063FB112B21E1D6BCC902926E
              APIs
              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040240E
              Similarity
              • API ID: PrivateProfileStringWrite
              • String ID:
              • API String ID: 390214022-0
              • Opcode ID: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
              • Instruction ID: ca2f62041d63e4abf833ada0eb3473e8090594299762c22e2e4a91b8788c92d6
              • Opcode Fuzzy Hash: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
              • Instruction Fuzzy Hash: CEE086319105266BDB103AF20ECE9BE2058AF48308B24093FF512B61C2DEFC8C42567D
              APIs
              • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 0040643B
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
              • Instruction ID: 173efcb61436e01de2ec3b268cd8b302251cd5bc368a703a1804e99dfb897165
              • Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
              • Instruction Fuzzy Hash: 51E0BF72010109BFEF095F60DD4AD7B3A1DE708610B11852EF906D5051E6B5A9705675
              APIs
              • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034BD,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040612D
              Similarity
              • API ID: FileWrite
              • String ID:
              • API String ID: 3934441357-0
              • Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
              • Instruction ID: 5447fabf40714e60d37a3b8d529c829a5aab84dab7567664cea5a9789522ebfd
              • Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
              • Instruction Fuzzy Hash: DFE08C3221021ABBDF109E518C00EEB3B6CEB003A0F014432FD26E7050D630E86097A4
              APIs
              • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403507,00000000,00000000,0040332B,000000FF,00000004,00000000,00000000,00000000), ref: 004060FE
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
              • Instruction ID: 2902185137110ca2ffdb2282e3c832ce644deeff7f1201e2b4f2572205eed693
              • Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
              • Instruction Fuzzy Hash: D0E08C3221021AABCF109E508C01EEB3BACFF043A0F014432FD12EB042D230E9229BA4
              APIs
              • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,00406472,?,?,?,?,Remove folder: ,?,00000000), ref: 00406408
              Similarity
              • API ID: Open
              • String ID:
              • API String ID: 71445658-0
              • Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
              • Instruction ID: 12ce3b422fe6a0da393528f22193a7488631f194d1dbc4d2354a9349d97d7052
              • Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
              • Instruction Fuzzy Hash: 34D0123204020DBBEF115F90DD01FAB3B1DEB08310F018836FE06A4091D776D570A758
              APIs
              • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015D3
              Similarity
              • API ID: AttributesFile
              • String ID:
              • API String ID: 3188754299-0
              • Opcode ID: bd9eef0ddba76f96e5ede74a4073dc30a0544dd5bf06428a66fa2d1577afb889
              • Instruction ID: cd4f68ad1bc4df61111a8e6125a37bec327b368bc2224c93a9ffc6bdd58994c4
              • Opcode Fuzzy Hash: bd9eef0ddba76f96e5ede74a4073dc30a0544dd5bf06428a66fa2d1577afb889
              • Instruction Fuzzy Hash: 74D05B72B08101D7DB00DBE89B49A9E77A4DB50378B31853BD111F11D4D7B8C545A71D
              APIs
              • SetDlgItemTextW.USER32(?,?,00000000), ref: 00404510
              Similarity
              • API ID: ItemText
              • String ID:
              • API String ID: 3367045223-0
              • Opcode ID: 9f5f9317995870dd68fcf34551989b3f9c33a874f6e62bdf9e4bbf2fb329bfe5
              • Instruction ID: 97ac48dd61a0b469960c63b80490aac8c8cd18122c4a3518691629518e2bbf09
              • Opcode Fuzzy Hash: 9f5f9317995870dd68fcf34551989b3f9c33a874f6e62bdf9e4bbf2fb329bfe5
              • Instruction Fuzzy Hash: 2DC08C31008200BFE241A704CC42F0FB3ECEF9031AF00C42EB05CE00D6C6B495208A26
              APIs
              • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404554
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
              • Instruction ID: 6ad8b1d984edffd0e08e34c6f36dd165e1dcb54a73607e2b540eae92d4c67d50
              • Opcode Fuzzy Hash: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
              • Instruction Fuzzy Hash: ACC04C717402007BDA209F549D49F1777546790702F1495397351E51E0C674E550D61C
              APIs
              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403267,?), ref: 00403518
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
              • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
              • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
              • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
              APIs
              • SendMessageW.USER32(00000028,?,00000001,00404356), ref: 00404539
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
              • Instruction ID: 777369a795cbaa9bd4fd16da76cbada5404ff361b75e364c58eeef3f96c31ac9
              • Opcode Fuzzy Hash: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
              • Instruction Fuzzy Hash: 6BB09235181600AADA115B40DE09F867BA2E7A4701F029438B340640B0CBB210A0DB08
              APIs
              • KiUserCallbackDispatcher.NTDLL(?,004042EF), ref: 00404522
              Similarity
              • API ID: CallbackDispatcherUser
              • String ID:
              • API String ID: 2492992576-0
              • Opcode ID: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
              • Instruction ID: 186c68f4495094c0cebc3eb7279f68ffc90812dad8dfd9e689695b78415bb769
              • Opcode Fuzzy Hash: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
              • Instruction Fuzzy Hash: 43A00176544A04ABCE12EB50EF4990ABB62BBA4B01B618879A285514388B325921EB19
              APIs
              • GetDlgItem.USER32(?,000003FB), ref: 00404A36
              • SetWindowTextW.USER32(00000000,?), ref: 00404A60
              • SHBrowseForFolderW.SHELL32(?), ref: 00404B11
              • CoTaskMemFree.OLE32(00000000), ref: 00404B1C
              • lstrcmpiW.KERNEL32(Remove folder: ,0042CA68,00000000,?,?), ref: 00404B4E
              • lstrcatW.KERNEL32(?,Remove folder: ), ref: 00404B5A
              • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B6C
                • Part of subcall function 00405BBB: GetDlgItemTextW.USER32(?,?,00000400,00404BA3), ref: 00405BCE
                • Part of subcall function 00406825: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00406888
                • Part of subcall function 00406825: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406897
                • Part of subcall function 00406825: CharNextW.USER32(?,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 0040689C
                • Part of subcall function 00406825: CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 004068AF
              • GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C2F
              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C4A
                • Part of subcall function 00404DA3: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E44
                • Part of subcall function 00404DA3: wsprintfW.USER32 ref: 00404E4D
                • Part of subcall function 00404DA3: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E60
              Strings
              Similarity
              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
              • String ID: A$C:\Program Files (x86)\IDmelon$Remove folder:
              • API String ID: 2624150263-2023687464
              • Opcode ID: 716f91307e0c0206c4811f73cf3aa40f2f43fcc6cf09981b0470e9a043fb6368
              • Instruction ID: 819d6111372f9eb468737b2dc9595d459319e5efb98401d1644bfd8e85b56d65
              • Opcode Fuzzy Hash: 716f91307e0c0206c4811f73cf3aa40f2f43fcc6cf09981b0470e9a043fb6368
              • Instruction Fuzzy Hash: 14A180B1901208ABDB11EFA5DD45BAFB7B8EF84314F11803BF601B62D1D77C9A418B69
              APIs
              • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040293F
              Similarity
              • API ID: FileFindFirst
              • String ID:
              • API String ID: 1974802433-0
              • Opcode ID: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
              • Instruction ID: 26e9208e2aa2ebd90a7e98889f3239c7d6ed4a815a584e9a2b1206afb1357c73
              • Opcode Fuzzy Hash: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
              • Instruction Fuzzy Hash: D1F08C71A04105AAD700EBE4EE499AEB378EF14324F20017BE112F31E5D7B89E509B2E
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
              • Instruction ID: 02047a1f5ab1e1ae91636e32b2ea393de8a2dfbdc7c3bc720fead707395ef2b6
              • Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
              • Instruction Fuzzy Hash: 74E19A71A0470ADFCB24CF58C890BAABBF5FF44305F15852EE496A72D1E738AA51CB05
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
              • Instruction ID: 0a97e2f3c77d8a3c51360fc4da6bbcda8fc4cde0dfaec3b210e24d05d93e5961
              • Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
              • Instruction Fuzzy Hash: 46C14872E042198BCF18DF68C4905EEB7B2BF88354F25866AD856B7380D734A942CF95
              APIs
              • GetDlgItem.USER32(?,000003F9), ref: 00404F7B
              • GetDlgItem.USER32(?,00000408), ref: 00404F86
              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404FD0
              • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FE7
              • SetWindowLongW.USER32(?,000000FC,00405570), ref: 00405000
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00405014
              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405026
              • SendMessageW.USER32(?,00001109,00000002), ref: 0040503C
              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405048
              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040505A
              • DeleteObject.GDI32(00000000), ref: 0040505D
              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405088
              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405094
              • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040512F
              • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040515F
                • Part of subcall function 0040452B: SendMessageW.USER32(00000028,?,00000001,00404356), ref: 00404539
              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405173
              • GetWindowLongW.USER32(?,000000F0), ref: 004051A1
              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004051AF
              • ShowWindow.USER32(?,00000005), ref: 004051BF
              • SendMessageW.USER32(?,00000419,00000000,?), ref: 004052BA
              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040531F
              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405334
              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405358
              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405378
              • ImageList_Destroy.COMCTL32(?), ref: 0040538D
              • GlobalFree.KERNEL32(?), ref: 0040539D
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405416
              • SendMessageW.USER32(?,00001102,?,?), ref: 004054BF
              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054CE
              • InvalidateRect.USER32(?,00000000,00000001), ref: 004054F9
              • ShowWindow.USER32(?,00000000), ref: 00405547
              • GetDlgItem.USER32(?,000003FE), ref: 00405552
              • ShowWindow.USER32(00000000), ref: 00405559
              Similarity
              • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
              • String ID: $M$N
              • API String ID: 2564846305-813528018
              • Opcode ID: 90cd5b96e7067808b838d0f88060242d92195fc86ed4621a895529849429e476
              • Instruction ID: 2b71226c2ce540754c325362a134889399d6c5c4637dca841463e5b600fa6882
              • Opcode Fuzzy Hash: 90cd5b96e7067808b838d0f88060242d92195fc86ed4621a895529849429e476
              • Instruction Fuzzy Hash: 8802AD70900608AFDF20DFA8DD85AAF7BB5FB45314F10817AE611BA2E1D7798A41CF58
              APIs
              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404753
              • GetDlgItem.USER32(?,000003E8), ref: 00404767
              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404784
              • GetSysColor.USER32(?), ref: 00404795
              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004047A3
              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004047B1
              • lstrlenW.KERNEL32(?), ref: 004047B6
              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047C3
              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047D8
              • GetDlgItem.USER32(?,0000040A), ref: 00404831
              • SendMessageW.USER32(00000000), ref: 00404838
              • GetDlgItem.USER32(?,000003E8), ref: 00404863
              • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004048A6
              • LoadCursorW.USER32(00000000,00007F02), ref: 004048B4
              • SetCursor.USER32(00000000), ref: 004048B7
              • LoadCursorW.USER32(00000000,00007F00), ref: 004048D0
              • SetCursor.USER32(00000000), ref: 004048D3
              • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404902
              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404914
              Similarity
              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
              • String ID: ,F@$N$Remove folder:
              • API String ID: 3103080414-938614624
              • Opcode ID: ffd7346a229d966f7877475afaa511d8b27e78dae7af650fbb9c2f9128a087cb
              • Instruction ID: ccb0ec9a7d9d767aff215416cd1a2e620de701fb5c4a8d8609e67ea5798c0c5e
              • Opcode Fuzzy Hash: ffd7346a229d966f7877475afaa511d8b27e78dae7af650fbb9c2f9128a087cb
              • Instruction Fuzzy Hash: 046192F1900209BFDB10AF64DD85EAA7B69FB84315F00853AFB05B65E0C778A951CF98
              APIs
              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
              • BeginPaint.USER32(?,?), ref: 00401047
              • GetClientRect.USER32(?,?), ref: 0040105B
              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
              • DeleteObject.GDI32(?), ref: 004010ED
              • CreateFontIndirectW.GDI32(?), ref: 00401105
              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
              • SelectObject.GDI32(00000000,?), ref: 00401140
              • DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
              • SelectObject.GDI32(00000000,00000000), ref: 00401160
              • DeleteObject.GDI32(?), ref: 00401165
              • EndPaint.USER32(?,?), ref: 0040116E
              Similarity
              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
              • String ID: F
              • API String ID: 941294808-1304234792
              • Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
              • Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
              • Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
              • Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4
              APIs
              • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406358,?,?), ref: 004061F8
              • GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 00406201
                • Part of subcall function 00405FCC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FDC
                • Part of subcall function 00405FCC: lstrlenA.KERNEL32(00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040600E
              • GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 0040621E
              • wsprintfA.USER32 ref: 0040623C
              • GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406277
              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406286
              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004062BE
              • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 00406314
              • GlobalFree.KERNEL32(00000000), ref: 00406325
              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040632C
                • Part of subcall function 00406067: GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,80000000,00000003), ref: 0040606B
                • Part of subcall function 00406067: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040608D
              Similarity
              • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
              • String ID: %ls=%ls$[Rename]
              • API String ID: 2171350718-461813615
              • Opcode ID: b6131911dca260ac1acd8a9d51529d53a14599eca6d80b74622841643bb82037
              • Instruction ID: 21ba76f912769f78f8e3df01d85e3e27af82f360ac84a16f7af8f01611abcd2b
              • Opcode Fuzzy Hash: b6131911dca260ac1acd8a9d51529d53a14599eca6d80b74622841643bb82037
              • Instruction Fuzzy Hash: 66314330240325BBD2206B659D48F6B3B6CDF45708F16043EFD42B62C2DA3C982486BD
              APIs
              • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00406888
              • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406897
              • CharNextW.USER32(?,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 0040689C
              • CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 004068AF
              Strings
              • "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe", xrefs: 00406869
              • C:\Users\user\AppData\Local\Temp\, xrefs: 00406826
              • *?|<>/":, xrefs: 00406877
              Similarity
              • API ID: Char$Next$Prev
              • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
              • API String ID: 589700163-1652265935
              • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
              • Instruction ID: bedb2e6347f460b6a244a356934bd0223db9426f0f89d28790e15ec7ef568a4f
              • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
              • Instruction Fuzzy Hash: C911B66780221295DB303B148C40A7762A8AF59754F56C43FED86732C0E77C5C9282AD
              APIs
              • GetWindowLongW.USER32(?,000000EB), ref: 0040457A
              • GetSysColor.USER32(00000000), ref: 004045B8
              • SetTextColor.GDI32(?,00000000), ref: 004045C4
              • SetBkMode.GDI32(?,?), ref: 004045D0
              • GetSysColor.USER32(?), ref: 004045E3
              • SetBkColor.GDI32(?,?), ref: 004045F3
              • DeleteObject.GDI32(?), ref: 0040460D
              • CreateBrushIndirect.GDI32(?), ref: 00404617
              Similarity
              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
              • String ID:
              • API String ID: 2320649405-0
              • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
              • Instruction ID: 3bf72a8e0ffa46ee4049c610ab3cabbd6d50cfb344f29d4a8179c655b9565abb
              • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
              • Instruction Fuzzy Hash: 5C2165B1500B04ABC7319F38DE08B577BF4AF41715F04892EEA96A26E0D739D944CB54
              APIs
              • ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
              • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
              • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
              • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1
                • Part of subcall function 00406148: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040615E
              • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D
              Similarity
              • API ID: File$Pointer$ByteCharMultiWide$Read
              • String ID: 9
              • API String ID: 163830602-2366072709
              • Opcode ID: e6852b5c5fbfd8bc876860f3b14f1bcaed0b753dd9a04d4db6e12186382bd870
              • Instruction ID: d1aefac9689752b6b3ea6a4f87dd4281ecbe68d6f3974aa7f4e2ef829afcd0bd
              • Opcode Fuzzy Hash: e6852b5c5fbfd8bc876860f3b14f1bcaed0b753dd9a04d4db6e12186382bd870
              • Instruction Fuzzy Hash: 66510C75D04119AADF20EFD4CA85AAEBBB9FF44304F14817BE501B62D0D7B89D828B58
              APIs
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404ECC
              • GetMessagePos.USER32 ref: 00404ED4
              • ScreenToClient.USER32(?,?), ref: 00404EEE
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404F00
              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F26
              Similarity
              • API ID: Message$Send$ClientScreen
              • String ID: f
              • API String ID: 41195575-1993550816
              • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
              • Instruction ID: fe1e2a7802b6c51c8f018a14413b1ee553013da7dc16083b389f375565560bf3
              • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
              • Instruction Fuzzy Hash: 20015E71900219BADB00DB94DD85BFEBBBCAF95711F10412BBB51B61D0C7B4AA418BA4
              APIs
              • GetDC.USER32(?), ref: 00401E76
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
              • MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
              • ReleaseDC.USER32(?,00000000), ref: 00401EA9
              • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401EF8
              Similarity
              • API ID: CapsCreateDeviceFontIndirectRelease
              • String ID: MS Shell Dlg
              • API String ID: 3808545654-76309092
              • Opcode ID: d16b9d3e65f9976eb005c53eb2d4e9b3ac670e2d85412e8b50a51612330472b7
              • Instruction ID: 32ce691c062fdf7882ca7c79f7dc95dd78c7e40f541a0607bb82830de01dd458
              • Opcode Fuzzy Hash: d16b9d3e65f9976eb005c53eb2d4e9b3ac670e2d85412e8b50a51612330472b7
              • Instruction Fuzzy Hash: 3C017171905250EFE7005BB4EE49BDD3FA4AB19301F208A7AF142B61E2CBB904458BED
              APIs
              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
              • MulDiv.KERNEL32(01F42D36,00000064,01F43F68), ref: 00403001
              • wsprintfW.USER32 ref: 00403011
              • SetWindowTextW.USER32(?,?), ref: 00403021
              • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033
              Strings
              • verifying installer: %d%%, xrefs: 0040300B
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Text$ItemTimerWindowwsprintf
              • String ID: verifying installer: %d%%
              • API String ID: 1451636040-82062127
              • Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
              • Instruction ID: de78d71e2fb772fb87643f85aa6fa794cb5f2d0f129fd79c7e15704eeb750e6f
              • Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
              • Instruction Fuzzy Hash: 85014F71640208BBEF209F60DD49FEE3B79AB04344F008039FA02B51D0DBB996559B59
              APIs
              • GetDlgItem.USER32(?,?), ref: 00401DBF
              • GetClientRect.USER32(?,?), ref: 00401E0A
              • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
              • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
              • DeleteObject.GDI32(00000000), ref: 00401E5E
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
              • String ID:
              • API String ID: 1849352358-0
              • Opcode ID: 81c9bb8771d2fff4a04963bae7b32cf8a9b6882c20dc3426dc9c78dd315e4f46
              • Instruction ID: c57303c31a56d7bc8f2a0c5af16d3cdd50a2ae23bf22298ce01a5789fd7b985b
              • Opcode Fuzzy Hash: 81c9bb8771d2fff4a04963bae7b32cf8a9b6882c20dc3426dc9c78dd315e4f46
              • Instruction Fuzzy Hash: B9211972900119AFCB05DF98DE45AEEBBB5EB08354F14003AFA45F62A0D7789D81DB98
              APIs
              • lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E44
              • wsprintfW.USER32 ref: 00404E4D
              • SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E60
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: ItemTextlstrlenwsprintf
              • String ID: %u.%u%s%s
              • API String ID: 3540041739-3551169577
              • Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
              • Instruction ID: f1ad69e943298bab6ea0b6c220370dbc78873d19d133ff1b34b391d97265b774
              • Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
              • Instruction Fuzzy Hash: 3011EB336041287BDB10566DAC45E9E329CDF85374F250237FE25F21D5E978C92182E8
              APIs
              • CharNextW.USER32(?,?,C:\,?,00405F65,C:\,C:\, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"), ref: 00405EFF
              • CharNextW.USER32(00000000), ref: 00405F04
              • CharNextW.USER32(00000000), ref: 00405F1C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: CharNext
              • String ID: C:\
              • API String ID: 3213498283-3404278061
              • Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
              • Instruction ID: 0a1f1b5a9c7109d9782da40e5c64a20d368bd089a9add51530d5bf68f03dfa04
              • Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
              • Instruction Fuzzy Hash: 98F09062D00A2795DA31B7645C85A7766BCEB593A0B00807BE601B72C0D7BC48818EDA
              APIs
              • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040353F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00405E4C
              • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040353F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00405E56
              • lstrcatW.KERNEL32(?,0040A014), ref: 00405E68
              Strings
              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E46
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: CharPrevlstrcatlstrlen
              • String ID: C:\Users\user\AppData\Local\Temp\
              • API String ID: 2659869361-3936084776
              • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
              • Instruction ID: f2f0f64a112d89f35c11d852d44423d34ca235ab8761dbed5ccf1744ff487032
              • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
              • Instruction Fuzzy Hash: C2D05E31101534AAC6116F54AD04DDB62AC9E46384381483BF541B20A5C778595186FD
              APIs
              • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nstB00.tmp\InstallOptions.dll), ref: 004026BA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: lstrlen
              • String ID: C:\Users\user\AppData\Local\Temp\nstB00.tmp$C:\Users\user\AppData\Local\Temp\nstB00.tmp\InstallOptions.dll
              • API String ID: 1659193697-2477927441
              • Opcode ID: a4ab9620505a7c85356e9c2108c39dfcc9113724b8f7ebba52d5104abcb2633f
              • Instruction ID: 2d8dd356423beb748054ff885628a6ea3dfbd93006732d19d47d72bde2aed11d
              • Opcode Fuzzy Hash: a4ab9620505a7c85356e9c2108c39dfcc9113724b8f7ebba52d5104abcb2633f
              • Instruction Fuzzy Hash: 3C11EB71A00315ABCB106FB19E466AE7761AF40748F21443FF502B71C1EAFD8891676E
              APIs
              • DestroyWindow.USER32(00000000,00000000,0040321C,00000001), ref: 00403051
              • GetTickCount.KERNEL32 ref: 0040306F
              • CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
              • ShowWindow.USER32(00000000,00000005), ref: 0040309A
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Window$CountCreateDestroyDialogParamShowTick
              • String ID:
              • API String ID: 2102729457-0
              • Opcode ID: dba963b85b565a1be4b34eea4ba853e9dad76a83014f6dce089c5eda9641480c
              • Instruction ID: e0f0fd039426b51c9db09d8e0aed7b7b9f53d87474512ec8403aba9b2c913b41
              • Opcode Fuzzy Hash: dba963b85b565a1be4b34eea4ba853e9dad76a83014f6dce089c5eda9641480c
              • Instruction Fuzzy Hash: 93F05470602A21ABC6216F50FE09A9B7B69FB45B12B41043AF545B11ACCB384891CB9D
              APIs
              • IsWindowVisible.USER32(?), ref: 0040559F
              • CallWindowProcW.USER32(?,?,?,?), ref: 004055F0
                • Part of subcall function 00404542: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404554
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Window$CallMessageProcSendVisible
              • String ID:
              • API String ID: 3748168415-3916222277
              • Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
              • Instruction ID: f144bc20a23b2fc1dad06cc698734642626ca736bc3518a3bbd7873959a32aa8
              • Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
              • Instruction Fuzzy Hash: 21017171100608BBDF219F11DD84A9F376BEB84794F204037FA027A1D9C7398D529A69
              APIs
              • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,80000000,00000003), ref: 00405E98
              • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,80000000,00000003), ref: 00405EA8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: CharPrevlstrlen
              • String ID: C:\Users\user\Desktop
              • API String ID: 2709904686-3125694417
              • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
              • Instruction ID: f09b3c5ebc87e5286f4ae90cf2a9e4f9baad7a67d9a69d6c991adc66958b5f71
              • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
              • Instruction Fuzzy Hash: 40D05EB28019209ED3226B04EC0499F73A8EF123107868826E980A61A5D7785D818AEC
              APIs
              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FDC
              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FF4
              • CharNextA.USER32(00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406005
              • lstrlenA.KERNEL32(00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040600E
              Memory Dump Source
              • Source File: 00000000.00000002.2445818549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2445790738.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445847504.0000000000408000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000040A000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000042F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000431000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000435000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.000000000043F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2445873511.0000000000444000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.0000000000449000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2446044133.000000000044B000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: lstrlen$CharNextlstrcmpi
              • String ID:
              • API String ID: 190613189-0
              • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
              • Instruction ID: b896d6fd3cda69cb85c158c7a33f171d68b8f81fed19edc6c2f6f75b2124ada4
              • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
              • Instruction Fuzzy Hash: 64F0F631104418FFC702DFA5DD00D9EBBA8EF45350B2200B9E841FB250D674DE11AB68
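               The function entries above all follow one layout: an APIs list of `Name.MODULE(args), ref: ADDR` lines (plus indented "Part of subcall function" lines), an optional Strings list with xrefs, and a Similarity block keyed by API ID, String ID, API String ID and the two fuzzy hashes. The parser below is an added example written for this page; it is not part of the Joe Sandbox report or the Joe Sandbox IDA plugin. It turns that layout into records so a long listing can be queried instead of read, using three entries copied from the listing above as constructed input (Memory Dump Source lines omitted, since the parser ignores them). Treating `nstXXXX.tmp`, `InstallOptions.dll` and `verifying installer: %d%%` as installer-stub indicators worth pulling out first is my inference from the strings; the report itself does not name the installer framework, and the regex in the usage test is an assumed triage pattern, not one the report supplies.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Dict

# Constructed sample: three entries copied from the report's function listing, trimmed to
# the sections this parser reads. Raw string because the paths contain backslashes.
SAMPLE_LISTING = r"""
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
• MulDiv.KERNEL32(01F42D36,00000064,01F43F68), ref: 00403001
• wsprintfW.USER32 ref: 00403011
• SetWindowTextW.USER32(?,?), ref: 00403021
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033
Strings
• verifying installer: %d%%, xrefs: 0040300B
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
• Instruction Fuzzy Hash: 85014F71640208BBEF209F60DD49FEE3B79AB04344F008039FA02B51D0DBB996559B59
APIs
• IsWindowVisible.USER32(?), ref: 0040559F
• CallWindowProcW.USER32(?,?,?,?), ref: 004055F0
  • Part of subcall function 00404542: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404554
Strings
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Instruction Fuzzy Hash: 21017171100608BBDF219F11DD84A9F376BEB84794F204037FA027A1D9C7398D529A69
APIs
• lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nstB00.tmp\InstallOptions.dll), ref: 004026BA
Strings
Similarity
• API ID: lstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nstB00.tmp$C:\Users\user\AppData\Local\Temp\nstB00.tmp\InstallOptions.dll
• API String ID: 1659193697-2477927441
• Instruction Fuzzy Hash: 3C11EB71A00315ABCB106FB19E466AE7761AF40748F21443FF502B71C1EAFD8891676E
"""

# "Name.MODULE(args), ref: ADDR", "Name.MODULE ref: ADDR", optionally prefixed by the
# "Part of subcall function ADDR: " marker the report uses for callee APIs.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
STRING_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<xref>[0-9A-F]{8})$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                          # address of the call site
    subcall_of: Optional[str] = None  # set when the call lives in a callee function


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, str]] = field(default_factory=list)  # (value, xref)
    similarity: Dict[str, str] = field(default_factory=dict)      # API ID, String ID, hashes


def parse_listing(text: str) -> List[FunctionEntry]:
    """Split the listing into one FunctionEntry per 'Instruction Fuzzy Hash' terminator."""
    entries, cur, section = [], FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("• "):
            section = line            # APIs / Strings / Similarity / Memory Dump Source ...
            continue
        body = line[2:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                raw_args = m.group("args")
                args = [a.strip() for a in raw_args.split(",")] if raw_args else []
                cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                        m.group("ref"), m.group("sub")))
        elif section == "Strings":
            m = STRING_RE.match(body)
            if m:
                cur.strings.append((m.group("value"), m.group("xref")))
        elif section == "Similarity":
            key, _, value = body.partition(":")
            cur.similarity[key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":   # last line of every entry
                entries.append(cur)
                cur = FunctionEntry()
    return entries


def apis_by_module(entries: List[FunctionEntry]) -> Dict[str, set]:
    """Import-style summary: which API names the listing shows per module."""
    out: Dict[str, set] = {}
    for e in entries:
        for a in e.apis:
            out.setdefault(a.module, set()).add(a.name)
    return out


def search_indicators(entries: List[FunctionEntry], pattern: str) -> List[int]:
    """Indexes of entries whose Strings values or String ID match the regex."""
    rx = re.compile(pattern)
    hits = []
    for i, e in enumerate(entries):
        candidates = [s for s, _ in e.strings] + [e.similarity.get("String ID", "")]
        if any(rx.search(c) for c in candidates):
            hits.append(i)
    return hits


def index_by_api_string_id(entries: List[FunctionEntry]) -> Dict[str, FunctionEntry]:
    """Key entries by the report's API String ID so other reports can be cross-referenced."""
    return {e.similarity["API String ID"]: e for e in entries if "API String ID" in e.similarity}
```

The String ID of an entry can carry strings that never appear in its Strings section (the `InstallOptions.dll` entry above is one case), so `search_indicators` looks at both fields. The API String ID index is what makes the "Similarity" block useful: the same pair of hashes in a report on a different sample means the same API-and-string profile for that function.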

              Execution Graph

              Execution Coverage:4.7%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:2.2%
              Total number of Nodes:735
              Total number of Limit Nodes:45
              execution_graph 15247 1400250ee 15256 140019a9c 15247->15256 15249 14001c6a8 _getptd 45 API calls 15250 140025156 15249->15250 15251 14001c6a8 _getptd 45 API calls 15250->15251 15252 140025169 15251->15252 15255 140025143 __CxxFrameHandler 15255->15249 15257 14001c6a8 _getptd 45 API calls 15256->15257 15258 140019aae 15257->15258 15259 140019abc 15258->15259 15271 14001e118 DecodePointer 15258->15271 15261 14001c6a8 _getptd 45 API calls 15259->15261 15263 140019ac1 15261->15263 15262 140019ad8 15265 14001e118 __CxxFrameHandler 50 API calls 15262->15265 15263->15262 15264 140019ae8 15263->15264 15266 14001c6a8 _getptd 45 API calls 15264->15266 15267 140019add 15265->15267 15266->15267 15267->15255 15268 140019a68 15267->15268 15269 14001c6a8 _getptd 45 API calls 15268->15269 15270 140019a76 15269->15270 15270->15255 15272 14001e12d 15271->15272 15275 14001e0f4 15272->15275 15276 14001c6a8 _getptd 45 API calls 15275->15276 15277 14001e0fd 15276->15277 15280 140023d20 15277->15280 15281 140023d30 15280->15281 15283 140023d3a __CxxFrameHandler 15280->15283 15282 14001dbb8 _FF_MSGBANNER 45 API calls 15281->15282 15282->15283 15284 140023d4e 15283->15284 15290 14001e358 15283->15290 15286 140023d57 RtlCaptureContext 15284->15286 15287 140023db6 __CxxFrameHandler 15284->15287 15288 140018830 _FF_MSGBANNER 15286->15288 15289 140023d77 SetUnhandledExceptionFilter UnhandledExceptionFilter 15288->15289 15289->15287 15291 14001e384 15290->15291 15292 14001e3de DecodePointer 15290->15292 15291->15292 15294 14001e42f 15291->15294 15296 14001e3a8 15291->15296 15297 14001e434 __CxxFrameHandler 15292->15297 15295 14001c624 __doserrno 45 API calls 15294->15295 15295->15297 15296->15292 15299 14001e3b7 15296->15299 15298 14001a91c _lock 45 API calls 15297->15298 15301 14001e4d3 15297->15301 15307 14001e3d6 15297->15307 15298->15301 15300 14001b8bc _errno 45 API calls 15299->15300 15302 14001e3bc 15300->15302 15305 14001e525 15301->15305 15308 14001c534 EncodePointer 
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: CloseDelete
              • String ID: AppAffinity$AppDirectory$AppEnvironment$AppEnvironmentExtra$AppKillProcessTree$AppNoConsole$AppParameters$AppPriority$AppRedirectHook$AppRestartDelay$AppRotateBytes$AppRotateBytesHigh$AppRotateDelay$AppRotateFiles$AppRotateOnline$AppRotateSeconds$AppStderr$AppStdin$AppStdout$AppStopMethodConsole$AppStopMethodSkip$AppStopMethodThreads$AppStopMethodWindow$AppThrottle$AppTimestampLog$Application$CopyAndTruncate$CreationDisposition$FlagsAndAttributes$ShareMode
              • API String ID: 453069226-2212462884
              • Opcode ID: d6f40d484542d60e602315e057a830b834a1cf69aa439974fe36276ad11cd41d
              • Instruction ID: 5f1e44c56ca19a9d09426f40c55942bea94d1b5e1f951be96c332341e708dae6
              • Opcode Fuzzy Hash: d6f40d484542d60e602315e057a830b834a1cf69aa439974fe36276ad11cd41d
              • Instruction Fuzzy Hash: 27524AB5214B4281FA66DB27B841BE93361B74D7D8F84512BBF0A076B5DF78CA48C720

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: ConsoleWindow$Process$FileHandleModuleNameOutputPathQuoteSpaces$AllocCtrlCurrentDispatcherErrorLastServiceStartStationThread_snwprintf_s
              • String ID: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe"$%s %s %s %s$2.24-101-g897c7ad$2017-04-26$64-bit$NSSM$continue$dump$edit$get$install$list$pause$processes$remove$reset$restart$rotate$set$start$status$statuscode$stop$unset
              • API String ID: 3367203220-4093838077
              • Opcode ID: 0cc89f18b1057b5a72a2ee583f9768e88b6792957dfbdf81a853be53e10b8232
              • Instruction ID: 475713a89709ce93db3c9404fee735fe112960effc50d923b9116429dcfb75de
              • Opcode Fuzzy Hash: 0cc89f18b1057b5a72a2ee583f9768e88b6792957dfbdf81a853be53e10b8232
              • Instruction Fuzzy Hash: F1E16CB0600A4686FB16FB73F9657E923A1EB497D8F404426BB194B2F6EF78C945C340

              Control-flow Graph

              control_flow_graph 467 140012160-140012173 468 140012182-1400121c0 467->468 469 140012175-140012181 467->469 470 1400121c2-1400121c5 468->470 471 1400121d7 468->471 472 1400121c7-1400121cd 470->472 473 1400121cf-1400121d5 470->473 474 1400121dd-1400121ea 471->474 472->474 473->474 475 1400121ec-140012208 call 140018170 474->475 476 14001220d-14001222b 474->476 475->476 478 140012231-140012246 call 140001140 476->478 479 14001238d-140012390 476->479 486 140012367-140012379 call 140001780 478->486 487 14001224c-140012277 GetProcessHeap HeapAlloc 478->487 481 140012392-140012399 479->481 482 1400123a1-1400123b1 call 140001a60 479->482 481->482 488 1400123b3-1400123b6 482->488 489 1400123bb-1400123ca call 140001ad0 482->489 500 14001237b-140012382 486->500 501 14001235d-140012362 486->501 490 1400122a3-1400122ba call 140018230 487->490 491 140012279-14001229e call 140017f4c call 1400026b0 487->491 493 1400122bc-14001230e ChangeServiceConfigW 488->493 489->493 507 1400123d0-1400123d8 489->507 490->493 508 14001251b-140012548 491->508 503 140012314-14001231c 493->503 504 140012413-14001241b 493->504 500->482 510 140012384-14001238b 500->510 501->508 505 140012337-140012358 GetLastError call 140002430 call 140017f4c call 1400026b0 503->505 506 14001231e-140012331 GetProcessHeap HeapFree 503->506 511 140012436-14001243d 504->511 512 14001241d-140012430 GetProcessHeap HeapFree 504->512 505->501 506->505 516 1400123f3-14001240e call 140017f4c call 1400026b0 507->516 517 1400123da-1400123ed GetProcessHeap HeapFree 507->517 510->482 513 14001245e-14001246a 511->513 514 14001243f-140012458 call 14000f500 511->514 512->511 521 140012471-14001247c call 14000fce0 513->521 522 14001246c-14001246f 513->522 514->501 514->513 516->508 517->516 526 140012481-1400124b0 ChangeServiceConfig2W 521->526 522->521 522->526 530 1400124e2-1400124e5 526->530 531 1400124b2-1400124bb GetLastError 526->531 536 1400124e7-1400124ee call 14000d2d0 530->536 537 140012519 530->537 531->530 
534 1400124bd-1400124dd call 140002430 call 1400025f0 531->534 534->530 540 1400124f3-1400124f5 536->540 537->508 542 140012511-140012514 call 140011130 540->542 543 1400124f7-14001250f call 140017f4c call 1400026b0 540->543 542->537 543->508
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$AllocProcess_snwprintf_s
              • String ID: LocalSystem$canon$edit_service()
              • API String ID: 3659976305-2564672073
              • Opcode ID: c2f84ec46b8393c74ca8ca84993f5637c0292e65ffba0c481b9bd538b89089a5
              • Instruction ID: e3b5c0a1dd0221c7c68a33bde828070b828dc71daee6d23759004c629932d6ba
              • Opcode Fuzzy Hash: c2f84ec46b8393c74ca8ca84993f5637c0292e65ffba0c481b9bd538b89089a5
              • Instruction Fuzzy Hash: ACA17E72204B8192EB26DB22E4443DA73A1F788BD4F444126FB99477A5DF39C965C700

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: FormatHeapMessage$AllocDefaultLangProcessUser_snwprintf_s
              • String ID: system error %lu
              • API String ID: 1301441402-1824642319
              • Opcode ID: aaa1bbfdd9c70fa5ff9d64c30cbb850859592f88a9e14e0967e5c3d2bea55925
              • Instruction ID: 8ac30a1a1620e7ed145e822f26d1194f441ec5727b48fbd65988fd17af8cf97c
              • Opcode Fuzzy Hash: aaa1bbfdd9c70fa5ff9d64c30cbb850859592f88a9e14e0967e5c3d2bea55925
              • Instruction Fuzzy Hash: 60118271614B8182E721DF62F814796B791FB8C7A9F004238AB9943BE4EF3CC5488B00

              Control-flow Graph

              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3fecfab8ebf54e75fb7e5ea40beadd711431b0205b0aaf5941a53d812bb5c10a
              • Instruction ID: 7bc4927bec7be680e73558176a6a3dd42dc0bfe2cbad2d4f784c91d458048ab8
              • Opcode Fuzzy Hash: 3fecfab8ebf54e75fb7e5ea40beadd711431b0205b0aaf5941a53d812bb5c10a
              • Instruction Fuzzy Hash: 02416D71204A8086E766EB22F4453DE73A4FB88BD0F544125FBAE87BA6EF3DC5558700

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Event$Source$CreateDeregisterErrorLastRegisterReport_snwprintf_s
              • String ID: EventMessageFile$NSSM$SYSTEM\CurrentControlSet\Services\EventLog\Application\%s$TypesSupported$create_messages()$eventlog registry
              • API String ID: 3915943028-129066941
              • Opcode ID: 38f3f3b6c8bfc54d669350a2e0a1a664d129324a3bdfb289b21d3487b642f25c
              • Instruction ID: 65ade5d21c82d8a5f2cf4e8821feba2f506391910815b1a365cbf720ff84dd66
              • Opcode Fuzzy Hash: 38f3f3b6c8bfc54d669350a2e0a1a664d129324a3bdfb289b21d3487b642f25c
              • Instruction Fuzzy Hash: 0E416271204B8186E721CB62F4917DA73A5F78C7A4F404315F79947AA8DB3CC509CB00
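The two decompiled functions above describe the host artefacts an NSSM-wrapped service leaves behind: edit_service() sets the binary path and start account through ChangeServiceConfigW / ChangeServiceConfig2W (the "LocalSystem" string is NSSM's default account), and create_messages() registers an event-log source under SYSTEM\CurrentControlSet\Services\EventLog\Application\<service> whose EventMessageFile points at nssm.exe. The PowerShell audit below is an added example, not code from the Joe Sandbox report or from the NSSM project; it assumes a standard Windows host with PowerShell 5.1 or later and an elevated prompt for the registry and signature checks. The nssm.exe path seen in this sample, C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe, is only one possible match; the script reports every service whose binary is any nssm.exe, together with the matching event-log sources, so that wrapper services installed outside normal software deployment stand out.

```powershell
# Added example (not part of the Joe Sandbox report or of NSSM): audit a host
# for services wrapped by nssm.exe and for the event-log sources NSSM registers.
# Read-only; run from an elevated PowerShell prompt.

function Get-NssmServiceFindings {
    $findings = @()

    # 1. Services whose binary path points at an nssm.exe. NSSM's edit_service()
    #    sets this path and the account with ChangeServiceConfigW; the string
    #    "LocalSystem" in the decompiled function is its default account.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName -or $svc.PathName -notmatch 'nssm\.exe') { continue }

        # PathName is either "quoted path" [args] or a bare path [args].
        if ($svc.PathName.StartsWith('"')) { $exe = ($svc.PathName -split '"')[1] } else { $exe = ($svc.PathName -split ' ')[0] }

        $signature = 'missing'
        $sha256    = $null
        if (Test-Path -LiteralPath $exe) {
            $signature = (Get-AuthenticodeSignature -FilePath $exe).Status
            $sha256    = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        }

        $findings += [pscustomobject]@{
            Kind      = 'nssm-wrapped service'
            Name      = $svc.Name
            Path      = $exe
            Account   = $svc.StartName
            StartMode = $svc.StartMode
            State     = $svc.State
            Signature = $signature
            SHA256    = $sha256
        }
    }

    # 2. Event-log sources whose message file is nssm.exe. create_messages()
    #    writes EventMessageFile and TypesSupported under this key using the
    #    service name, so a source here with no matching service is worth a look
    #    (the service may have been removed while the source was left behind).
    $logRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application'
    foreach ($key in Get-ChildItem -Path $logRoot -ErrorAction SilentlyContinue) {
        $props   = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $msgFile = $props.EventMessageFile
        if (-not $msgFile -or $msgFile -notmatch 'nssm\.exe') { continue }

        $findings += [pscustomobject]@{
            Kind      = 'nssm event-log source'
            Name      = $key.PSChildName
            Path      = $msgFile
            Account   = $null
            StartMode = $null
            State     = $null
            Signature = $null
            SHA256    = $null
        }
    }

    return $findings
}

$results = @(Get-NssmServiceFindings)
if ($results.Count -eq 0) {
    Write-Output 'No nssm.exe-wrapped services or NSSM event-log sources found.'
} else {
    $results | Sort-Object Kind, Name | Format-Table -AutoSize
}
```

The signature status and SHA256 columns are there so that a known-good nssm.exe (an unmodified release binary) can be told apart from a tampered or renamed one; compare the hash against the dropped-file hashes in the report's file section rather than against the submitted installer's hash, which covers the whole package. A service that runs as LocalSystem from a user-writable directory deserves the same scrutiny whether or not NSSM is involved.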

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Event$Source$CreateDeregisterErrorLastRegisterReport_snwprintf_s
              • String ID: AppExit$NSSM_REG_EXIT$create_exit_action()
              • API String ID: 3915943028-2079778180
              • Opcode ID: 72daa3fbc5d415ad54047c881a5534a5db6ebd6bceb6f11fdf2c9258942a3b44
              • Instruction ID: ccaac05e6ae8247f9b9043b8869667f207f6f4575daf8edcbf1287825eb9e7ed
              • Opcode Fuzzy Hash: 72daa3fbc5d415ad54047c881a5534a5db6ebd6bceb6f11fdf2c9258942a3b44
              • Instruction Fuzzy Hash: E6415F71208B8186EB61CB62F8857DAB3A5F78C794F440226BB9D43BA9DF78C545CB00

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: DecodePointer$_initterm$ExitProcess_lock
              • String ID:
              • API String ID: 2551688548-0
              • Opcode ID: ec79b0a8b6d411056a24b8aba7a4874d8e85f0765a7b56a25bc0f7be61cd2043
              • Instruction ID: c03ffe64fd4b435e30c5ae8a24083b9de1078ef0a929f37934195ca75bf9864d
              • Opcode Fuzzy Hash: ec79b0a8b6d411056a24b8aba7a4874d8e85f0765a7b56a25bc0f7be61cd2043
              • Instruction Fuzzy Hash: 6F416D31216A9085FA539B17F8443D96295F78C7C4F144429FB4D4B7BAEF3AC992C740

              Control-flow Graph

              APIs
                • Part of subcall function 0000000140010290: GetProcessHeap.KERNEL32(?,?,?,?,?,0000000140004171), ref: 0000000140010296
                • Part of subcall function 0000000140010290: RtlAllocateHeap.NTDLL(?,?,?,?,?,0000000140004171), ref: 00000001400102AA
              • _snwprintf_s.LIBCMT ref: 0000000140013B41
              • _snwprintf_s.LIBCMT ref: 0000000140013BC9
                • Part of subcall function 00000001400026B0: _vfwprintf_p.LIBCMT ref: 00000001400026E1
                • Part of subcall function 00000001400026B0: LocalFree.KERNEL32(?,?,?,00000000,0000000140001065), ref: 00000001400026E9
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap_snwprintf_s$AllocateFreeLocalProcess_vfwprintf_p
              • String ID: pre_install_service()$service
              • API String ID: 1864752748-3337766052
              • Opcode ID: a4fe2850516496a6d6bef16b651254128269590410b47283ba75cfab8d25e80a
              • Instruction ID: 1f3a638b6378999b6819d25118dd32754412a06506d8dd69f99bcf8c10b9a7c2
              • Opcode Fuzzy Hash: a4fe2850516496a6d6bef16b651254128269590410b47283ba75cfab8d25e80a
              • Instruction Fuzzy Hash: 9051C272614A8582EA12EB26E4013DA6365F7487F4F455322BFBA5B7E6DF39C542C300

              Control-flow Graph

              control_flow_graph 711 140019ff0-14001a036 GetStartupInfoA call 14001a34c 714 14001a038-14001a03b 711->714 715 14001a040-14001a059 711->715 716 14001a2bb-14001a2dc 714->716 717 14001a05b-14001a096 715->717 718 14001a09e-14001a0a4 715->718 717->717 721 14001a098 717->721 719 14001a1f3-14001a1f6 718->719 720 14001a0aa-14001a0b2 718->720 723 14001a1f9-14001a20b 719->723 720->719 722 14001a0b8-14001a0d3 720->722 721->718 724 14001a166 722->724 725 14001a0d9 722->725 726 14001a219-14001a241 GetStdHandle 723->726 727 14001a20d-14001a211 723->727 730 14001a16d-14001a173 724->730 728 14001a0e0-14001a0f3 call 14001a34c 725->728 731 14001a243-14001a246 726->731 732 14001a28d-14001a291 726->732 727->726 729 14001a213-14001a217 727->729 745 14001a0f5-14001a112 728->745 746 14001a15e-14001a164 728->746 734 14001a298-14001a2a2 729->734 730->719 735 14001a175-14001a179 730->735 731->732 736 14001a248-14001a254 GetFileType 731->736 732->734 734->723 739 14001a2a8-14001a2b6 SetHandleCount 734->739 740 14001a1e6-14001a1f1 735->740 741 14001a17b-14001a17f 735->741 736->732 737 14001a256-14001a25f 736->737 743 14001a261-14001a265 737->743 744 14001a267-14001a26a 737->744 739->716 740->719 740->735 741->740 742 14001a181-14001a186 741->742 742->740 747 14001a188-14001a18d 742->747 748 14001a270-14001a281 call 14001e5e4 743->748 744->748 749 14001a26c 744->749 750 14001a114-14001a14d 745->750 751 14001a155-14001a15a 745->751 746->730 752 14001a19d-14001a1d5 call 14001e5e4 747->752 753 14001a18f-14001a19b GetFileType 747->753 760 14001a283-14001a286 748->760 761 14001a288-14001a28b 748->761 749->748 750->750 755 14001a14f 750->755 751->728 756 14001a15c 751->756 762 14001a1d7-14001a1dc 752->762 763 14001a1de-14001a1e1 752->763 753->740 753->752 755->751 756->730 760->734 761->716 762->740 763->716
              APIs
              • GetStartupInfoA.KERNEL32 ref: 000000014001A015
                • Part of subcall function 000000014001A34C: Sleep.KERNEL32(?,?,?,000000014001C657,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A391
              • GetFileType.KERNEL32 ref: 000000014001A192
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: FileInfoSleepStartupType
              • String ID:
              • API String ID: 1527402494-0
              • Opcode ID: 5b4f25ddc331ad848b09e89fc693490d3fec4779a9e2ba7ae0bc686f3b222f91
              • Instruction ID: 7a3fca090f6ba9f5ab9e1a2497757437a20a6ef231ed88d5b265d648ccddedd5
              • Opcode Fuzzy Hash: 5b4f25ddc331ad848b09e89fc693490d3fec4779a9e2ba7ae0bc686f3b222f91
              • Instruction Fuzzy Hash: 3F916F31604A8085E7528B2AD84879937A5F30B7F4F658B25EB794B3F1DB7EC886C311

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: CommandInitializeLine_cinit
              • String ID:
              • API String ID: 2063639010-0
              • Opcode ID: ecf82f526bca1e36555f0eff5cfb9770f1d094e6865a6b65b2518921b59a087b
              • Instruction ID: 49bd52d0a6cb84c4fc261c0c752a8ca64d3d73b004f0ff5055fbb52a34e6a74c
              • Opcode Fuzzy Hash: ecf82f526bca1e36555f0eff5cfb9770f1d094e6865a6b65b2518921b59a087b
              • Instruction Fuzzy Hash: 6B41113160474186F763ABA7A4913E932A1AB9D3C4F54043DBB458F2F7DB3AC941C711

              Control-flow Graph

              control_flow_graph 826 140010290-1400102b6 GetProcessHeap RtlAllocateHeap 827 1400102b8-1400102db call 1400025f0 826->827 828 1400102de-1400102e3 826->828 827->828
              APIs
              • GetProcessHeap.KERNEL32(?,?,?,?,?,0000000140004171), ref: 0000000140010296
              • RtlAllocateHeap.NTDLL(?,?,?,?,?,0000000140004171), ref: 00000001400102AA
                • Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
                • Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
                • Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Event$HeapSource$AllocateDeregisterProcessRegisterReport
              • String ID: alloc_nssm_service()$service
              • API String ID: 3449932736-2157636798
              • Opcode ID: 340dcb3ea64f2eaa611f07df5ba2ae7dbefa44cddf1a4083a5f2c707a3498489
              • Instruction ID: 68c9e48bc270ec39d5ec3dc1802da48655ef9d9f8276d5f31e599d5297850325
              • Opcode Fuzzy Hash: 340dcb3ea64f2eaa611f07df5ba2ae7dbefa44cddf1a4083a5f2c707a3498489
              • Instruction Fuzzy Hash: 5EE0D834611B9982FF029F62A4143DA6390A74D784F480029EE894B375EF3CC9498B00

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: ConsoleProcessWindow$CurrentFreeThread
              • String ID:
              • API String ID: 3525601419-0
              • Opcode ID: 29e15103fe5f831a4dd6db545d7f1efa3da3bd332465f4f0af65380b46d4571c
              • Instruction ID: 8be19064b400df3bdc88df37d5e9ee8f6c9001a69cbb9b9d9eb637b770bdfd16
              • Opcode Fuzzy Hash: 29e15103fe5f831a4dd6db545d7f1efa3da3bd332465f4f0af65380b46d4571c
              • Instruction Fuzzy Hash: 9CE0E675A11581D3EE56AF23B8453D923A0BB9CB81FC45019F7464B674EF3CD9498710

              Control-flow Graph

              control_flow_graph 837 14000b770-14000b796 838 14000b798-14000b7c6 RegCreateKeyExW 837->838 839 14000b7cd-14000b7ec RegOpenKeyExW 837->839 840 14000b827-14000b843 838->840 841 14000b7c8-14000b7cb 838->841 839->840 842 14000b7ee-14000b7f6 839->842 843 14000b7fd-14000b822 GetLastError call 140002430 call 1400025f0 841->843 842->843 844 14000b7f8-14000b7fb 842->844 843->840 844->840 844->843
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: CreateErrorLastOpen
              • String ID:
              • API String ID: 2883820896-0
              • Opcode ID: 426f83eaa0c046e117805a459ac9e79b35227a8f246da0bf843b4684c48776b8
              • Instruction ID: 07820c114393a1c3651ebc684bf4408ed366b49354d521bc99e9e45516614059
              • Opcode Fuzzy Hash: 426f83eaa0c046e117805a459ac9e79b35227a8f246da0bf843b4684c48776b8
              • Instruction Fuzzy Hash: 6E21A176600B4186E761CF6BB89476A72A5F788BD4F584234EF88437B5CF38C811C704

              Control-flow Graph

              control_flow_graph 848 14000ee10-14000ee29 OpenSCManagerW 849 14000ee4a-14000ee4e 848->849 850 14000ee2b-14000ee31 848->850 851 14000ee33-14000ee43 call 1400025f0 850->851 852 14000ee48 850->852 851->852 852->849
              APIs
              • OpenSCManagerW.ADVAPI32(?,?,?,?,00000001400133C9), ref: 000000014000EE20
                • Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
                • Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
                • Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Event$Source$DeregisterManagerOpenRegisterReport
              • String ID: ServicesActive
              • API String ID: 2921005559-3071072050
              • Opcode ID: f8b1cc4c245f662c5fbfc86ec2cd82fe25e88d529c2b183d9024c7d0f0ce16cb
              • Instruction ID: 7bf288e408de665aed5aeb23dc28e3206f15ed75b00312d32a24d07a7a484b57
              • Opcode Fuzzy Hash: f8b1cc4c245f662c5fbfc86ec2cd82fe25e88d529c2b183d9024c7d0f0ce16cb
              • Instruction Fuzzy Hash: 19E0C2F07116D041FBAB9733A8957E91191530E380F88142EB6091B2E1E53DC4895700
              APIs
              • GetEnvironmentStringsW.KERNEL32(?,?,00000001,0000000140019F3F), ref: 000000014002056C
              • FreeEnvironmentStringsW.KERNEL32(?,?,00000001,0000000140019F3F), ref: 00000001400205C3
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: EnvironmentStrings$Free
              • String ID:
              • API String ID: 3328510275-0
              • Opcode ID: 52b48ba027309c268b512042e826b0040b0b68e810d38ab844d28889a68a6781
              • Instruction ID: 27a3e792f96817a0e8cf10094a7cce5f9e20a5dc5851357d12ae0bf73b465cf9
              • Opcode Fuzzy Hash: 52b48ba027309c268b512042e826b0040b0b68e810d38ab844d28889a68a6781
              • Instruction Fuzzy Hash: 82018B32705B5085EE616F63A55539B67A0E74CFC0F4C8425FF49077A6EA3CC9C18740

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: ErrorLastValue
              • String ID:
              • API String ID: 1151882462-0
              • Opcode ID: f126e78fb2dcacfabb8a301fae63ef6e246f4beabb4efec4ad6e6b4439e68fb8
              • Instruction ID: 83cb7a815068fcf4ab2de7cbf73c3f9a6832888872b2b956c7e89c07b6edc9bc
              • Opcode Fuzzy Hash: f126e78fb2dcacfabb8a301fae63ef6e246f4beabb4efec4ad6e6b4439e68fb8
              • Instruction Fuzzy Hash: 93012B7170468042E7118B3AF450B9BA260F789BF8F584324FFAA43BE5DA3CC9414700
              APIs
                • Part of subcall function 0000000140002530: GetUserDefaultLangID.KERNELBASE(?,?,?,?,?,?,00000000,00000001400026CE,?,?,?,00000000,0000000140001065), ref: 0000000140002538
                • Part of subcall function 0000000140002530: FormatMessageW.KERNELBASE ref: 0000000140002567
                • Part of subcall function 0000000140002530: FormatMessageW.KERNEL32 ref: 0000000140002599
                • Part of subcall function 0000000140002530: GetProcessHeap.KERNEL32 ref: 00000001400025A3
                • Part of subcall function 0000000140002530: HeapAlloc.KERNEL32 ref: 00000001400025B2
                • Part of subcall function 0000000140002530: _snwprintf_s.LIBCMT ref: 00000001400025D4
              • _vfwprintf_p.LIBCMT ref: 00000001400026E1
              • LocalFree.KERNEL32(?,?,?,00000000,0000000140001065), ref: 00000001400026E9
              Similarity
              • API ID: FormatHeapMessage$AllocDefaultFreeLangLocalProcessUser_snwprintf_s_vfwprintf_p
              • String ID:
              • API String ID: 2711435474-0
              Similarity
              • API ID: Heap$CreateInformation
              • String ID:
              • API String ID: 1774340351-0
              APIs
              • malloc.LIBCMT ref: 000000014001A2FF
                • Part of subcall function 00000001400206EC: _FF_MSGBANNER.LIBCMT ref: 000000014002071C
                • Part of subcall function 00000001400206EC: RtlAllocateHeap.NTDLL(?,?,00000000,000000014001A304,?,?,00000000,000000014001A895,?,?,00000000,000000014001A93F), ref: 0000000140020741
                • Part of subcall function 00000001400206EC: _errno.LIBCMT ref: 0000000140020765
                • Part of subcall function 00000001400206EC: _errno.LIBCMT ref: 0000000140020770
              • Sleep.KERNEL32(?,?,00000000,000000014001A895,?,?,00000000,000000014001A93F,?,?,?,?,?,?,00000000,000000014001C67C), ref: 000000014001A316
              Similarity
              • API ID: _errno$AllocateHeapSleepmalloc
              • String ID:
              • API String ID: 4275769124-0
              Similarity
              • API ID: EnvironmentVariable$_snwprintf_s$Event$HeapProcessSourceTime$AllocCriticalCurrentDeregisterEnterFileRegisterReportSectionSystem
              • String ID: "%s" %s$%lu$%s (%s/%s)$2.24-101-g897c7ad$2017-04-26$64-bit$NSSM_ACTION$NSSM_APPLICATION_PID$NSSM_APPLICATION_RUNTIME$NSSM_BUILD_DATE$NSSM_COMMAND_LINE$NSSM_CONFIGURATION$NSSM_DEADLINE$NSSM_EVENT$NSSM_EXE$NSSM_EXITCODE$NSSM_EXIT_COUNT$NSSM_HOOK_VERSION$NSSM_LAST_CONTROL$NSSM_PID$NSSM_RUNTIME$NSSM_SERVICE_DISPLAYNAME$NSSM_SERVICE_NAME$NSSM_START_COUNT$NSSM_START_REQUESTED_COUNT$NSSM_THROTTLE_COUNT$NSSM_TRIGGER$NSSM_VERSION$Pre$Start$h$hook$nssm_hook$nssm_hook()
              • API String ID: 1580475628-2341226502
              APIs
              • RegCloseKey.ADVAPI32(00000003,00000000,?,00000003,00000000,0000000140010A23), ref: 000000014000DE27
              Similarity
              • API ID: Close
              • String ID: AppAffinity$AppDirectory$AppEnvironment$AppEnvironmentExtra$AppKillProcessTree$AppNoConsole$AppParameters$AppPriority$AppRedirectHook$AppRestartDelay$AppRotateBytes$AppRotateBytesHigh$AppRotateDelay$AppRotateFiles$AppRotateOnline$AppRotateSeconds$AppStopMethodConsole$AppStopMethodSkip$AppStopMethodThreads$AppStopMethodWindow$AppThrottle$AppTimestampLog$Application$NSSM
              • API String ID: 3535843008-3506916582
              Similarity
              • API ID: Heap$Free$Process$ErrorLastOpenService$ChangeCloseConfigHandleLocalManager_vfwprintf_p
              • String ID: %s: %s$%s: %s$%s\%s: %s$List$SYSTEM\CurrentControlSet\Control\ServiceGroupOrder$groups$set_service_dependencies()
              • API String ID: 717911963-3133791794
              Similarity
              • API ID:
              • String ID: N$"%s" %s$%lu$E$Post$Pre$Start$command line$h$start_service
              • API String ID: 0-2674916716
              Similarity
              • API ID: Message$Send$Item$EnvironmentFormatHeapTextVariable_snwprintf_s$AllocDefaultLangProcessUser
              • String ID: Change$NSSM_HOOK_%s_%s$Post$Pre$Resume
              • API String ID: 2959201675-3454526459
              Similarity
              • API ID: __doserrno_errno
              • String ID: U
              • API String ID: 921712934-4171548499
              Similarity
              • API ID: File$ErrorHandleInformationLastTextUnicodeWrite
              • String ID: CopyFile()$MoveFile()
              • API String ID: 3620008457-2845297855
              Similarity
              • API ID: Heap$ErrorLast$Process$FreeService$EnumNameServicesStatus$AllocDisplayOpen_snwprintf_s
              • String ID: ENUM_SERVICE_STATUS_PROCESS$canonical_name$open_service()
              • API String ID: 2015548786-1539203807
              APIs
              • LoadLibraryA.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023AC5
              • GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023AE1
              • GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023B09
              • EncodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023B12
              • GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023B28
              • EncodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023B31
              • GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023B47
              • EncodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023B50
              • GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023B6E
              • EncodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023B77
              • DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023BA9
              • DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023BB8
              • DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023C10
              • DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023C30
              • DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023C49
              Similarity
              • API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
              • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
              • API String ID: 3085332118-232180764
              Similarity
              • API ID: ErrorHeapLast$EnumFreeProcessServicesStatus$AllocLocal_snwprintf_s_vfwprintf_p
              • String ID: %s$ENUM_SERVICE_STATUS_PROCESS$all$list_nssm_services()$nssm_service_t
              • API String ID: 1638472356-4196503671
              Similarity
              • API ID: File$Time$System$Handle$CloseErrorLast$CompareCopyCreateInformationMovePointerSleep
              • String ID: CopyFile()$CreateFile()$MoveFile()
              • API String ID: 3228394015-381917562
              APIs
                • Part of subcall function 0000000140009FB0: GetConsoleWindow.KERNEL32 ref: 0000000140009FB8
                • Part of subcall function 0000000140009FB0: GetStdHandle.KERNEL32 ref: 0000000140009FC8
                • Part of subcall function 0000000140009FB0: GetProcessWindowStation.USER32 ref: 0000000140009FD3
                • Part of subcall function 0000000140002430: TlsGetValue.KERNEL32 ref: 0000000140002442
                • Part of subcall function 0000000140002430: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002458
              • CloseServiceHandle.ADVAPI32 ref: 000000014001296C
                • Part of subcall function 0000000140002430: TlsSetValue.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002481
                • Part of subcall function 0000000140002430: GetUserDefaultLangID.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002487
                • Part of subcall function 0000000140002430: FormatMessageW.KERNEL32 ref: 00000001400024B1
                • Part of subcall function 0000000140002430: FormatMessageW.KERNEL32 ref: 00000001400024DE
                • Part of subcall function 0000000140002430: _snwprintf_s.LIBCMT ref: 00000001400024FF
              Similarity
              • API ID: FormatHandleMessageValueWindow_errno$AllocCloseConsoleDefaultLangLocalProcessServiceStationUser_snwprintf_s
              • String ID: %s$%s: %s$%s: %s: %s$AppThrottle
              • API String ID: 3091485450-1444196156
              Similarity
              • API ID: Service$ErrorEventLast$CreateCriticalHeapInitializeProcessRegisterSectionSource$AllocAllocateCloseCtrlCurrentDeregisterDisplayHandleHandlerLocalNameReportSleepStatusThreadTimerValueWaitable_snwprintf_s
              • String ID: NSSM$debug$service->name$service_main()
              • API String ID: 1666988295-3121758583
              Similarity
              • API ID: String$free$ByteCharMultiWidemalloc$ErrorLast
              • String ID:
              • API String ID: 1837315383-0
              • Opcode ID: bcf4e56cdb41816d9ab4cf6d17006c74b5e0cdac7c2592137a90cf9d59c2fbdf
              • Instruction ID: d87029fe98a7cd502051614993c32973fbf8f1b99cdc22530c100499747c406a
              • Opcode Fuzzy Hash: bcf4e56cdb41816d9ab4cf6d17006c74b5e0cdac7c2592137a90cf9d59c2fbdf
              • Instruction Fuzzy Hash: 54F1B1326006808AEB628F66D8407DD77E1F79CBE8F544629FB5A57BE8DB38CD418700
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$FreeProcess$AllocCommandExecuteLineLocalShell_snwprintf_s_vfwprintf_p
              • String ID: "$GetCommandLine()$elevate()$p$runas
              • API String ID: 568333785-2664397508
              • Opcode ID: 783b1db419e6da8296bc21220930b56356767060dd0a3c5355d5f8fa1b9bd47e
              • Instruction ID: 2077ac3bbf38e24c34af6bbde4a8a7d20c8c22cec92f61cf467793f99d6e06a8
              • Opcode Fuzzy Hash: 783b1db419e6da8296bc21220930b56356767060dd0a3c5355d5f8fa1b9bd47e
              • Instruction Fuzzy Hash: 96315C71615B9582E7129B22B8047EA33A1F7897E4F404229FB69437E9DF3DC905C740
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: ThreadToken$AdjustCurrentOpenPrivileges$CloseErrorHandleImpersonateLastLookupPrivilegeSelfValue
              • String ID: SeDebugPrivilege
              • API String ID: 2095247420-2896544425
              • Opcode ID: 3e7152db20e3f8e3e4ac19a98164bd4134ace9dbb4197a0a704cf1b4ed9552ec
              • Instruction ID: 1f60dc984ff7cd1ee9279a057587273100a33775c52be9d20afd9c1c22f79b8e
              • Opcode Fuzzy Hash: 3e7152db20e3f8e3e4ac19a98164bd4134ace9dbb4197a0a704cf1b4ed9552ec
              • Instruction Fuzzy Hash: 42310672608B8482EB51DF26F44478AB7A0F789B94F400219F78A43AB8DF3CD549CB40
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Event$ErrorLastSource$AllocCloseCreateDeregisterHandleLocalRegisterReportSnapshotToolhelp32Value
              • String ID:
              • API String ID: 3638057332-0
              • Opcode ID: 736b111b100a646399828fc1beca10fc05defdbe9cab0c2b345cb83a7c5a2b91
              • Instruction ID: d4a25d63226701a5820217a3ec4a756d52cdc905e9f9b02ee8c88e4c8cc5a9cb
              • Opcode Fuzzy Hash: 736b111b100a646399828fc1beca10fc05defdbe9cab0c2b345cb83a7c5a2b91
              • Instruction Fuzzy Hash: 7F417E7261468086E781DB36F54079A77A1E78DBD4F400229FB9A97BA9EF3CC841CB40
              APIs
              • GetModuleFileNameA.KERNEL32(?,?,?,?,?,000000014001DE14,?,?,?,?,0000000140020721,?,?,00000000,000000014001A304), ref: 000000014001DC7B
              • GetStdHandle.KERNEL32(?,?,?,?,?,000000014001DE14,?,?,?,?,0000000140020721,?,?,00000000,000000014001A304), ref: 000000014001DD87
              • WriteFile.KERNEL32 ref: 000000014001DDC1
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: File$HandleModuleNameWrite
              • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
              • API String ID: 3784150691-4022980321
              • Opcode ID: 76b32cf82c17dd4405aab22500cf80e41e04892a9192f50629b7580b2b5dfafe
              • Instruction ID: 4619fa3bf99482af2e3b2e7abf25445da3b72f923f0fd6b82687fc6d9c2ecd06
              • Opcode Fuzzy Hash: 76b32cf82c17dd4405aab22500cf80e41e04892a9192f50629b7580b2b5dfafe
              • Instruction Fuzzy Hash: C351FD31310A8242FB26DBA7E9557EA3252B79C7C8F54462ABF494BAF6CF3DC544C200
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
              • String ID:
              • API String ID: 3778485334-0
              • Opcode ID: 2c73cabdacd67ecc1ab47cb5ea7a511d34c178d29615d86a7b68e056a520e744
              • Instruction ID: 68ad1d73d9e93cc6001284d5fa1a39834dd5386839cfa0cf077785c591060cfe
              • Opcode Fuzzy Hash: 2c73cabdacd67ecc1ab47cb5ea7a511d34c178d29615d86a7b68e056a520e744
              • Instruction Fuzzy Hash: B231F231105F808AEB629B62F8543DA73A1F78C3D4F60452AEB8E43B75DF38C4948B00
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: _errno$ByteCharErrorLastMultiWide
              • String ID:
              • API String ID: 3895584640-0
              • Opcode ID: de36e9be98680906f13d6fdec89071b2ed5335f68037e9720c0431ee17c4b1d6
              • Instruction ID: c1f587e2613b7e2320280e204ff58a8efa348b9f757dde8eac3d56b3eb560925
              • Opcode Fuzzy Hash: de36e9be98680906f13d6fdec89071b2ed5335f68037e9720c0431ee17c4b1d6
              • Instruction Fuzzy Hash: D35186726047C04AF7729F66E0503EEB790E3897D0F588119F79947AE5DE78CC818B16
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
              • String ID:
              • API String ID: 1269745586-0
              • Opcode ID: db0e8556fbde31411f20dd6a3de043652d6dc213d7a28bc9c9def38311efb816
              • Instruction ID: dbf51be08b14eccf182f8a2a6019e3681ceeefd0d48998f919ae06a8e142e91c
              • Opcode Fuzzy Hash: db0e8556fbde31411f20dd6a3de043652d6dc213d7a28bc9c9def38311efb816
              • Instruction Fuzzy Hash: 0A314972208B8182EB259B66F4443DAB3A4F79C784F500129ABCD43AA9EF7CC548CF00
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Resource$Find$CreateDefaultDialogErrorIndirectLangLastLoadParamUser
              • String ID:
              • API String ID: 940021595-0
              • Opcode ID: fed401cc8e8f5612569b6891206cde108573bd67a878dd979692201b7d3e6802
              • Instruction ID: 9944d1bd91ac6ef74c3327299d60d6f918d01a8079eaa409e9ba49cf5d91b016
              • Opcode Fuzzy Hash: fed401cc8e8f5612569b6891206cde108573bd67a878dd979692201b7d3e6802
              • Instruction Fuzzy Hash: F601887570578082EB165B63B80479AA360BB4CFC0F18843DAF89437B4DF3CD8418750
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: _errno$DecodePointer
              • String ID:
              • API String ID: 2310398763-0
              • Opcode ID: 9931ccc4ea3a3858abefdf71ca0561b1e710505d0c46915268689c3ffa0de49b
              • Instruction ID: 44ef4eb01c81118c6643f99bc6a2e946d05f9bc6aed31f978ef6c775e81dc10f
              • Opcode Fuzzy Hash: 9931ccc4ea3a3858abefdf71ca0561b1e710505d0c46915268689c3ffa0de49b
              • Instruction Fuzzy Hash: 1631E332B1065442F3279B3BA5827EE6552A78C794F588219FB250FBFACF3AC441C700
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: AllocateCheckFreeInitializeMembershipToken
              • String ID:
              • API String ID: 3429775523-0
              • Opcode ID: 3be228cc09c29312831331bff11f0d4ef4207261988248bd0618be56e79fc0d1
              • Instruction ID: 48eee273634d74207520e7cdaf30b75688e279164638d9c4aace6fd17198c53c
              • Opcode Fuzzy Hash: 3be228cc09c29312831331bff11f0d4ef4207261988248bd0618be56e79fc0d1
              • Instruction Fuzzy Hash: 1211F872618B808AE752CB26F45434BBBE0F399784F54005AE7C987B69DB3DD109CF40
              APIs
              • RtlCaptureContext.KERNEL32 ref: 0000000140023D5F
              • SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140023DA5
              • UnhandledExceptionFilter.KERNEL32 ref: 0000000140023DB0
                • Part of subcall function 000000014001DBB8: GetModuleFileNameA.KERNEL32(?,?,?,?,?,000000014001DE14,?,?,?,?,0000000140020721,?,?,00000000,000000014001A304), ref: 000000014001DC7B
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
              • String ID:
              • API String ID: 2731829486-0
              • Opcode ID: 1772c0e6350e5a06dade1ac13ce35099e640e8ea5e04fc13367c51db8d1894a0
              • Instruction ID: 46ba363e4b0eae91f713770cd299bb224122c89c83ee0360e1bb8fbde21d07a9
              • Opcode Fuzzy Hash: 1772c0e6350e5a06dade1ac13ce35099e640e8ea5e04fc13367c51db8d1894a0
              • Instruction Fuzzy Hash: DD014C35214A8481F6669762F4543DA73A1FB8D385F440129BB8E0BAFADF3DC905CB11
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: InfoLocale
              • String ID:
              • API String ID: 2299586839-0
              • Opcode ID: 06faa0f0bb2dc971177e39b3f6ed31a2957b8d98190a0f00278e0934fa454d68
              • Instruction ID: b5e575d4c44cd20b866f75d5ef2225df689e7b31d630515f6afed79aa59475fa
              • Opcode Fuzzy Hash: 06faa0f0bb2dc971177e39b3f6ed31a2957b8d98190a0f00278e0934fa454d68
              • Instruction Fuzzy Hash: 36E06D31618A8085FB32D722E4513CA2750A79D798F800216FB8D476F5DE3CC6098B00
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 114d92dcbf7d2c8af530ca3185321c199e066624115f7fe8c2d49beb1dc33ef1
              • Instruction ID: a7c7f3dcdb102532dc9973edfc0c04c9e05a3ec38676fa0d26270a69678edde2
              • Opcode Fuzzy Hash: 114d92dcbf7d2c8af530ca3185321c199e066624115f7fe8c2d49beb1dc33ef1
              • Instruction Fuzzy Hash: E7B01230B12840C1D705AB33EC863C012A07F5C340FD00858D20DC2131EA3C89EBC700
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Free$HeapMemory$Process$Authority$AllocClose$ComputerErrorIdentifierInitializeLastLocalName_vfwprintf_p
              • String ID: %s\%s$LSA_UNICODE_STRING$NT Service\$SID$expanded$username_sid$username_sid()
              • API String ID: 69952446-4149950637
              • Opcode ID: 92efc2b86d5c6147075e5e9320d55aa18b01e5cf5b5004848248b986e7ef1e03
              • Instruction ID: 50195b4bb22f38393f53dc6e2ddd160500ea8e110de682d4c5e502559bc3d69a
              • Opcode Fuzzy Hash: 92efc2b86d5c6147075e5e9320d55aa18b01e5cf5b5004848248b986e7ef1e03
              • Instruction Fuzzy Hash: 53E14E75204A8082EA12EB63E4507DA67A1FBCDBD4F444125FB4E477BADF39C946C700
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: free$ErrorFreeHeapLast_errno
              • String ID:
              • API String ID: 1012874770-0
              • Opcode ID: 0b0a0ae3fdfc1ed0fa13838e4ad93de12d14e6b930d1803b0b0efe21a5381680
              • Instruction ID: 8d2492f42c3375f3df4473a04d93de8bff90f0277a39e01c48f8c640fe808fed
              • Opcode Fuzzy Hash: 0b0a0ae3fdfc1ed0fa13838e4ad93de12d14e6b930d1803b0b0efe21a5381680
              • Instruction Fuzzy Hash: 59417432A1158883FA57BB77C8563EC1320ABCAB84F444231BB5D6F6B7CEB5C8459360
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: CloseErrorHandleLast$Event_snwprintf_s$NextProcessProcess32Source$AllocCodeCreateDeregisterExitLocalOpenRegisterReportSnapshotToolhelp32Value
              • String ID: %lu$AppStopMethodSkip$NSSM
              • API String ID: 3491791553-153837258
              • Opcode ID: 0c7385911431ca271a527a88f3baef0bf870f7267b49319b7ae97b48872975ef
              • Instruction ID: 228514648ff0bd046f16d9da10956bf1708be2c3e3f6d233c5a9c556325b648d
              • Opcode Fuzzy Hash: 0c7385911431ca271a527a88f3baef0bf870f7267b49319b7ae97b48872975ef
              • Instruction Fuzzy Hash: 33B149B1204B8486EB25DB62E4543DA73A0F78DBD8F800215FB99477AADF3DCA058B41
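The Similarity entries above are the raw material behind several of the report's signatures: the ShellExecute function with the "elevate()" and "runas" strings ("launch a program with higher privileges"), the token function with "SeDebugPrivilege" ("Enables debug privileges"), the LookupAccountName/SID function with "NT Service\" (service SIDs), and the Toolhelp32/Process32Next function with "AppStopMethodSkip" (process-tree walk when stopping a service). As an added example, not part of the Joe Sandbox report and not NSSM's own code, here is a Python triage script that parses Similarity blocks in this text layout and flags which functions combine the API fragments and string tokens that indicate those capabilities. It assumes (my reading of the report format, not documented on this page) that the API ID field is a list of '$'-separated groups of concatenated API-name fragments and that the String ID field is a '$'-separated list of string tokens; the rule names and the fragment combinations are my own, and the sample text is constructed by copying four entries from this report plus one CRT entry as a negative control.

```python
"""Capability triage over Joe Sandbox 'Similarity' entries (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: four entries copied from this report plus the CRT
# "Runtime Error" entry, which should match no rule.
SAMPLE = r"""
Similarity
• API ID: Heap$FreeProcess$AllocCommandExecuteLineLocalShell_snwprintf_s_vfwprintf_p
• String ID: "$GetCommandLine()$elevate()$p$runas
• API String ID: 568333785-2664397508
Similarity
• API ID: ThreadToken$AdjustCurrentOpenPrivileges$CloseErrorHandleImpersonateLastLookupPrivilegeSelfValue
• String ID: SeDebugPrivilege
• API String ID: 2095247420-2896544425
Similarity
• API ID: File$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 3784150691-4022980321
Similarity
• API ID: Free$HeapMemory$Process$Authority$AllocClose$ComputerErrorIdentifierInitializeLastLocalName_vfwprintf_p
• String ID: %s\%s$LSA_UNICODE_STRING$NT Service\$SID$expanded$username_sid$username_sid()
• API String ID: 69952446-4149950637
Similarity
• API ID: CloseErrorHandleLast$Event_snwprintf_s$NextProcessProcess32Source$AllocCodeCreateDeregisterExitLocalOpenRegisterReportSnapshotToolhelp32Value
• String ID: %lu$AppStopMethodSkip$NSSM
• API String ID: 3491791553-153837258
"""


@dataclass(frozen=True)
class Entry:
    api_string_id: str       # the report's "API String ID" (used as the function key)
    api_fragments: str       # "API ID" with the '$' group separators removed
    strings: frozenset       # "String ID" split on '$'


_FIELD = re.compile(r"^\s*•\s*(API ID|String ID|API String ID):[ \t]*(.*)$", re.M)
_BLOCK = re.compile(r"^[ \t]*Similarity[ \t]*$", re.M)


def parse_entries(text: str) -> list:
    """Split the text into Similarity blocks and pull the three ID fields of each."""
    entries = []
    for chunk in _BLOCK.split(text)[1:]:          # text before the first header is ignored
        fields = {k: v.strip() for k, v in _FIELD.findall(chunk)}
        if "API String ID" not in fields:         # truncated block, nothing to key on
            continue
        strings = frozenset(t for t in fields.get("String ID", "").split("$") if t)
        entries.append(Entry(fields["API String ID"],
                             fields.get("API ID", "").replace("$", ""),
                             strings))
    return entries


# Rule = required API-name fragments (substring match) + required exact string tokens.
# Fragments alone are weak evidence because the concatenated names overlap
# ("Process", "Close", "Error" appear almost everywhere); each rule therefore
# combines several fragments, and a string token where the report offers one.
RULES = {
    "uac-elevation-via-runas": (("Shell", "Execute"), ("runas",)),
    "enables-SeDebugPrivilege": (("Token", "Adjust", "Privileges"), ("SeDebugPrivilege",)),
    "service-sid-lookup": (("Authority", "Identifier"), ("NT Service\\",)),
    "process-tree-walk": (("Toolhelp32", "Process32"), ()),
}


def classify(entry: Entry) -> list:
    """Return the names of all rules whose fragments and strings the entry satisfies."""
    hits = []
    for name, (fragments, tokens) in RULES.items():
        if all(f in entry.api_fragments for f in fragments) and \
           all(t in entry.strings for t in tokens):
            hits.append(name)
    return hits


def triage(text: str) -> dict:
    """Map API String ID -> matched capabilities, omitting functions with no hit."""
    result = {}
    for entry in parse_entries(text):
        hits = classify(entry)
        if hits:
            result[entry.api_string_id] = hits
    return result


if __name__ == "__main__":
    for key, caps in triage(SAMPLE).items():
        print(f"{key}: {', '.join(caps)}")
```

Run against a saved copy of the report's text, the script gives a short list of function keys worth opening in the disassembly first; the CRT entry in the sample is deliberately not matched, which is the point of requiring a string token alongside the API fragments.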
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID:
              • String ID: dependencies$native_set_dependongroup
              • API String ID: 0-409972118
              • Opcode ID: 739a02f57c687493ff17d25acbd0d647586937320d629fc731b6e7eb5aacb352
              • Instruction ID: 03521c866b4c7cfe6bf2b1022ff6480705ab1916cd7ea62ef3b9d3751cacd87a
              • Opcode Fuzzy Hash: 739a02f57c687493ff17d25acbd0d647586937320d629fc731b6e7eb5aacb352
              • Instruction Fuzzy Hash: 62716C71604B8082EA269B77B8143DA67A1FB8DBD4F044129FB99477B9DF3DC944CB40
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$Process$Free$Alloc
              • String ID: dependencies$native_set_dependonservice
              • API String ID: 3689955550-2849880886
              • Opcode ID: e09cbeb6ba163b7733074487d8c5ea57c5f9c57d39f7d7db8b5e54c9bc97f286
              • Instruction ID: 4c18f0a9f8906bac8d29316d0d99a19f8ca38918d160cccc75a1141df60495ad
              • Opcode Fuzzy Hash: e09cbeb6ba163b7733074487d8c5ea57c5f9c57d39f7d7db8b5e54c9bc97f286
              • Instruction Fuzzy Hash: 53714B71604B8082EA269B77A8143DA67A1FB8DBD4F444129FB89477B9DF3DC845CB40
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$FreeProcess$CloseHandle$CriticalDeleteSection$ServiceUnregisterWait
              • String ID:
              • API String ID: 721818521-0
              • Opcode ID: 8b1967781c819801c2282c7234f9428b6f988098830cbf00d7948db7f41d6083
              • Instruction ID: e9855117271ec644d348db211c8dcb89f8f0867333612b95edce9907f1671582
              • Opcode Fuzzy Hash: 8b1967781c819801c2282c7234f9428b6f988098830cbf00d7948db7f41d6083
              • Instruction Fuzzy Hash: 2D413D74601E90C2EB56DBB395183E963A1BF8DFD5F084138AF4A57778DE3889448710
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$EventProcess$AllocSource$CloseDeregisterFreeHandleRegisterReport
              • String ID: await_hook_threads$await_hook_threads()$data$retain
              • API String ID: 2142993808-1900669911
              • Opcode ID: d01ba2fbf3bcc440b567fc7c1a7f886c0b57a6a8111ab25369b635bf27e9f7c9
              • Instruction ID: 780427434044c61dd547f03e7bf771bfcca09c03c361e120a64a7bde647cd176
              • Opcode Fuzzy Hash: d01ba2fbf3bcc440b567fc7c1a7f886c0b57a6a8111ab25369b635bf27e9f7c9
              • Instruction Fuzzy Hash: 2A6178B6601A8086EA16DF23F8503EA73A5F78CBC4F548129EF8E53764DF39C9128700
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID:
              • String ID: canon$lsa_canon$username_sid
              • API String ID: 0-3165952623
              • Opcode ID: 61a4d28acd9b3c91b8a6b98856a030ccb66226a499a1cfe347736c4baa40fbbe
              • Instruction ID: 2a8286567617ec90dd27cdb103d0c73c0caae6ca0e22823ef32155b10df1f8e5
              • Opcode Fuzzy Hash: 61a4d28acd9b3c91b8a6b98856a030ccb66226a499a1cfe347736c4baa40fbbe
              • Instruction Fuzzy Hash: 51516176610A8582EA02EF66E4117DA6364FBC8BD4F444026FF4D47BAAEE39C586C710
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$Process_snwprintf_s$AllocFreeMessage$Format$DefaultFileLangLocalNameOpenSendUser
              • String ID: :%s:
              • API String ID: 293816848-1112191061
              • Opcode ID: 724d6725c9227211ad7173d27c787d1fbc941b97eaedc79ecfb1e8cb120bc382
              • Instruction ID: f4c02c16514924a05df0f0130103984169df6d8ae751033e802da1f55740790b
              • Opcode Fuzzy Hash: 724d6725c9227211ad7173d27c787d1fbc941b97eaedc79ecfb1e8cb120bc382
              • Instruction Fuzzy Hash: 85616B71604A8082E761DB66F8043DA62A1FB8D7F4F504329BBBA47BE9DF3CC5458B00
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: _getptd$BlockUnwind$BaseEntryExceptionFunctionImageLookupRaiseThrow
              • String ID: bad exception$csm$csm$csm
              • API String ID: 2351602029-820278400
              • Opcode ID: 94f2d7a7ac3fbf0c7e408cc05698066adc522e88fcd38db2d59bce62785e5561
              • Instruction ID: 4ff304013d71e1c421c352ba0f3210a58c520cabd4eb8e9e99b64509a02ee7b9
              • Opcode Fuzzy Hash: 94f2d7a7ac3fbf0c7e408cc05698066adc522e88fcd38db2d59bce62785e5561
              • Instruction Fuzzy Hash: 95E1A27220478086EA72AB27A1403ED77A0F74CBC4F444525FF890BBAACF39D591D741
              APIs
              • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140011585), ref: 00000001400136EC
              • GetExitCodeProcess.KERNEL32 ref: 000000014001370B
              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140011585), ref: 0000000140013740
              • _snwprintf_s.LIBCMT ref: 0000000140013779
              • EnterCriticalSection.KERNEL32 ref: 0000000140013947
              • LeaveCriticalSection.KERNEL32 ref: 000000014001396B
                • Part of subcall function 000000014000AA80: GetProcessTimes.KERNEL32 ref: 000000014000AAA2
                • Part of subcall function 000000014000AA80: GetLastError.KERNEL32 ref: 000000014000AAAC
                • Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
                • Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
                • Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691
                • Part of subcall function 0000000140011450: UnregisterWait.KERNEL32 ref: 000000014001148E
                • Part of subcall function 0000000140011450: SetServiceStatus.ADVAPI32 ref: 0000000140011526
                • Part of subcall function 0000000140011450: EnterCriticalSection.KERNEL32 ref: 00000001400115A5
                • Part of subcall function 0000000140011450: LeaveCriticalSection.KERNEL32 ref: 00000001400115CE
                • Part of subcall function 0000000140011450: SetServiceStatus.ADVAPI32 ref: 0000000140011610
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: CriticalSection$Event$EnterLeaveProcessServiceSourceStatusTime$CloseCodeDeregisterErrorExitFileHandleLastRegisterReportSystemTimesUnregisterWait_snwprintf_s
              • String ID: %lu$Exit$Post$`
              • API String ID: 3610551520-1249451036
              • Opcode ID: 642cab63ffa1f930bf2db4ea8372a97cdcc443e84d7dfb65cdf66ffba4770686
              • Instruction ID: 9c6898da4b82adcd527d375305501d490671b7e5d756c49b4bab06ebdae18802
              • Opcode Fuzzy Hash: 642cab63ffa1f930bf2db4ea8372a97cdcc443e84d7dfb65cdf66ffba4770686
              • Instruction Fuzzy Hash: FFB17C76604BC582E722DF22E4513DB73A4F789B88F540126FF890B6A9DF39C949CB10
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Process$AffinityCurrentMask
              • String ID: All
              • API String ID: 1231390398-55916349
              • Opcode ID: eff96e4369339bbba2c319400aa00bee1043dd448a0f535bee212858d1ac3183
              • Instruction ID: 89333b989c272c6900fa0fe1462a190d1688c94fb8f165d787664ba4dc7caf2a
              • Opcode Fuzzy Hash: eff96e4369339bbba2c319400aa00bee1043dd448a0f535bee212858d1ac3183
              • Instruction Fuzzy Hash: 1B716172204B80C1EA62EB63E4403DA63A5FB8DBD4F444125FF9E8B7A9EF38C5458700
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID:
              • String ID: SeServiceLogonRight
              • API String ID: 0-347471591
              • Opcode ID: 1ca323ff7544cbea062a316e85ed950d70d80caaa4b078221830f27f3448ad9d
              • Instruction ID: a0f944345680951f5638d9c7f8e84b06276241971c720b1fbeca9eec54f8535e
              • Opcode Fuzzy Hash: 1ca323ff7544cbea062a316e85ed950d70d80caaa4b078221830f27f3448ad9d
              • Instruction Fuzzy Hash: 8051307260464082E612EB26B4517DB66A1F7C97D0F550125FF5E87BB6DE38C942C700
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$FreeProcessTime$CloseFileHandleObjectSingleSystemWait
              • String ID: hook
              • API String ID: 2152274456-2757247829
              • Opcode ID: 09c5df5f2420748436591441a970fd3aa0a79a693a197f012b347bfb45edf898
              • Instruction ID: d1e46cd8051026dbb071bf6fa3c4f2d243ea7f00bf048e6cb1231a60534f5b15
              • Opcode Fuzzy Hash: 09c5df5f2420748436591441a970fd3aa0a79a693a197f012b347bfb45edf898
              • Instruction Fuzzy Hash: 3C4134B6601B8486EB16CF66E84435967A1FB88FD8F144119EF4A53768DF38C896CB40
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$Event$ProcessSource$AllocDeregisterFreeQueryRegisterReportValue
              • String ID: get_string()
              • API String ID: 4130051898-896229945
              • Opcode ID: f432ba425df1c334af0d5d8bc6cf21bbf44c8f1dc0a7f0ab12c867f88ba37124
              • Instruction ID: e01773196815c225b165d9e20bffeedce6d82feaaa2e36e89eb2a6d238022399
              • Opcode Fuzzy Hash: f432ba425df1c334af0d5d8bc6cf21bbf44c8f1dc0a7f0ab12c867f88ba37124
              • Instruction Fuzzy Hash: 9F416AB1204A8186F722DB63B8543EA6691F78DBC4F444028FF8943BBADF3CC5458B00
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: CreateErrorFileLast
              • String ID: AppStderr$AppStdout$stderr$stderr_si$stdout$stdout_si
              • API String ID: 1214770103-3145564883
              • Opcode ID: 8bc41217d2cab0aac7e5492a8b28b5557a478992bb3363fedfbb000bcd89686d
              • Instruction ID: 84f8d01f0d4a39fbc827c3b2a16233fbc00f92dc2afb04cd47d387f1aa36e1d9
              • Opcode Fuzzy Hash: 8bc41217d2cab0aac7e5492a8b28b5557a478992bb3363fedfbb000bcd89686d
              • Instruction Fuzzy Hash: 06E11AB26046C1CAD761CF35E4417DA77A4F348B98F48463AEF8C4B6A9DB38C945CB20
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$FreeProcess
              • String ID: AppEnvironment
              • API String ID: 3859560861-948859433
              • Opcode ID: bf727592a83bd657103b9efa741edc9865e88ac5b80f902545c4b4d6b6b03db5
              • Instruction ID: 1f537f8a4e15fb6a063128440b77b0ff2ca1e7455b8185a5c21f445aa25c8dd6
              • Opcode Fuzzy Hash: bf727592a83bd657103b9efa741edc9865e88ac5b80f902545c4b4d6b6b03db5
              • Instruction Fuzzy Hash: 4871A676604A80C2EA62EB63B4443DA67A0FB8DBD5F544215FF998B6F8DF39C845C700
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap_snwprintf_s$Process$AllocFreeObjectServiceSingleStatusWait
              • String ID: %lu$%s()
              • API String ID: 3601813699-699940799
              • Opcode ID: 0ffba0166ba33d02090c299909e839c505018103f0bb2f8e7f4f694d868e91e3
              • Instruction ID: 69971400c90e31b65b72574bdd09145e1363e6fa122ccb17f487d7069af77f90
              • Opcode Fuzzy Hash: 0ffba0166ba33d02090c299909e839c505018103f0bb2f8e7f4f694d868e91e3
              • Instruction Fuzzy Hash: 17514B76204B8186E6618B62A4503DA73A5F7887E4F50031AEFBD477E9DF39C509C700
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: QueryValue
              • String ID: All$affinity$setting_get_affinity
              • API String ID: 3660427363-3501811323
              • Opcode ID: 36e189c61de046a56e77c0e4f0c4d51a8d75b56e4cf18c7dacff24821600d77c
              • Instruction ID: d992f5cfb115b4e69d8ec94212e49f6658679346330c533de7153ebc08c68e82
              • Opcode Fuzzy Hash: 36e189c61de046a56e77c0e4f0c4d51a8d75b56e4cf18c7dacff24821600d77c
              • Instruction Fuzzy Hash: 7B516171608A8082EB22DB66F4503DAA7A1F78DBD4F544125FB8947BB9DF3DC4858B00
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$AllocConfig2ErrorLastProcessQueryService
              • String ID: SERVICE_CONFIG_DESCRIPTION$get_service_description()
              • API String ID: 2527037045-119971955
              • Opcode ID: 87cfc007ee1f7d47041ce5e3710580b357c85b779c488430ea12dfe6e7cffaa3
              • Instruction ID: ce23d3445b3d502cfd1cee6f423eb33bdad80a8a01337122df70ec9d9f023edb
              • Opcode Fuzzy Hash: 87cfc007ee1f7d47041ce5e3710580b357c85b779c488430ea12dfe6e7cffaa3
              • Instruction Fuzzy Hash: 08418E75600B8182EA22EBA3F8007EA67A1BB8DBD4F444129BF4947BB6DF3CC545D700
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Message$FormatHeap$AllocDefaultFreeLangLocalProcessUser_snwprintf_s_wcsftime_l
              • String ID: NSSM$P$The message which was supposed to go here is missing!$The message which was supposed to go here is too big!$e
              • API String ID: 2747969056-1535976118
              • Opcode ID: 58946c53e902570074538918f1f58bb95ea40b455ed7411fed5f342a362d9c8f
              • Instruction ID: e0aea5a5f9581d4066fd1c3e1683cd6cd46946633892eee8657d269f664f3205
              • Opcode Fuzzy Hash: 58946c53e902570074538918f1f58bb95ea40b455ed7411fed5f342a362d9c8f
              • Instruction Fuzzy Hash: 63316E75215B8186EB629B62F8947DA7364FB8C7D4F804129FB8943BA5DF3CC949CB00
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Event$Source$DeregisterRegisterReport_snwprintf_s
              • String ID: %s%s$CopyAndTruncate$CreationDisposition$FlagsAndAttributes$ShareMode$get_createfile_parameters()
              • API String ID: 3081108292-1260861110
              • Opcode ID: c099c9cb19559e2fdbbafae6862631fb2bc145655e25f918de2c2d4a7a0ce256
              • Instruction ID: e75d1d6abf4a235fca88e6547070dcd46e2f06ec00b428c63354f5bbf43e8fee
              • Opcode Fuzzy Hash: c099c9cb19559e2fdbbafae6862631fb2bc145655e25f918de2c2d4a7a0ce256
              • Instruction Fuzzy Hash: B2817BB1204A8586E762DB22F850BDA7754F74C7E8F844316FFA9876E5EB38C646C700
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Window$ConsoleHandleProcessStation
              • String ID: %s: %lu: %s$%s: %s
              • API String ID: 2390998093-150483647
              • Opcode ID: dd4fb859678dd9658312077e5fb5972b1ddeae43dbb5eb2bda94efda359b6f6e
              • Instruction ID: 935a7045af60d552a4a1b6eb069eef078a932ada1a95a9807a014f2b4c9f0a51
              • Opcode Fuzzy Hash: dd4fb859678dd9658312077e5fb5972b1ddeae43dbb5eb2bda94efda359b6f6e
              • Instruction Fuzzy Hash: BF618F31204B8582EA26EB52F4443DA73A4FB8DBC4F404225FB990BBA6EF39C556C700
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$CreateErrorLastProcess$AllocFreeHandleInformationPipeThread
              • String ID: create_logging_thread()$logger
              • API String ID: 3682172063-2332508298
              • Opcode ID: 6ce080337fbdde164dd771dbbd35574d1c3cc7e9e503ab1a96137a68f46eed7a
              • Instruction ID: 0f708c83b6d6882e8b311f25b1277f2bd71e346d58eaf93934f5f47650e512b5
              • Opcode Fuzzy Hash: 6ce080337fbdde164dd771dbbd35574d1c3cc7e9e503ab1a96137a68f46eed7a
              • Instruction Fuzzy Hash: 9E514B76205B9086E7A1CB63B95079A77A0F78CBC0F44402AEF8983B69DF38D565CB00
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$AllocConfig2ErrorLastProcessQueryService
              • String ID: SERVICE_CONFIG_DELAYED_AUTO_START_INFO$SERVICE_DELAYED_AUTO_START_INFO$get_service_startup()
              • API String ID: 2527037045-1869567720
              • Opcode ID: 69fb2d42e2d91f1c685f588ffc0fe427bfee43e353695e8c5bf8aefcc2d855ce
              • Instruction ID: 38db9a9ae14d872f97fdc1de8561fc73ac50b2242696658d995bfcb454e7631e
              • Opcode Fuzzy Hash: 69fb2d42e2d91f1c685f588ffc0fe427bfee43e353695e8c5bf8aefcc2d855ce
              • Instruction Fuzzy Hash: 9A417C36604A9186EB12DB66F4043DAB7A0FB8DBC4F444425FB8947BB9EF79C945C700
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID:
              • String ID: get_service_dependencies()$lpDependencies
              • API String ID: 0-219018013
              • Opcode ID: 68ce330cffe9adf813eb05897d5185dfa0d7afdf617ecf9cd4df69588dddc146
              • Instruction ID: 0b794208b03b107e37140d15cab82f7c2ac1332d20ef532040e36ff5cb6e1006
              • Opcode Fuzzy Hash: 68ce330cffe9adf813eb05897d5185dfa0d7afdf617ecf9cd4df69588dddc146
              • Instruction Fuzzy Hash: B1617EB6601A4486EB12DF66E4107A977A4F74CFD8F448015EF4943BB9DF38C896EB00
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: free$_lock$ErrorFreeHeapLast_errno
              • String ID:
              • API String ID: 1575098132-0
              • Opcode ID: 900ce2037cdb037113a81b253223c54e735500e579220bc9ff7a13c552b12bce
              • Instruction ID: 3f2e47c94607781c5668a653277a2e80905b3f9df4bd34b8ef35c317ec6b371a
              • Opcode Fuzzy Hash: 900ce2037cdb037113a81b253223c54e735500e579220bc9ff7a13c552b12bce
              • Instruction Fuzzy Hash: C931613171658046FE57ABA39051BF81350AFCEBD4F481625BB1E0F6E6CF7AC8419721
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Close$Value_snwprintf_s$DeleteErrorLast
              • String ID: %s$Default
              • API String ID: 3208764733-3635391725
              • Opcode ID: f968c3f3b5bbd221de3442cd771249ba592d43d4f0135544e74485d0ad2b4540
              • Instruction ID: 7f3500c77af8523e0b9688c3565e21f73e6fccc2fc3eb3fe9c18069a2d6bb7bc
              • Opcode Fuzzy Hash: f968c3f3b5bbd221de3442cd771249ba592d43d4f0135544e74485d0ad2b4540
              • Instruction Fuzzy Hash: 36719F71205A8481FB62AF63A8507DA6390BB8DBE4F441225BF2A4B7F5EF39C545C700
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID:
              • String ID: kill_console
              • API String ID: 0-1600766264
              • Opcode ID: 24588610c75a006a5ec3907880273b6228820f287f5c7304aec0ead17864109a
              • Instruction ID: 4e94d8b513b1f5e7ee0762e412180e31d9f0e4f8997cd7f6d5a9da43dfda367a
              • Opcode Fuzzy Hash: 24588610c75a006a5ec3907880273b6228820f287f5c7304aec0ead17864109a
              • Instruction Fuzzy Hash: ED517CB1204A8086E756DB67B5043EA73A0FB4D7C4F444129FF9A877A9EF3CC9608344
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$FreeProcess
              • String ID: %s$LocalSystem$SERVICE_INTERACTIVE_PROCESS$SERVICE_WIN32_OWN_PROCESS
              • API String ID: 3859560861-1492594695
              • Opcode ID: fffd49694891c048e89e9d27ed4e9e083eab7d1e701e1650eb288d6d3e09bb87
              • Instruction ID: 91411cd37f94a30d779ec4d0d885fcc79ea8ecf7b1daad06c6b59b3cb524fe1d
              • Opcode Fuzzy Hash: fffd49694891c048e89e9d27ed4e9e083eab7d1e701e1650eb288d6d3e09bb87
              • Instruction Fuzzy Hash: D8516E71600A8581EA22EB63F8147DA36A0FB9DBE4F544129BF5D8B7E5EF38C945C310
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID:
              • String ID: %c%s$dump$setting_dump_environment
              • API String ID: 0-3189341153
              • Opcode ID: 9a0f11384646d509be77c744bea4d997d78b4229cb7c4b37e1591e935d434a64
              • Instruction ID: a88404555512558ecfb639f2472b13f1a2d02313ba6e537b4a6dd30e16b3868c
              • Opcode Fuzzy Hash: 9a0f11384646d509be77c744bea4d997d78b4229cb7c4b37e1591e935d434a64
              • Instruction Fuzzy Hash: FC418672605B8086E7529B22B8407CA73A0FB4DBE4F448215FF59477A8DF38C546C740
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID:
              • String ID: %c%s$dump$setting_dump_dependon
              • API String ID: 0-3641056368
              • Opcode ID: 57a2d30268ecd36bb96e0013271ec2899ae4f714c99f68fd30a59840ab665ad2
              • Instruction ID: 5b2c56ca74a4f11c5f493cda54f30b86cc1eab8f828d8a41247e1b07d06811aa
              • Opcode Fuzzy Hash: 57a2d30268ecd36bb96e0013271ec2899ae4f714c99f68fd30a59840ab665ad2
              • Instruction Fuzzy Hash: AB415E72605B8086E7529F62B8003DA77A4F789BE4F454216FF99477A8DF39C986C700
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$Process$AllocErrorFileFreeLastModuleName_snwprintf_s
              • String ID: % 8lu %s%s$???$[WOW64]
              • API String ID: 2935443209-3245662266
              • Opcode ID: cbb4cfd1420a93e7b420b7677ccf895b67e377104a8596a3b37561e861a92888
              • Instruction ID: e0c9e3d2c961057911ea44f832aeb7ed931542fe1b8e416e59bf97ed6bf11b92
              • Opcode Fuzzy Hash: cbb4cfd1420a93e7b420b7677ccf895b67e377104a8596a3b37561e861a92888
              • Instruction Fuzzy Hash: 05319A71301A8592EB16DB62E8507DA63A0FB8CBC4F444126FB5D877A8EF3CC946C700
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Event$AllocHeapSource$DeregisterEnvironmentErrorExpandLastLocalProcessRegisterReportStringsValue
              • String ID: ExpandEnvironmentStrings()$expand_environment_string
              • API String ID: 834161584-2090451141
              • Opcode ID: 1a857a85fd842b27e93463c536bdb97f0d9aefa233d789fc1baff957dccea033
              • Instruction ID: 58318641a1031420995e21b4a8e777d6e14e3e5644aac21f61b35d74fcd66aa2
              • Opcode Fuzzy Hash: 1a857a85fd842b27e93463c536bdb97f0d9aefa233d789fc1baff957dccea033
              • Instruction Fuzzy Hash: F1317175704A9042FB519B77B81039A62A1BB8DBC8F480139FF899776EEE3DC9414700
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$ConfigErrorLastProcessQueryService$AllocFree
              • String ID: QUERY_SERVICE_CONFIG$query_service_config()
              • API String ID: 2921672788-976127789
              • Opcode ID: 6385d850b7c4583b6f4ff08a7ab95c0a91cc1a175e4f964d4c8b666ba4b27812
              • Instruction ID: 12ef63c7e0ec9709d506b3c2b775e2798cffe3e90e480b8a1bef477be83b5080
              • Opcode Fuzzy Hash: 6385d850b7c4583b6f4ff08a7ab95c0a91cc1a175e4f964d4c8b666ba4b27812
              • Instruction Fuzzy Hash: E0215E75604A9082EB02DBA7F8043DAA7A0BB8DBC4F444429FF4E43B79DE7CC9459B00
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$Process$AllocFree
              • String ID: append_to_double_null()$key$newdn
              • API String ID: 756756679-3598718664
              • Opcode ID: e8c0b0ba8166b1c5237778d83a4dddeaf43343473c6732b3d22e86108212e6b8
              • Instruction ID: a8659a9f761dcd48a20ea0bbf3106ddecff7fc8e2851ddb4a1a6f8d7a32dd65c
              • Opcode Fuzzy Hash: e8c0b0ba8166b1c5237778d83a4dddeaf43343473c6732b3d22e86108212e6b8
              • Instruction Fuzzy Hash: CF7180B6615A8081E662DB26B41079AB7A0FB4DBE4F448215FF6953BE8EB3CC545C700
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$Process$AllocFree
              • String ID: key$newdn$remove_from_double_null()
              • API String ID: 756756679-180665911
              • Opcode ID: dec6ef9297f2f528877f7eddd1e9d4dee81437ed94269273f5d5e12274e4d5bc
              • Instruction ID: 8c6053ef598a717a1cf223f2861525f2768c9fab3b540323a4fd1412df3eeb5f
              • Opcode Fuzzy Hash: dec6ef9297f2f528877f7eddd1e9d4dee81437ed94269273f5d5e12274e4d5bc
              • Instruction Fuzzy Hash: 03619D76722A9485E622DF26B8047D9B7E0F749BD4F488219EF59037E8DF38C985C300
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID:
              • String ID: %c%u
              • API String ID: 0-883269693
              • Opcode ID: dae4665bc3affedc8ddc6640690ef829aa088a68563d45def97606a5a0a477d5
              • Instruction ID: e75947337f5fd74baf7b6f5cfe7824060c4155299e81c8694041bf6305fe6a32
              • Opcode Fuzzy Hash: dae4665bc3affedc8ddc6640690ef829aa088a68563d45def97606a5a0a477d5
              • Instruction Fuzzy Hash: 6C51D072215AC596E7A1CF26F4483DA73A0F78C7E8F548229EB5957BE8DB38C105CB00
              APIs
              • RegQueryValueExW.ADVAPI32 ref: 000000014000BC24
                • Part of subcall function 0000000140002430: TlsGetValue.KERNEL32 ref: 0000000140002442
                • Part of subcall function 0000000140002430: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002458
                • Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
                • Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
                • Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Event$SourceValue$AllocDeregisterLocalQueryRegisterReport
              • String ID: get_environment()
              • API String ID: 3592804690-3013924771
              • Opcode ID: d57cb4b6c5f1898b49630d35002a849a514446ed12f956d7628af7b00dca0aac
              • Instruction ID: 391c77f4bcccafbf38fb0bab5bbf8670fbb79554e73f50bd891dca26f0d5cfbd
              • Opcode Fuzzy Hash: d57cb4b6c5f1898b49630d35002a849a514446ed12f956d7628af7b00dca0aac
              • Instruction Fuzzy Hash: A9515CB6204B9082E721DF62A8547DE72A5F74DBC8F44812AFF89477A9EF38C9158700
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: CriticalSection_snwprintf_s$EnterLeaveObjectServiceSingleSleepStatusTimerWaitWaitable
              • String ID: %lu
              • API String ID: 109876818-685833217
              • Opcode ID: a44a97c43d17e4cb705c039e0ed849eaca5a340843a244270a44aae3fcf5a655
              • Instruction ID: e17d187198e1d2c556d4b600b8acea85b7155cc02b68ccfbb8bdb977714c94d3
              • Opcode Fuzzy Hash: a44a97c43d17e4cb705c039e0ed849eaca5a340843a244270a44aae3fcf5a655
              • Instruction Fuzzy Hash: 2B51DC72A04A80D7E7698F22E5553DE7360F388794F40032AF7AD876E5DB39D969CB00
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Event$Source$CloseDeregisterQueryRegisterReportValue_snwprintf_s
              • String ID: %s\%s$AppEvents$hook registry$set_hook()
              • API String ID: 2341694245-1670097391
              • Opcode ID: b442a7b8d74010f362647dca0de7b108b6b00fa7208d0fa25c58233f39fd3f26
              • Instruction ID: 6d0862f9470687456da518464cbe15381b9a51efbdc411d03d7a1f67d58250b0
              • Opcode Fuzzy Hash: b442a7b8d74010f362647dca0de7b108b6b00fa7208d0fa25c58233f39fd3f26
              • Instruction Fuzzy Hash: 9041B17131468059EB62CB23B891BEA6291B74DBE4F84032ABF6E47BE5DF3CC5459310
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: FormatMessageValue$AllocDefaultLangLocalUser_snwprintf_s
              • String ID: <out of memory for error message>$system error %lu
              • API String ID: 2253289489-3923297632
              • Opcode ID: c57cf59de28d07db67d5877a0ca59d18a7d4958fae7d58dbe770bbd656636a06
              • Instruction ID: a577034a7231977c6e80a66ab4d1eee538ee20579c78fea223c5835cb28133ac
              • Opcode Fuzzy Hash: c57cf59de28d07db67d5877a0ca59d18a7d4958fae7d58dbe770bbd656636a06
              • Instruction Fuzzy Hash: 7E21327160478186E7229F26F8547A66291FB8C7E8F444238EB99477E4EF3CC8548704
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$Process$Free$Alloc
              • String ID: canon$native_set_dependon
              • API String ID: 3689955550-866904565
              • Opcode ID: 1a41d593f63f6d53f7ef41eee8dd95d892469f4ce90a1465bab3fee54d794e47
              • Instruction ID: 3417812ee75a08193b20f1fd53a885790022d951d8f5cc66eb521b80143630f7
              • Opcode Fuzzy Hash: 1a41d593f63f6d53f7ef41eee8dd95d892469f4ce90a1465bab3fee54d794e47
              • Instruction Fuzzy Hash: 8B81947260468086E762DF66A8003DA73A1F74DBE4F548229FF9947BE9DF39C9468700
              APIs
              • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 0000000140024692
              • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00000001400246B1
              • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 0000000140024756
              • malloc.LIBCMT ref: 000000014002476D
              • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00000001400247B5
              • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00000001400247F0
              • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000014002482C
              • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000014002486C
              • free.LIBCMT ref: 000000014002487A
              • free.LIBCMT ref: 000000014002489C
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: ByteCharMultiWide$Infofree$malloc
              • String ID:
              • API String ID: 1309074677-0
              • Opcode ID: 87be4e84dfff67e6a5404b062bacef3d47c9d24ad15316017cadb552b82724b7
              • Instruction ID: 0861bc031b95cbac96e7ade4b626951d0e31202a9991f2a15cb32f64d4bc2cc4
              • Opcode Fuzzy Hash: 87be4e84dfff67e6a5404b062bacef3d47c9d24ad15316017cadb552b82724b7
              • Instruction Fuzzy Hash: 6761A232214A8086E7268F27A8403ED76D5F789BE8F544629FB6A47BF4DF78C9458600
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: ErrorLastOpenProcess_snwprintf_s
              • String ID: %lu
              • API String ID: 1004745324-685833217
              • Opcode ID: 90df853b17baf89f81b51910ebc5fb765af783191756ca6429a8faba2c2f6cee
              • Instruction ID: 96f1c24e96412612cb91f2ad7393678c3340066f9dc9d26303ae69a5e6fb9e68
              • Opcode Fuzzy Hash: 90df853b17baf89f81b51910ebc5fb765af783191756ca6429a8faba2c2f6cee
              • Instruction Fuzzy Hash: 38318071204A8182EB25DB26F41179E73A0FB4D7D4F444225BB8A876B9DF3CC545C700
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$Event$ProcessSource$AllocDeregisterFreeRegisterReport_snwprintf_s
              • String ID: 0x%08x$control code$log_service_control()
              Similarity
              • API ID: free$ErrorFreeHeapLast_errno
              • String ID:
              APIs
              • GetStringTypeW.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 0000000140022178
              • GetLastError.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 000000014002218A
              • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 00000001400221EA
              • malloc.LIBCMT ref: 0000000140022256
              • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 00000001400222A0
              • GetStringTypeW.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 00000001400222B7
              • free.LIBCMT ref: 00000001400222C8
              • GetStringTypeA.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 0000000140022345
              • free.LIBCMT ref: 0000000140022355
                • Part of subcall function 000000014002463C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 0000000140024692
                • Part of subcall function 000000014002463C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00000001400246B1
                • Part of subcall function 000000014002463C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00000001400247B5
                • Part of subcall function 000000014002463C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00000001400247F0
              Similarity
              • API ID: ByteCharMultiWide$StringType$Infofree$ErrorLastmalloc
              • String ID:
              Similarity
              • API ID: EnvironmentVariable$Heap$FreeProcess
              • String ID: =$=
              APIs
              • RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,00000000,0000000140010A23), ref: 000000014000CF9C
              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00000000,0000000140010A23), ref: 000000014000CFA9
              Similarity
              • API ID: CloseQueryValue
              • String ID: %lu$AppExit
              Similarity
              • API ID: Heap$AllocFreeLocalProcess_snwprintf_s_vfwprintf_p
              • String ID: %s\%s$NT Service$name$virtual_account
              Similarity
              • API ID: _errno
              • String ID:
              Similarity
              • API ID: _errno
              • String ID:
              Similarity
              • API ID: __doserrno_errno
              • String ID:
              Similarity
              • API ID: __doserrno_errno
              • String ID:
              Similarity
              • API ID: __doserrno_errno
              • String ID:
              Similarity
              • API ID:
              • String ID: SERVICE_FILE_SYSTEM_DRIVER$SERVICE_INTERACTIVE_PROCESS$SERVICE_KERNEL_DRIVER$SERVICE_WIN32_OWN_PROCESS$SERVICE_WIN32_SHARE_PROCESS$SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS
              Similarity
              • API ID:
              • String ID: %lu$%s set %s %s %s$%s set %s %s %s %s
              Similarity
              • API ID: _errno
              • String ID:
              Similarity
              • API ID: _getptd$ExceptionRaise
              • String ID: csm
              Similarity
              • API ID: _snwprintf_s$ExtensionFindPathSystemTime
              • String ID: %s%s$-%04u%02u%02uT%02u%02u%02u.%03u%s
              Similarity
              • API ID: Event$Source$DeregisterRegisterReport_snwprintf_s
              • String ID: %s\%s$AppEvents$get_hook()$hook registry
              APIs
              • _FF_MSGBANNER.LIBCMT ref: 000000014001A85B
                • Part of subcall function 000000014001DBB8: GetModuleFileNameA.KERNEL32(?,?,?,?,?,000000014001DE14,?,?,?,?,0000000140020721,?,?,00000000,000000014001A304), ref: 000000014001DC7B
                • Part of subcall function 0000000140018E48: ExitProcess.KERNEL32 ref: 0000000140018E57
                • Part of subcall function 000000014001A2E0: malloc.LIBCMT ref: 000000014001A2FF
                • Part of subcall function 000000014001A2E0: Sleep.KERNEL32(?,?,00000000,000000014001A895,?,?,00000000,000000014001A93F,?,?,?,?,?,?,00000000,000000014001C67C), ref: 000000014001A316
              • _errno.LIBCMT ref: 000000014001A89D
              • _lock.LIBCMT ref: 000000014001A8B1
              • free.LIBCMT ref: 000000014001A8D3
              • _errno.LIBCMT ref: 000000014001A8D8
              • LeaveCriticalSection.KERNEL32(?,?,00000000,000000014001A93F,?,?,?,?,?,?,00000000,000000014001C67C,?,?,00000000,000000014001B8C5), ref: 000000014001A8FE
              Similarity
              • API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfreemalloc
              • String ID:
              Similarity
              • API ID: Heap$Process$AllocFree_snwprintf_s
              • String ID: value_from_string()
              APIs
                • Part of subcall function 0000000140011330: GetProcessHeap.KERNEL32 ref: 0000000140011357
                • Part of subcall function 0000000140011330: HeapAlloc.KERNEL32 ref: 0000000140011366
              • SetServiceStatus.ADVAPI32 ref: 0000000140012A65
                • Part of subcall function 00000001400070A0: GetProcessHeap.KERNEL32 ref: 00000001400070DE
                • Part of subcall function 00000001400070A0: HeapAlloc.KERNEL32 ref: 00000001400070F0
              • CreateThread.KERNEL32 ref: 0000000140012AB6
              • GetLastError.KERNEL32 ref: 0000000140012AC1
                • Part of subcall function 0000000140002430: TlsGetValue.KERNEL32 ref: 0000000140002442
                • Part of subcall function 0000000140002430: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002458
                • Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
                • Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
                • Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691
                • Part of subcall function 0000000140011450: UnregisterWait.KERNEL32 ref: 000000014001148E
                • Part of subcall function 0000000140011450: SetServiceStatus.ADVAPI32 ref: 0000000140011526
                • Part of subcall function 0000000140011450: EnterCriticalSection.KERNEL32 ref: 00000001400115A5
                • Part of subcall function 0000000140011450: LeaveCriticalSection.KERNEL32 ref: 00000001400115CE
                • Part of subcall function 0000000140011450: SetServiceStatus.ADVAPI32 ref: 0000000140011610
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$AllocEventServiceStatus$CriticalProcessSectionSource$CreateDeregisterEnterErrorLastLeaveLocalRegisterReportThreadUnregisterValueWait
              • String ID: N$Pre$Stop
              • API String ID: 812145449-3371997690
              • Opcode ID: 9281fc33d314b76a1bf7a4864cfbc9a9ffee161a1aecb02412ce670d735580f2
              • Instruction ID: 6af4c4e2d9bea6531c1b1a8f5835dc278c3db49be028d9187f13332ad1a60afb
              • Opcode Fuzzy Hash: 9281fc33d314b76a1bf7a4864cfbc9a9ffee161a1aecb02412ce670d735580f2
              • Instruction Fuzzy Hash: D3215EB1A04A8186EB11DF32E8557DA7791F788788F48422AEB4D4B6A9DB7CC5058B10
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Window$ConsoleHandleProcessStation
              • String ID: 2.24-101-g897c7ad$2017-04-26$64-bit
              • API String ID: 2390998093-1554524045
              • Opcode ID: 40212cfdcf06d07a27e46ac9921e9abb250e1e9d96549386459e7f384bd3f580
              • Instruction ID: 208933ce03e1e4cdc7845d7d233c5fbd470caa9eac46f2f270bb13a7e74a878f
              • Opcode Fuzzy Hash: 40212cfdcf06d07a27e46ac9921e9abb250e1e9d96549386459e7f384bd3f580
              • Instruction Fuzzy Hash: 5B011A70201A4582FB16DB66B841BE563A0BB4C794F84052EBB5D476B0DF3DCA69C251
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Item$EnableWindow
              • String ID:
              • API String ID: 1115945535-0
              • Opcode ID: fdb9829a3620f13d7b2969ddaf86a420751a5d1716256729c1b6106c74bd120c
              • Instruction ID: c136e8dc2aac8da60112be9b768c9bef934fbc30f7073625e23f517483f65cae
              • Opcode Fuzzy Hash: fdb9829a3620f13d7b2969ddaf86a420751a5d1716256729c1b6106c74bd120c
              • Instruction Fuzzy Hash: 5A01B639705A9083EB169F63F85C3A66362BBCCBD1F10402AEB4A43775CE3CC8498211
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f544f8f627ae383a1768f01978c54afb7fcbded243f8772aacbfad5c93b319fe
              • Instruction ID: dd426357a1b9a04df74fbf9960fc75dfd2c65e8efc1bf2d2ec49ae87e7355242
              • Opcode Fuzzy Hash: f544f8f627ae383a1768f01978c54afb7fcbded243f8772aacbfad5c93b319fe
              • Instruction Fuzzy Hash: 9A415E76A14A80C2EB51AB23A4003DA67A1F78DBE4F584116FF4D5B7B8EF39C491CB40
              APIs
              • _getptd.LIBCMT ref: 000000014001BF9F
                • Part of subcall function 000000014001BC78: GetOEMCP.KERNEL32 ref: 000000014001BCA2
                • Part of subcall function 000000014001A2E0: malloc.LIBCMT ref: 000000014001A2FF
                • Part of subcall function 000000014001A2E0: Sleep.KERNEL32(?,?,00000000,000000014001A895,?,?,00000000,000000014001A93F,?,?,?,?,?,?,00000000,000000014001C67C), ref: 000000014001A316
              • free.LIBCMT ref: 000000014001C02B
                • Part of subcall function 000000014001A458: HeapFree.KERNEL32(?,?,00000000,000000014001C690,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A46E
                • Part of subcall function 000000014001A458: _errno.LIBCMT ref: 000000014001A478
                • Part of subcall function 000000014001A458: GetLastError.KERNEL32(?,?,00000000,000000014001C690,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A480
              • _lock.LIBCMT ref: 000000014001C063
              • free.LIBCMT ref: 000000014001C113
              • free.LIBCMT ref: 000000014001C143
              • _errno.LIBCMT ref: 000000014001C148
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
              • String ID:
              • API String ID: 2878544890-0
              • Opcode ID: 38aff8a93a219e004d4fb2decce731f2e1a6d6680dbde8491e10bca7deaa2c7b
              • Instruction ID: 9d870c3d51cdc4ff5d3e13d4a664bdaadccf0573858b57b63558978fb1287223
              • Opcode Fuzzy Hash: 38aff8a93a219e004d4fb2decce731f2e1a6d6680dbde8491e10bca7deaa2c7b
              • Instruction Fuzzy Hash: 3A51B23220068086E7579B67A4417E9B7A1F78DBD4F184216FB5A4B3F6CB7EC442C750
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$Process$AllocFree
              • String ID: key$remove_from_environment_block()
              • API String ID: 756756679-4119166937
              • Opcode ID: 50cb34b2d45f5005c24813a1e0df2552c412c9d25a9998c01387e4aadb813f74
              • Instruction ID: 54bd58668acaa8a64a469b9de0776971d6101dcbc09bd55ad8906b7833b5f725
              • Opcode Fuzzy Hash: 50cb34b2d45f5005c24813a1e0df2552c412c9d25a9998c01387e4aadb813f74
              • Instruction Fuzzy Hash: E931A1B6201B9485EB12DF66B4047DA62A4F74CBE4F54422AFF59477A4DE3CCA86C304
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 42d7036cd358576f0070066cd22754db5c612962dedf37fce37ffe29802d89a7
              • Instruction ID: 3bc43f1e5b14f0690f46103c1f8670f803ed3e49879e2c6b4ee8c207eb9faa24
              • Opcode Fuzzy Hash: 42d7036cd358576f0070066cd22754db5c612962dedf37fce37ffe29802d89a7
              • Instruction Fuzzy Hash: C3316B76604A8182EB16EB62F4413EBB360F7887D4F440026EB8A07B65DF7DC98A8700
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$Event$ProcessSource$AllocDeregisterFreeRegisterReport
              • String ID: add_thread_handle()$hook_thread_t
              • API String ID: 2639727016-2774381828
              • Opcode ID: 07258aa41ff2d329225d4091da11a04ded088b26c61e4ebd4f05c7ccc6aded00
              • Instruction ID: ae4f56caa427e417652939ebecdf0274b2fcb006895382bd4350f4b80705e1a5
              • Opcode Fuzzy Hash: 07258aa41ff2d329225d4091da11a04ded088b26c61e4ebd4f05c7ccc6aded00
              • Instruction Fuzzy Hash: 392139B5200A9086EA16DFA3B990399B351B74DBC4F488439AF8957669DF3CD1528704
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide__initconout
              • String ID:
              • API String ID: 2210154019-0
              • Opcode ID: 49750729c7b7aba1964d5437bfb005b6ebdb22c5dff53d799c2bcbff44f50bda
              • Instruction ID: 6f037757feaa4c27bd12720e07a08ea325e095812da091d21dc5bf2b4c7a5843
              • Opcode Fuzzy Hash: 49750729c7b7aba1964d5437bfb005b6ebdb22c5dff53d799c2bcbff44f50bda
              • Instruction Fuzzy Hash: 5931FC32214A5086FB629B22E4583EA63A0F78D7F5F500319F769479F4DB7DC949CB01
              APIs
              • GetLastError.KERNEL32(?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63,?,?,?,?,00000000,000000014001818D), ref: 000000014001C62E
              • FlsGetValue.KERNEL32(?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63,?,?,?,?,00000000,000000014001818D), ref: 000000014001C63C
              • SetLastError.KERNEL32(?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63,?,?,?,?,00000000,000000014001818D), ref: 000000014001C694
                • Part of subcall function 000000014001A34C: Sleep.KERNEL32(?,?,?,000000014001C657,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A391
              • FlsSetValue.KERNEL32(?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63,?,?,?,?,00000000,000000014001818D), ref: 000000014001C668
              • free.LIBCMT ref: 000000014001C68B
              • GetCurrentThreadId.KERNEL32 ref: 000000014001C67C
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: ErrorLastValue_lock$CurrentSleepThreadfree
              • String ID:
              • API String ID: 3106088686-0
              • Opcode ID: 744ae31ed2748b486f23b4531f5f32d18c4f8e80a7f5ef535a5c4d2a89bb2a02
              • Instruction ID: 0ffe949912e89fedb02e4494acd6bb79bd4d8b9ab6d6ef47e204af3708a6d54b
              • Opcode Fuzzy Hash: 744ae31ed2748b486f23b4531f5f32d18c4f8e80a7f5ef535a5c4d2a89bb2a02
              • Instruction Fuzzy Hash: 9C016734601B4186FB179F7794547E92391AB8CBD4F588228FB2A4B3F5EF3CD9458610
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID:
              • String ID: LocalSystem
              • API String ID: 0-3718507506
              • Opcode ID: 5c510378ff35a3638561cda51b730c846dcb0c7f476201026cba6af3d87a6302
              • Instruction ID: 4fab973e0ab3922536d0106af51d2d3be6949260d5916859e64fc5ce486037cb
              • Opcode Fuzzy Hash: 5c510378ff35a3638561cda51b730c846dcb0c7f476201026cba6af3d87a6302
              • Instruction Fuzzy Hash: 6E618031305B8481FA62DB27A8007DB66E4BB8DBE4F584625BF6D4BBE5EF39C4418700
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID:
              • String ID: %s
              • API String ID: 0-620797490
              • Opcode ID: 99855a48316195b93616fbf83ab77e05beff4dc8f3728702d7539ec089a948fa
              • Instruction ID: 432093541ee24ec42a9dad4126288decd4c7b585e2e55cd77d9abcda1cabd02e
              • Opcode Fuzzy Hash: 99855a48316195b93616fbf83ab77e05beff4dc8f3728702d7539ec089a948fa
              • Instruction Fuzzy Hash: 5E51C072210B8086FB229B22A8407DA66A5F78DBD4F540225FF5D4BBF6DF39C941C300
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: ErrorFileLastSystemTimeWrite_snwprintf_s
              • String ID: %04u-%02u-%02u %02u:%02u:%02u.%03u:
              • API String ID: 3358128232-1268504407
              • Opcode ID: 545cec81cc804d73d1d6c1551bfbb854dad7939054364ccafffc5018a4443183
              • Instruction ID: 7bdd17979279be81dc0a40d8893366271bb910dda1fa186fda7c8216b1e1685a
              • Opcode Fuzzy Hash: 545cec81cc804d73d1d6c1551bfbb854dad7939054364ccafffc5018a4443183
              • Instruction Fuzzy Hash: C231787220879486E7618F26F4407AAB7A0F389BD4F404216FFD943AA8DB3CC559CF00
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: free$ErrorFreeHeapLast_errno
              • String ID:
              • API String ID: 1012874770-0
              • Opcode ID: 481ea5d7f3c29c63cf85197afd43e9c94bbba3eedf21573157349b5057f42bfd
              • Instruction ID: 77ca1b70bd230a49568464f667e52b8287626ed6f347ef5051490fb47eb780d6
              • Opcode Fuzzy Hash: 481ea5d7f3c29c63cf85197afd43e9c94bbba3eedf21573157349b5057f42bfd
              • Instruction Fuzzy Hash: 7A019933600444A2FB53EBA3D45A7F91361A7DDBC5F880505BB1E9B5B1CEBAD8809721
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: _snwprintf_s
              • String ID: SYSTEM\CurrentControlSet\Services\%s$SYSTEM\CurrentControlSet\Services\%s\Parameters$SYSTEM\CurrentControlSet\Services\%s\Parameters\%s
              • API String ID: 2338360151-2857344572
              • Opcode ID: 955eb0ba2272fd79fd9059f76f52419cdc5c8a2953150d37e1f3236c5638c1eb
              • Instruction ID: 3b4812ba213ef710f57529e59cf52b854acbe9ee47b84ed3b9b00befb1747d54
              • Opcode Fuzzy Hash: 955eb0ba2272fd79fd9059f76f52419cdc5c8a2953150d37e1f3236c5638c1eb
              • Instruction Fuzzy Hash: CBF01C7A90578092E562EBA674517C533A4B79A3F4F901309FEBC037F5DB388655C600
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: _getptd
              • String ID: MOC$csm
              • API String ID: 3186804695-1389381023
              • Opcode ID: bf3a03d5970d1dd3e1fb6bd408ba9de5847db261f06e21d03137f6bf29761363
              • Instruction ID: 392b93139b50625e4f00c751eea5d7909c54f268b14a004c93ea04d22c7197c5
              • Opcode Fuzzy Hash: bf3a03d5970d1dd3e1fb6bd408ba9de5847db261f06e21d03137f6bf29761363
              • Instruction Fuzzy Hash: 75E04F36911180C6E7272B66C4453EC36E0FB9C789F86A060A3444B3A3CBBEC4818A52
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: CriticalSectionServiceStatus$EnterLeaveUnregisterWait
              • String ID:
              • API String ID: 750648178-0
              • Opcode ID: da6eaf891d5f39c178a9daca24e1f4e62401406960aaf2683fab0f1a6af88cc5
              • Instruction ID: 64d843524deb2b9263129e994287159644b8f218d23b3c23ad896588e56a0bad
              • Opcode Fuzzy Hash: da6eaf891d5f39c178a9daca24e1f4e62401406960aaf2683fab0f1a6af88cc5
              • Instruction Fuzzy Hash: 26519AB6904B86C6E769DB22F4513DBB7A4F3887C8F040215EB9A073A5DB7DD949CB00
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Heap$ByteCharMultiProcessWide$AllocFree
              • String ID:
              • API String ID: 1621643742-0
              • Opcode ID: c6716c944c1ee476e8fa47434dc82bb4148891a779e4bc662eaca591434aa38c
              • Instruction ID: 73261801b5f655ca270de00b92cee958fb11958522fdb0b445105a0a4ffb2315
              • Opcode Fuzzy Hash: c6716c944c1ee476e8fa47434dc82bb4148891a779e4bc662eaca591434aa38c
              • Instruction Fuzzy Hash: E9216235605B8081E7219F67B81079AABE5FB4D7E4F044229EF99477E9DF38C4508600
              APIs
              • DecodePointer.KERNEL32(?,?,?,000000014001DF79,?,?,?,?,0000000140018F3E), ref: 000000014001DE91
              • DecodePointer.KERNEL32(?,?,?,000000014001DF79,?,?,?,?,0000000140018F3E), ref: 000000014001DEA0
              • EncodePointer.KERNEL32(?,?,?,000000014001DF79,?,?,?,?,0000000140018F3E), ref: 000000014001DF1D
                • Part of subcall function 000000014001A3D0: realloc.LIBCMT ref: 000000014001A3FB
                • Part of subcall function 000000014001A3D0: Sleep.KERNEL32(?,?,00000000,000000014001DF0D,?,?,?,000000014001DF79,?,?,?,?,0000000140018F3E), ref: 000000014001A417
              • EncodePointer.KERNEL32(?,?,?,000000014001DF79,?,?,?,?,0000000140018F3E), ref: 000000014001DF2C
              • EncodePointer.KERNEL32(?,?,?,000000014001DF79,?,?,?,?,0000000140018F3E), ref: 000000014001DF38
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Pointer$Encode$Decode$Sleep_errnorealloc
              • String ID:
              • API String ID: 1310268301-0
              • Opcode ID: 83f6c6dcc442b54386dccdd7f702393c51a61e551925173b3f35c03b413daf19
              • Instruction ID: 30a756f2d09cec3d8e83d99eff3647af459344b6da25205903a0852a7dfdaa83
              • Opcode Fuzzy Hash: 83f6c6dcc442b54386dccdd7f702393c51a61e551925173b3f35c03b413daf19
              • Instruction Fuzzy Hash: 9B21683131169480EA12AB63F9453DAB392B78DBC0F54583AFB4E4F776EE79D5828304
              Similarity
              • API ID: Heap$FreeProcess
              • String ID:
              • API String ID: 3859560861-0
              • Opcode ID: 75444d69a368e4496316f745fd35ff06dd85ac79cfc29b2ce87d2832b74a9499
              • Instruction ID: c44fe957979a91557bf25453a9036a81366d3cea9cc272b65acdfdfda9ee0274
              • Opcode Fuzzy Hash: 75444d69a368e4496316f745fd35ff06dd85ac79cfc29b2ce87d2832b74a9499
              • Instruction Fuzzy Hash: 19114CB5605A8482EB129B73A8043DA67A1FB8DBD0F444029FF4E47768DF3CC9498A40
              Similarity
              • API ID: Heap$FreeProcess
              • String ID:
              • API String ID: 3859560861-0
              • Opcode ID: 06e58962aa168ef4b9cce3fa7573b8739e7680e84b76f287644083a05431860a
              • Instruction ID: 4df9a403a91ae1dd2fec2ef8b09f26153c7cc104d93c3de734a30b221c7b6cbb
              • Opcode Fuzzy Hash: 06e58962aa168ef4b9cce3fa7573b8739e7680e84b76f287644083a05431860a
              • Instruction Fuzzy Hash: 2E114CB5605A8482EB11DB73A8003DA67A1FBCDBD0F448126FF4E57768DF3DC9498A40
              Similarity
              • API ID: CloseHandle
              • String ID: hStdError$hStdOutput$stderr_pipe$stdout_pipe
              • API String ID: 2962429428-3965950600
              • Opcode ID: b1431f8af12d8aa5b37c11219322e77cfc5415b162553f20b9ad0d1acf7a8f2b
              • Instruction ID: 132c92118f196b348bc52cac29ee2af79761ecaa20d4e8a20d920413e6b7f2b4
              • Opcode Fuzzy Hash: b1431f8af12d8aa5b37c11219322e77cfc5415b162553f20b9ad0d1acf7a8f2b
              • Instruction Fuzzy Hash: EA11C6B171094186EF96CF67F4457E92360FB4CBC8F844125AF5D831A5DF78C8918B00
              Similarity
              • API ID: Item$HeapText$_snwprintf_s$AllocProcess$FreeLocal
              • String ID:
              • API String ID: 65965981-0
              • Opcode ID: 21198b540a65345ed7fdc7f0815551f0124c4edbe3ffc441835e824b3edb693a
              • Instruction ID: 8c88ce8c025d37f4d5b0e8d3153f6582234e056b6c9f906e17911e81f835f57e
              • Opcode Fuzzy Hash: 21198b540a65345ed7fdc7f0815551f0124c4edbe3ffc441835e824b3edb693a
              • Instruction Fuzzy Hash: 4B11EFB161968182E7619B12F1547EE6311F789BC4F801125FF4E17AA9CF7CC54A8740
              Similarity
              • API ID: Item$HeapText$_snwprintf_s$AllocProcess$FreeLocal
              • String ID:
              • API String ID: 65965981-0
              • Opcode ID: bc93de3db2f9f1020f2827c5b2bfaff67fd16c43bba92efd12e0b4febac6b628
              • Instruction ID: 4cb8385e7472ac1fff0796a63c3a7a682bee92a1d82b4e4757a1f87387902318
              • Opcode Fuzzy Hash: bc93de3db2f9f1020f2827c5b2bfaff67fd16c43bba92efd12e0b4febac6b628
              • Instruction Fuzzy Hash: 84111E717196C182EB669B16F158BEE6311F789BC4F801026FE4A17F99CF3CC64A8700
              Similarity
              • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
              • String ID:
              • API String ID: 1445889803-0
              • Opcode ID: c8f6b24ac6350ff6811d1f2cfc27df22994d1d3946078b9506eb196b374217da
              • Instruction ID: 10193c4157f05475708f448b1d2e75a923b46d7bcfff4b871662ec0ac0004df7
              • Opcode Fuzzy Hash: c8f6b24ac6350ff6811d1f2cfc27df22994d1d3946078b9506eb196b374217da
              • Instruction Fuzzy Hash: F9011331226B408AEB928F22E85439A6360F74DBD0F446624FF9E47BB4DB38CD958700
              Similarity
              • API ID: Item$EnableWindow
              • String ID:
              • API String ID: 1115945535-0
              • Opcode ID: fc1f00d6f8de915c0cf1fecaaa3dab29ec18d70c3be1c09bf97593c02900dbf0
              • Instruction ID: 5f5d2ebedf604e459dbdf9e4e943f0f8c65e70048bbde8dab10ac2dd5ce16191
              • Opcode Fuzzy Hash: fc1f00d6f8de915c0cf1fecaaa3dab29ec18d70c3be1c09bf97593c02900dbf0
              • Instruction Fuzzy Hash: 9BF09878B01A1082E7169F63F89C3962361B78CBD1F50402AEB4A53374CD3C888A8210
              Similarity
              • API ID: _getptd$CallTranslator
              • String ID: MOC
              • API String ID: 3569367362-624257665
              • Opcode ID: 984ef666c86ff0f26ee1dd0a56a556fdf105fcc5e21237e672a10548b4838afa
              • Instruction ID: 1981bdcadb06ce4bdc8508a6749bf47e27913e4d16f9d5307a86893b0f960b5a
              • Opcode Fuzzy Hash: 984ef666c86ff0f26ee1dd0a56a556fdf105fcc5e21237e672a10548b4838afa
              • Instruction Fuzzy Hash: 7861C172204BC096EB21CB16E0807EDB3A1F788BC8F044612FB8E4BAA9DF79C155C700
              Similarity
              • API ID: CodeEnumExitProcessWindows
              • String ID: kill_process
              • API String ID: 1667765206-4017559064
              • Opcode ID: ec2725fd4d17deee3c6892182f4ec3b674e3a84b23fc252c11801733192f8160
              • Instruction ID: 870ed4e6a64c2b2717d87909e2c3c6a9de5bae361eb89f1ed30753fe3d390e05
              • Opcode Fuzzy Hash: ec2725fd4d17deee3c6892182f4ec3b674e3a84b23fc252c11801733192f8160
              • Instruction Fuzzy Hash: 62315AB620068182EB92CF27E4443ED67E0F78DBCCF484015EF885B6A9DB38C895CB00
              Similarity
              • API ID: Process$CreateErrorLastTerminate
              • String ID: h
              • API String ID: 391916801-2439710439
              • Opcode ID: f0eea5fc8340ddcc071df88f9cb943006310234530f1304aabdf6978d6f4de95
              • Instruction ID: d870a3890a1a428991c6d2e8576a3997bb0424cf396cd575bfeec439b2630230
              • Opcode Fuzzy Hash: f0eea5fc8340ddcc071df88f9cb943006310234530f1304aabdf6978d6f4de95
              • Instruction Fuzzy Hash: 89116072614AC086DB608B25F44539FB3E5FBC8794F544129A78D87B69EF7CC055CB00
              Similarity
              • API ID: Event$Source$DeregisterRegisterReport
              • String ID: nssm
              • API String ID: 3235303502-2602286837
              • Opcode ID: 7df15c659b1a9ede9e7b78cde8095a5092b846815cd3347651fe12293546a120
              • Instruction ID: e50ceca6900d08032080260d0135b37eb9bb60d2fd49f87d05c207e38d1b7918
              • Opcode Fuzzy Hash: 7df15c659b1a9ede9e7b78cde8095a5092b846815cd3347651fe12293546a120
              • Instruction Fuzzy Hash: FD11C672614B8082DB61CB15B440799B3A4FBA97E9F144229EBA917FA4DF3CC464CB00
              APIs
              • _snwprintf_s.LIBCMT ref: 0000000140008240
              • RegDeleteValueW.ADVAPI32(?,?,?,?,?,?,?,?,00000000,0000000140004197), ref: 0000000140008278
                • Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
                • Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
                • Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691
              Similarity
              • API ID: Event$Source$DeleteDeregisterRegisterReportValue_snwprintf_s
              • String ID: %s%s$delete_createfile_parameter()
              • API String ID: 1919654809-3045456684
              • Opcode ID: 175380935694bc14b7af4e0a0e91dce587c67f0dfa4100bd6f875a10a037d859
              • Instruction ID: 00e2f90206eeac15bc4beae9a7c9104b7a997fd30bc8a4e903547ee1ab7b090e
              • Opcode Fuzzy Hash: 175380935694bc14b7af4e0a0e91dce587c67f0dfa4100bd6f875a10a037d859
              • Instruction Fuzzy Hash: C8016171204B8186EA61CB26F8517DA72A0F74C7D4F540229BBAD876E5DF3CC5098700
              APIs
              • GetModuleHandleW.KERNEL32(?,?,000000FF,0000000140018E55,?,?,00000028,0000000140020735,?,?,00000000,000000014001A304,?,?,00000000,000000014001A895), ref: 0000000140018E1B
              • GetProcAddress.KERNEL32(?,?,000000FF,0000000140018E55,?,?,00000028,0000000140020735,?,?,00000000,000000014001A304,?,?,00000000,000000014001A895), ref: 0000000140018E30
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: CorExitProcess$mscoree.dll
              • API String ID: 1646373207-1276376045
              • Opcode ID: 33c6d0fe48477ca3b6b91b462d7bf832c94a3ce6636cad9f835ac117e0bb2d2e
              • Instruction ID: 7fd0a63c8c4db595e634ee2cb220929ad1125e220e7f5ed1595a97e86bb7ad7d
              • Opcode Fuzzy Hash: 33c6d0fe48477ca3b6b91b462d7bf832c94a3ce6636cad9f835ac117e0bb2d2e
              • Instruction Fuzzy Hash: 88E0627071174592FE1B6BA3B8943E412917B5C7C1F48152D9E5E0B3B0EF389D59C310
              Similarity
              • API ID: _getptd$BaseImage
              • String ID:
              • API String ID: 2482573191-0
              • Opcode ID: 2237048bf79284b0269ed9c29fe75178a274c15cdf13b4d9d56bc2e72612f190
              • Instruction ID: 43c81dbebb5e7642f9f0f2e393759842062bb8c55fdd15a841d76fd40ecc4635
              • Opcode Fuzzy Hash: 2237048bf79284b0269ed9c29fe75178a274c15cdf13b4d9d56bc2e72612f190
              • Instruction Fuzzy Hash: B241877220158185EA26A727E4457EDA794BB8DFD8F558121FF194B7F2CF36C482C701
              Similarity
              • API ID: Heap$AllocProcess
              • String ID: get_service_username()$username
              • API String ID: 1617791916-1118073074
              • Opcode ID: c429dc061a9a6cf9038fc22e94fa89e910a21fbdcc0c89adca4798bb4a11ac5d
              • Instruction ID: 0cb368d2c87889caaf96027648e82f4ecc8631b9f2301991adb876be56352873
              • Opcode Fuzzy Hash: c429dc061a9a6cf9038fc22e94fa89e910a21fbdcc0c89adca4798bb4a11ac5d
              • Instruction Fuzzy Hash: 8C218E35311F9181EB52EB66A4007D963A0FB4DBD4F145115FFA9477AADF39C5918300
              Similarity
              • API ID: Heap$AllocFreeLocalProcess_vfwprintf_p
              • String ID: canon$prepend_service_group_identifier()
              • API String ID: 3711101700-1763787916
              • Opcode ID: 70bfe6c4fdbcecd35eb41ec2717ce9fd15992a348f7a4d2acb1872022e334d37
              • Instruction ID: 507826b590544fc3c42e086d7e5ceacec4a2a22e150a68cdd10baf9fbc5d2281
              • Opcode Fuzzy Hash: 70bfe6c4fdbcecd35eb41ec2717ce9fd15992a348f7a4d2acb1872022e334d37
              • Instruction Fuzzy Hash: 43219F76211A4185EB12EF66F4403EA73A0FB4CBE4F489125FF5947BA5DE3CC9868300
              Similarity
              • API ID: Heap$Process$AllocFree_errno
              • String ID: ****$NT Service
              • API String ID: 3082395346-2413771068
              • Opcode ID: 52f29cefcd2ae25377bfd57735bacb64c6185ee46865f8d51834da5f558f6643
              • Instruction ID: 542743ef18242b98f181da6a0e2a201551074ef330fba52be6967c975ec7fa0b
              • Opcode Fuzzy Hash: 52f29cefcd2ae25377bfd57735bacb64c6185ee46865f8d51834da5f558f6643
              • Instruction Fuzzy Hash: 4D210832209B8482EA229B63F4407DA73A4F78DBD8F484115FF9D47BA9DF79C6458B01
              Similarity
              • API ID: CurrentProcess$DuplicateErrorHandleLast
              • String ID:
              • API String ID: 3907606552-0
              • Opcode ID: a1a1746b7a1b8be94718e7fd56a79bcc54c5f9d3e77d580c70b2e15733a3a24d
              • Instruction ID: 063db28a99952865a7c583c334f68a92e69e6d162e6800a70cf4d12b91e85143
              • Opcode Fuzzy Hash: a1a1746b7a1b8be94718e7fd56a79bcc54c5f9d3e77d580c70b2e15733a3a24d
              • Instruction Fuzzy Hash: D1118FB1604B8086E761DF13B80079AB3B0FB99BC4F544129FF8943769DB3CD5458A44
              Similarity
              • API ID: File$CreateErrorLastPointer
              • String ID:
              • API String ID: 2723331319-0
              • Opcode ID: c08339b1e22f32e2d1c44a12ee1b47e332aaf4369c88baee9192c0904b562b12
              • Instruction ID: 04b0ddcd3c0c213606b494fe1a6ff36e368d780fa48891c1d5ff22db1412f183
              • Opcode Fuzzy Hash: c08339b1e22f32e2d1c44a12ee1b47e332aaf4369c88baee9192c0904b562b12
              • Instruction Fuzzy Hash: 3A016DB170478082EB519B67B85579A6290BB8CBF4F044328BFB9477E9DB7CCA404B00
              Similarity
              • API ID: DecodePointer_errno_flush_freebuf
              • String ID:
              • API String ID: 1889905870-0
              • Opcode ID: 658a91a57760e8bfdda30ba3aa02c586fb4cbff4a2ea938cc334cdc9ad90d10b
              • Instruction ID: dd73d03f2c1ea2f4e6da5caa570c6c82c2ded73eed670ef386c6a809164821d1
              • Opcode Fuzzy Hash: 658a91a57760e8bfdda30ba3aa02c586fb4cbff4a2ea938cc334cdc9ad90d10b
              • Instruction Fuzzy Hash: 0401D432B1474042FB17AB7794513ED62515BDD7E8F280328BB524B5F7CE39CC818240
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Window$Rect$DesktopMove
              • String ID:
              • API String ID: 2894293738-0
              • Opcode ID: 6c793aff5eefccb5bb44ad8668e35a694a0f6c32e109282dd85a116bf074420f
              • Instruction ID: 9b88486dfa801f3ea56ee834c5fc61d219d0278a4a683ae30dfced5db79f75a2
              • Opcode Fuzzy Hash: 6c793aff5eefccb5bb44ad8668e35a694a0f6c32e109282dd85a116bf074420f
              • Instruction Fuzzy Hash: 940121723255418BEB65CF3AB4087597BA1F789BC5F485118BF4A93768DF3CD8048B04
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Event$HeapSource$AddressAllocDeregisterErrorFreeLastLocalProcProcessRegisterReportValue
              • String ID:
              • API String ID: 905504245-0
              • Opcode ID: d5408b3ffb354c67e7c82357409d565c31efe8536ff850fba44303473ab1db3e
              • Instruction ID: 68001dc37862e947b6face855cca3149977c74e6503e290e37182dcd7bd8c4ea
              • Opcode Fuzzy Hash: d5408b3ffb354c67e7c82357409d565c31efe8536ff850fba44303473ab1db3e
              • Instruction Fuzzy Hash: 58019EB5604B9082E7059B67E80039E63A0FB8DBC4F544428FF8C47B69EF3CC9118B00
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: __doserrno_errno
              • String ID:
              • API String ID: 921712934-0
              • Opcode ID: e500c259cdb1fa6dcf6b2e184e15fca3845d434d9491e58f95f4bba58c537ff6
              • Instruction ID: 94aae76b054f4c278dc94295e20dd2d585d9ec13bd88ad299c4b3e6ab06a23ff
              • Opcode Fuzzy Hash: e500c259cdb1fa6dcf6b2e184e15fca3845d434d9491e58f95f4bba58c537ff6
              • Instruction Fuzzy Hash: 09014F7261064485FB176B66C9913E926629B98BF5F548349FB2A0B3F2CB394815CA10
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: MessageSend$Item$EnvironmentTextVariable_snwprintf_s
              • String ID:
              • API String ID: 2263371560-0
              • Opcode ID: 1e261de19b2049f26f316e4d274318e75987586aff01661f23e1450ee786f346
              • Instruction ID: a487d99df9754013241ce58257599312179a340a947fd995e23cf4898c0dcb84
              • Opcode Fuzzy Hash: 1e261de19b2049f26f316e4d274318e75987586aff01661f23e1450ee786f346
              • Instruction Fuzzy Hash: EFF06DB471145042FB62D773F579BEA2251978DBC4F81102AAE0A0BFA5CD3D84C94700
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: MessageSend$Item$EnvironmentTextVariable_snwprintf_s
              • String ID:
              • API String ID: 2263371560-0
              • Opcode ID: 321d717a814a89acfc3efa5d88a05e77f0a26d3068045a377efcac5b98d509ea
              • Instruction ID: b8c1a0b79c580c7536ba96cf28a415a1f70d0243cf03293b484bff3c148e4e38
              • Opcode Fuzzy Hash: 321d717a814a89acfc3efa5d88a05e77f0a26d3068045a377efcac5b98d509ea
              • Instruction Fuzzy Hash: 07F05E7871154042FB629773B979BDA225197CDBC4F811029AE4A0BFA5DD3C848A4700
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: _getptd
              • String ID: csm$csm
              • API String ID: 3186804695-3733052814
              • Opcode ID: c278b547bf228ec2d41bf35c1773a0c57779f941625d245b0e0dc3692df98d56
              • Instruction ID: d9d2eefccdb791b5da5f69efa20d78588aa8d92e6e4a8d7ac5f61f1dcab05ab9
              • Opcode Fuzzy Hash: c278b547bf228ec2d41bf35c1773a0c57779f941625d245b0e0dc3692df98d56
              • Instruction Fuzzy Hash: 4F518F3220428086EB669E27A4407FD76E1F749BD8F044125FB995BBFACB39C891DB01
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID:
              • String ID: %s
              • API String ID: 0-620797490
              • Opcode ID: 66f9b83034cdc10779a5e0043ec0466502995d1837e5eb2a52bbf968e27da1c1
              • Instruction ID: d0e6f41c41585116152e02a184c3a1f58e4f54184c66c8a72e5feecc0c09d718
              • Opcode Fuzzy Hash: 66f9b83034cdc10779a5e0043ec0466502995d1837e5eb2a52bbf968e27da1c1
              • Instruction Fuzzy Hash: 45518F31711B4486EA67AF23B8403DB6690AB89BD4F580525BF5A4F7F5EF39C442C700
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: ItemText
              • String ID: remove()$service
              • API String ID: 3367045223-1317115628
              • Opcode ID: d6c1eab33e552a1d51edc14813662fb88a674c685bc921d8b2703708ddee48ca
              • Instruction ID: 884b68b2361b9accba3a5647830a6bbb3516d37918a4cefed32121cd93be4a21
              • Opcode Fuzzy Hash: d6c1eab33e552a1d51edc14813662fb88a674c685bc921d8b2703708ddee48ca
              • Instruction Fuzzy Hash: 7B319FB571855181FB16DB2BF1553EE5361E78ABC0F990021FF490BBAADA3ECA428704
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Event$Source$DeregisterQueryRegisterReportValue_snwprintf_s
              • String ID: %lu
              • API String ID: 4171705784-685833217
              • Opcode ID: 252649570bab39624b2f3eb7c4793306f44bec8960cf66e6758a799e215959da
              • Instruction ID: b465ed42436ed88bcde89125f5b67bdb6df87cfb18eb5e921029c2ca6c48ad98
              • Opcode Fuzzy Hash: 252649570bab39624b2f3eb7c4793306f44bec8960cf66e6758a799e215959da
              • Instruction Fuzzy Hash: EC2190B222578086E761CB52F45179AB7A0F388BD4F541225BF9E47BE9DB3CC545CB00
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: EnvironmentVariable_snwprintf_s
              • String ID: %llu
              • API String ID: 709434441-507646796
              • Opcode ID: 62323e847072239d2dfe07a9b4d82c4042ae325b3561faaad9a455eb713a102c
              • Instruction ID: e467e5e73326f99c3117ac0c8c0fbe1bd46234100152dbfbcb59804b6ff9c8b8
              • Opcode Fuzzy Hash: 62323e847072239d2dfe07a9b4d82c4042ae325b3561faaad9a455eb713a102c
              • Instruction Fuzzy Hash: 581142F271568487EE55CF25F450399B3AAF78C7D0F40622ABB5A4BBA9DB38C445CB00
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: EnvironmentVariable_snwprintf_s
              • String ID: NSSM_HOOK_%s_%s
              • API String ID: 709434441-2875243618
              • Opcode ID: 4ea9655dce0b04998aeefe81c93d88c27734ff9384fe505650afbcf47a32db9d
              • Instruction ID: cd584e5e7450ae50aa123f35cea241f8afa392f5509ff8d8e49b189544c92063
              • Opcode Fuzzy Hash: 4ea9655dce0b04998aeefe81c93d88c27734ff9384fe505650afbcf47a32db9d
              • Instruction Fuzzy Hash: 9311A5B1324A8441F622DB26E8517DA6254F78D7E8F805225BF9D876E5DE3CC286C700
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: Event$Source$DeregisterRegisterReport_snwprintf_s
              • String ID: %s%s$set_createfile_parameter()
              • API String ID: 3081108292-102671490
              • Opcode ID: db437f29594db4c845281d8ab962dddfa93ab2c9490456a63c896ed5cf6eaedd
              • Instruction ID: 36db2d84d5898f6ff56e4daee3153183d4249f022df8d192bd57ebdc47628223
              • Opcode Fuzzy Hash: db437f29594db4c845281d8ab962dddfa93ab2c9490456a63c896ed5cf6eaedd
              • Instruction Fuzzy Hash: 1101B172614A8042F622DB16F851BDA6354BB8C7E4F540325BFAC477E5DF38C50A8740
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2207279493.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
               • Associated: 00000004.00000002.2207260101.0000000140000000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207305409.0000000140026000.00000002.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140030000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207326468.0000000140062000.00000004.00000001.01000000.00000007.sdmp
               • Associated: 00000004.00000002.2207376367.0000000140065000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_140000000_nssm.jbxd
              Similarity
              • API ID: _getptd
              • String ID: csm
              • API String ID: 3186804695-1018135373
              • Opcode ID: f518a2f01546b2857537e82e835672f00eb15f2ecaa500e75dd14d18472aae28
              • Instruction ID: 3abc21f0dc36ef9efe3608e6f583550ad69bd6604c7f8c9ada24669edb6f4e5a
              • Opcode Fuzzy Hash: f518a2f01546b2857537e82e835672f00eb15f2ecaa500e75dd14d18472aae28
              • Instruction Fuzzy Hash: 480152322416418ADB72AF23C8503EC23A4E79DBCAF894129EF8D0B7A5DB31C994C305

              Execution Graph

               Execution Coverage: 1.4%
               Dynamic/Decrypted Code Coverage: 0%
               Signature Coverage: 0.7%
               Total number of Nodes: 275
               Total number of Limit Nodes: 64
               execution_graph: [node and edge listing of the execution graph, rendered as an interactive graph in the original report. Win32 API nodes named in the listing: GetSystemInfo, ReadFile, CreateFileW, WriteFile, GetFileAttributesW, DeleteFileW, CloseHandle. CRT nodes named in the listing: _raise_excf, new[]. Node addresses lie in the 7ffd8e1cxxxx to 7ffd8e2dxxxx range.]

              Control-flow Graph

              • Control-flow graph of function 7ffd8e1cc0e0 (entry block 7ffd8e1cc0e0-7ffd8e1cc129; calls CreateFileW in block 7ffd8e1cc2d0-7ffd8e1cc303); executed / not-executed node listing omitted
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000022.00000002.4624011762.00007FFD8E1B1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFD8E1B0000, based on PE: true
              • Associated: 00000022.00000002.4623987867.00007FFD8E1B0000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624787910.00007FFD8E31D000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624947940.00007FFD8E320000.00000008.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625047268.00007FFD8E321000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625194425.00007FFD8E324000.00000002.00000001.01000000.0000000E.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_34_2_7ffd8e1b0000_Service.jbxd
              Similarity
              • API ID: CreateFile
              • String ID: delayed %dms for lock/sharing conflict at line %d$psow$winOpen
              • API String ID: 823142352-1266388144
              • Opcode ID: 294564a8028a632a24dace648262c53082131fb7504090ab2508b3d506ebc7ad
              • Instruction ID: da1bc7675d6f0260519faf2ce07881d61b9b8f7aaaab28930335110cbb6b280d
              • Opcode Fuzzy Hash: 294564a8028a632a24dace648262c53082131fb7504090ab2508b3d506ebc7ad
              • Instruction Fuzzy Hash: 1A227D22B0C742A6FB549B95E8603797BA0BF46B95F445239DA5D837A0CF3CE885DF00

              Control-flow Graph

              • Control-flow graph of function 7ffd8e2c35e0 (entry block 7ffd8e2c35e0-7ffd8e2c3615; calls GetSystemInfo and 7ffd8e2c3190); executed / not-executed node listing omitted
              APIs
              • GetSystemInfo.KERNEL32(?,?,?,?,00007FFD8E2C3421,?,?,?,?,00007FFD8E1B13AB), ref: 00007FFD8E2C360F
              Memory Dump Source
              • Source File: 00000022.00000002.4624011762.00007FFD8E1B1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFD8E1B0000, based on PE: true
              • Associated: 00000022.00000002.4623987867.00007FFD8E1B0000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624787910.00007FFD8E31D000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624947940.00007FFD8E320000.00000008.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625047268.00007FFD8E321000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625194425.00007FFD8E324000.00000002.00000001.01000000.0000000E.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_34_2_7ffd8e1b0000_Service.jbxd
              Similarity
              • API ID: InfoSystem
              • String ID:
              • API String ID: 31276548-0
              • Opcode ID: 02cd42ee65bd595d438a010dab517e082ebcb4af484fb81384dc88c80ffbaea4
              • Instruction ID: d549e66cd64527b5cf8b05f4caeb750af706209fbc025c6f1cbb1cbf2cb528aa
              • Opcode Fuzzy Hash: 02cd42ee65bd595d438a010dab517e082ebcb4af484fb81384dc88c80ffbaea4
              • Instruction Fuzzy Hash: E2B12764B0AB0790FE54ABC5E8703B423A0BF06B82F540D79D95D477A0DF3DE8A5EA10

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000022.00000002.4624011762.00007FFD8E1B1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFD8E1B0000, based on PE: true
              • Associated: 00000022.00000002.4623987867.00007FFD8E1B0000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624787910.00007FFD8E31D000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624947940.00007FFD8E320000.00000008.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625047268.00007FFD8E321000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625194425.00007FFD8E324000.00000002.00000001.01000000.0000000E.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_34_2_7ffd8e1b0000_Service.jbxd
              Similarity
              • API ID: FileWrite
              • String ID: delayed %dms for lock/sharing conflict at line %d$winWrite1$winWrite2
              • API String ID: 3934441357-1808655853
              • Opcode ID: 50579209e13c0d188a9c80e9b678b0d7a88b1b9ad0d8ca593215720cc074c618
              • Instruction ID: 56cf691689dcfeabb70c03a70b0f753b1a95e7f4fa11129e9a9efde06f171f4c
              • Opcode Fuzzy Hash: 50579209e13c0d188a9c80e9b678b0d7a88b1b9ad0d8ca593215720cc074c618
              • Instruction Fuzzy Hash: 8641B133B0865282E7209FA9E8606B97BA5FB85B80F544136DE4C83B94CF7CE841CF00

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000022.00000002.4624011762.00007FFD8E1B1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFD8E1B0000, based on PE: true
              • Associated: 00000022.00000002.4623987867.00007FFD8E1B0000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624787910.00007FFD8E31D000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624947940.00007FFD8E320000.00000008.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625047268.00007FFD8E321000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625194425.00007FFD8E324000.00000002.00000001.01000000.0000000E.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_34_2_7ffd8e1b0000_Service.jbxd
              Similarity
              • API ID: File$AttributesDelete
              • String ID: delayed %dms for lock/sharing conflict at line %d$winDelete
              • API String ID: 2910425767-1405699761
              • Opcode ID: 999d1ba121ec2a82a5c60d5c34dcdcc3620227e88c38499f7fbdbc7c6c03f416
              • Instruction ID: e7e10091f7e178145eeb31834e4abbd62ce664b77853a7ca124edbe9ae69c46d
              • Opcode Fuzzy Hash: 999d1ba121ec2a82a5c60d5c34dcdcc3620227e88c38499f7fbdbc7c6c03f416
              • Instruction Fuzzy Hash: 5F41AE22B0861692F7149BD9E8602B87BA0BF86B91F540535DA1DC37A1CF3CFC45DE00

              Control-flow Graph

              • Control-flow graph of function 7ffd8e1c7550 (entry block 7ffd8e1c7550-7ffd8e1c757b; calls ReadFile in block 7ffd8e1c7600-7ffd8e1c762b); executed / not-executed node listing omitted
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000022.00000002.4624011762.00007FFD8E1B1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFD8E1B0000, based on PE: true
              • Associated: 00000022.00000002.4623987867.00007FFD8E1B0000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624787910.00007FFD8E31D000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624947940.00007FFD8E320000.00000008.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625047268.00007FFD8E321000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625194425.00007FFD8E324000.00000002.00000001.01000000.0000000E.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_34_2_7ffd8e1b0000_Service.jbxd
              Similarity
              • API ID: FileRead
              • String ID: delayed %dms for lock/sharing conflict at line %d$winRead
              • API String ID: 2738559852-1843600136
              • Opcode ID: 54959c592f9b776378a38fea204404d265fd1426f5fd2a84a2b2b3749b4f4957
              • Instruction ID: ef21933d961972008e35ed76706d717a48435160f9c7c8c77ecb71799a781bb5
              • Opcode Fuzzy Hash: 54959c592f9b776378a38fea204404d265fd1426f5fd2a84a2b2b3749b4f4957
              • Instruction Fuzzy Hash: 2E41F232B0865686E3109FA9E4646F9BB65FB46B81F850136EE4D83B55CF7CE442CF40
              APIs
              Memory Dump Source
              • Source File: 00000022.00000002.4624011762.00007FFD8E1B1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFD8E1B0000, based on PE: true
              • Associated: 00000022.00000002.4623987867.00007FFD8E1B0000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624787910.00007FFD8E31D000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624947940.00007FFD8E320000.00000008.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625047268.00007FFD8E321000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625194425.00007FFD8E324000.00000002.00000001.01000000.0000000E.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_34_2_7ffd8e1b0000_Service.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
              • String ID:
              • API String ID: 1239891234-0
              • Opcode ID: e0829758c8acea8a88bb22142360789a48b9e3a09f4b65a80001d06f088d6958
              • Instruction ID: 4ab913dfcc8257d5eb3a76d229b30dc5beb7937cc07db83285bb527892e316d2
              • Opcode Fuzzy Hash: e0829758c8acea8a88bb22142360789a48b9e3a09f4b65a80001d06f088d6958
              • Instruction Fuzzy Hash: D2316C36718B9286EB608F65E8507EE73A4FB88758F500136EA8D47B99DF38D545CB00
              Memory Dump Source
              • Source File: 00000022.00000002.4624011762.00007FFD8E1B1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFD8E1B0000, based on PE: true
              • Associated: 00000022.00000002.4623987867.00007FFD8E1B0000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624787910.00007FFD8E31D000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624947940.00007FFD8E320000.00000008.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625047268.00007FFD8E321000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625194425.00007FFD8E324000.00000002.00000001.01000000.0000000E.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_34_2_7ffd8e1b0000_Service.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7b09fb8bc32717e68df346f831d48fb96644a2980a655d8ed8fcf2c81cfa48b0
              • Instruction ID: 7b0872fbed60f490810981b13608696ddf2fbaa4661be654a1c984df7cea9631
              • Opcode Fuzzy Hash: 7b09fb8bc32717e68df346f831d48fb96644a2980a655d8ed8fcf2c81cfa48b0
              • Instruction Fuzzy Hash:
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000022.00000002.4624011762.00007FFD8E1B1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFD8E1B0000, based on PE: true
              • Associated: 00000022.00000002.4623987867.00007FFD8E1B0000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624787910.00007FFD8E31D000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624947940.00007FFD8E320000.00000008.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625047268.00007FFD8E321000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625194425.00007FFD8E324000.00000002.00000001.01000000.0000000E.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_34_2_7ffd8e1b0000_Service.jbxd
              Similarity
              • API ID: new[]
              • String ID: %s%c%s$:$:$?$\$winFullPathname1$winFullPathname2
              • API String ID: 4059295235-3840279414
              • Opcode ID: ada1d5f0f810558d137832d9d17ccea550533cbd4bee4c5a2ffc3a0b827115f0
              • Instruction ID: 6f3470980daadaae9301cdd5ccf6d4c9fccb120a1e9f760b5a193345d96d7e3c
              • Opcode Fuzzy Hash: ada1d5f0f810558d137832d9d17ccea550533cbd4bee4c5a2ffc3a0b827115f0
              • Instruction Fuzzy Hash: 1751C253F0C68681FB549BE198706B96BA5FF45B88F484036DE5D47696CE3CE445CF00
              APIs
              • try_get_function.LIBVCRUNTIME ref: 00007FFD8E2E6235
              • TlsSetValue.KERNEL32(?,?,00000000,00007FFD8E2E5CBA,?,?,00000000,00007FFD8E2E47ED,?,?,?,?,00007FFD8E2E1C37), ref: 00007FFD8E2E624C
              Strings
              Memory Dump Source
              • Source File: 00000022.00000002.4624011762.00007FFD8E1B1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFD8E1B0000, based on PE: true
              • Associated: 00000022.00000002.4623987867.00007FFD8E1B0000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624644715.00007FFD8E2EE000.00000002.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624787910.00007FFD8E31D000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4624947940.00007FFD8E320000.00000008.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625047268.00007FFD8E321000.00000004.00000001.01000000.0000000E.sdmp
              • Associated: 00000022.00000002.4625194425.00007FFD8E324000.00000002.00000001.01000000.0000000E.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_34_2_7ffd8e1b0000_Service.jbxd
              Similarity
              • API ID: Valuetry_get_function
              • String ID: FlsSetValue
              • API String ID: 738293619-3750699315
              • Opcode ID: 6c623e2a00096b0839e064d8c69010e4eef44c071450a3cda0d12956c4a57d8a
              • Instruction ID: 04425972d892568f9fd0411ea59673002262b36989b54993357d6f595a7b709e
              • Opcode Fuzzy Hash: 6c623e2a00096b0839e064d8c69010e4eef44c071450a3cda0d12956c4a57d8a
              • Instruction Fuzzy Hash: 27E06D61B18A43C1FB155BE4F8386F67222BF88780F485036D91D0A696DE3CED84CB10

              Execution Graph

              Execution Coverage:7.4%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:1.2%
              Total number of Nodes:763
              Total number of Limit Nodes:19
              • Execution graph: node/edge listing for the module at 7ff7df230000 (functions 7ff7df235350, 7ff7df236ec0, 7ff7df234e40, 7ff7df235540, 7ff7df2353a0, 7ff7df235c80, 7ff7df234180, 7ff7df2329c0, 7ff7df233f80, 7ff7df2369c0, 7ff7df233a1c and callees), calling LoadStringW, GetFullPathNameW, GetFileAttributesW, LoadLibraryW, GetProcAddress, FreeLibrary, SetupDiGetINFClassW, SetupDiCreateDeviceInfoList, SetupDiCreateDeviceInfoW, SetupDiSetDeviceRegistryPropertyW, SetupDiCallClassInstaller, SetupDiDestroyDeviceInfoList, SetupDiClassGuidsFromNameExW, SetupDiOpenClassRegKeyExW, SetupDiGetClassDevsExW, SetupDiEnumDeviceInfo, SetupDiGetClassDescriptionExW, SetupDiClassNameFromGuidExW, SetupDiGetDeviceInfoListDetailW, SetupDiGetDeviceRegistryPropertyW, SetupDiBuildClassInfoListExW, CM_Get_Device_ID_ExW, RegQueryValueExW, RegSetValueExW, RegDeleteValueW, RegCloseKey, OpenSCManagerW, OpenServiceW, CloseServiceHandle, GetWindowsDirectoryW, FindFirstFileW, FindNextFileW, FindClose, SetupFindFirstLineW, SetupGetStringFieldW, SetupCloseInfFile, CLSIDFromString, FormatMessageW, CharPrevW, LocalFree, GetLastError, _wcsicmp, malloc, memset, wprintf, fputs and fputws; graph data omitted (listing is cut off in the source)
2293->2296 2294->2288 2301 7ff7df233d9a 2295->2301 2298 7ff7df233d2a 2296->2298 2299 7ff7df233d3e SetupGetStringFieldW 2297->2299 2298->2299 2300 7ff7df233d6a 2299->2300 2299->2301 2303 7ff7df231094 4 API calls 2300->2303 2302 7ff7df231094 4 API calls 2301->2302 2302->2277 2304 7ff7df233d83 2303->2304 2304->2277 2306 7ff7df233a45 SetupOpenInfFileW 2305->2306 2306->2257 2306->2258 2307 7ff7df236bc0 2309 7ff7df236bd2 2307->2309 2314 7ff7df2371b8 GetModuleHandleW 2309->2314 2310 7ff7df236c39 __set_app_type 2311 7ff7df236c76 2310->2311 2312 7ff7df236c8c 2311->2312 2313 7ff7df236c7f __setusermatherr 2311->2313 2313->2312 2315 7ff7df2371cd 2314->2315 2315->2310 2358 7ff7df236e6b 2359 7ff7df236e7a _exit 2358->2359 2360 7ff7df236e83 2358->2360 2359->2360 2361 7ff7df236e98 2360->2361 2362 7ff7df236e8c _cexit 2360->2362 2362->2361 2363 7ff7df237130 SetUnhandledExceptionFilter 1953 7ff7df236cf0 1954 7ff7df236d14 1953->1954 1955 7ff7df236d26 1954->1955 1956 7ff7df236d2f Sleep 1954->1956 1957 7ff7df236d4b _amsg_exit 1955->1957 1959 7ff7df236d57 1955->1959 1956->1954 1957->1959 1958 7ff7df236dc6 _initterm 1961 7ff7df236de3 _IsNonwritableInCurrentImage 1958->1961 1959->1958 1960 7ff7df236dac 1959->1960 1959->1961 1967 7ff7df231fd0 wcsrchr 1961->1967 1964 7ff7df236e4c exit 1965 7ff7df236e54 1964->1965 1965->1960 1966 7ff7df236e5d _cexit 1965->1966 1966->1960 1968 7ff7df232028 CharNextW 1967->1968 1974 7ff7df232022 1967->1974 1968->1974 1969 7ff7df232139 2002 7ff7df231094 FormatMessageW 1969->2002 1970 7ff7df2320de CharNextW 1973 7ff7df2320f0 1970->1973 1971 7ff7df232105 _wcsicmp 1971->1973 1973->1969 1973->1971 1975 7ff7df232171 1973->1975 1974->1969 1974->1970 1974->1973 1984 7ff7df2359f0 1975->1984 1977 7ff7df2321f8 1978 7ff7df2321ff 1977->1978 1982 7ff7df232153 1977->1982 2009 7ff7df2311c4 GetCurrentProcess OpenProcessToken 1978->2009 1980 7ff7df2321c4 1981 7ff7df231094 4 API calls 1980->1981 1981->1982 1982->1964 1982->1965 1985 7ff7df235a2e 1984->1985 1986 7ff7df235b1a 
1984->1986 1985->1986 1987 7ff7df235a37 LoadStringW 1985->1987 2043 7ff7df236ef0 1986->2043 1987->1986 1989 7ff7df235a5a LoadStringW 1987->1989 1989->1986 1991 7ff7df235a80 LoadStringW 1989->1991 1991->1986 1992 7ff7df235aa8 1991->1992 2016 7ff7df231a20 1992->2016 1995 7ff7df235b1c 1997 7ff7df235b3c 1995->1997 1998 7ff7df235b23 1995->1998 1996 7ff7df235b08 1999 7ff7df231094 4 API calls 1996->1999 2001 7ff7df231094 4 API calls 1997->2001 2000 7ff7df231094 4 API calls 1998->2000 1999->1986 2000->1986 2001->1986 2003 7ff7df23116d 2002->2003 2005 7ff7df2310fe 2002->2005 2003->1982 2004 7ff7df231161 LocalFree 2004->2003 2005->2004 2006 7ff7df231109 CharPrevW 2005->2006 2007 7ff7df231131 fputws 2005->2007 2006->2005 2007->2004 2010 7ff7df231270 InitiateSystemShutdownExW 2009->2010 2011 7ff7df231200 LookupPrivilegeValueW 2009->2011 2014 7ff7df236ef0 7 API calls 2010->2014 2012 7ff7df231223 AdjustTokenPrivileges 2011->2012 2013 7ff7df231264 CloseHandle 2011->2013 2012->2013 2013->2010 2015 7ff7df2312a3 2014->2015 2015->1982 2051 7ff7df236b70 2016->2051 2018 7ff7df231fa3 2019 7ff7df236ef0 7 API calls 2018->2019 2020 7ff7df231fb5 2019->2020 2020->1986 2020->1995 2020->1996 2022 7ff7df231c25 2025 7ff7df231c39 SetupDiCreateDeviceInfoListExW 2022->2025 2026 7ff7df231c62 SetupDiGetClassDevsExW 2022->2026 2023 7ff7df231ae0 SetupDiClassGuidsFromNameExW 2024 7ff7df231b0d GetLastError 2023->2024 2028 7ff7df231b22 2023->2028 2024->2028 2032 7ff7df231b2c 2024->2032 2034 7ff7df231ca8 2025->2034 2026->2034 2027 7ff7df231ba3 CharNextW 2027->2028 2028->2022 2028->2027 2029 7ff7df231bda wcschr 2028->2029 2030 7ff7df231bc7 CharNextW 2028->2030 2028->2032 2029->2028 2030->2028 2031 7ff7df231d07 SetupDiGetDeviceInfoListDetailW 2031->2032 2035 7ff7df231d2b SetupDiEnumDeviceInfo 2031->2035 2032->2018 2033 7ff7df231f94 SetupDiDestroyDeviceInfoList 2032->2033 2033->2018 2034->2031 2034->2032 2036 7ff7df231cdb SetupDiOpenDeviceInfoW 2034->2036 2037 7ff7df231d02 2034->2037 2035->2032 2039 
7ff7df231d6b 2035->2039 2036->2034 2037->2031 2038 7ff7df231f3d SetupDiEnumDeviceInfo 2038->2032 2038->2039 2039->2032 2039->2038 2040 7ff7df231da1 CM_Get_Device_ID_ExW 2039->2040 2041 7ff7df23182c 11 API calls 2039->2041 2042 7ff7df2315e8 GetLastError SetupDiGetDeviceRegistryPropertyW malloc 2039->2042 2040->2039 2041->2039 2042->2039 2044 7ff7df236ef9 2043->2044 2045 7ff7df236f50 RtlCaptureContext RtlLookupFunctionEntry 2044->2045 2046 7ff7df2321b7 2044->2046 2047 7ff7df236fd7 2045->2047 2048 7ff7df236f95 RtlVirtualUnwind 2045->2048 2046->1977 2046->1980 2046->1982 2055 7ff7df236f14 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2047->2055 2048->2047 2052 7ff7df236b8e malloc 2051->2052 2053 7ff7df231aab 2052->2053 2054 7ff7df236b7f 2052->2054 2053->2018 2053->2023 2053->2028 2054->2052 2054->2053 2364 7ff7df234670 2365 7ff7df23469b 2364->2365 2372 7ff7df234693 2364->2372 2366 7ff7df231a20 34 API calls 2365->2366 2367 7ff7df2346c6 2366->2367 2368 7ff7df2346d2 2367->2368 2369 7ff7df2346f5 2367->2369 2367->2372 2370 7ff7df231094 4 API calls 2368->2370 2371 7ff7df231094 4 API calls 2369->2371 2370->2372 2371->2372 2373 7ff7df2370f0 2374 7ff7df237122 2373->2374 2375 7ff7df2370ff 2373->2375 2375->2374 2376 7ff7df23711b ?terminate@ 2375->2376 2376->2374 2377 7ff7df234530 2378 7ff7df23455e 2377->2378 2379 7ff7df234554 2377->2379 2380 7ff7df232214 11 API calls 2378->2380 2381 7ff7df232300 14 API calls 2379->2381 2382 7ff7df234566 2380->2382 2383 7ff7df234559 2381->2383 2382->2383 2384 7ff7df2345c7 2382->2384 2386 7ff7df2312b0 3 API calls 2382->2386 2385 7ff7df2345e1 2384->2385 2405 7ff7df232370 2384->2405 2389 7ff7df2345f3 2385->2389 2417 7ff7df232454 SetupDiGetDeviceInfoListDetailW 2385->2417 2388 7ff7df234585 2386->2388 2390 7ff7df23459b 2388->2390 2393 7ff7df2312b0 3 API calls 2388->2393 2392 7ff7df234605 2389->2392 2447 7ff7df2327f8 SetupDiGetDeviceInfoListDetailW 2389->2447 2390->2384 2394 7ff7df231184 fputs 2390->2394 2396 
7ff7df234617 2392->2396 2468 7ff7df232e8c memset 2392->2468 2393->2390 2401 7ff7df2345ad 2394->2401 2400 7ff7df234629 2396->2400 2497 7ff7df23377c SetupDiGetDeviceInfoListDetailW 2396->2497 2399 7ff7df23463b 2399->2383 2571 7ff7df2332c4 2399->2571 2400->2399 2550 7ff7df2331d0 2400->2550 2404 7ff7df231094 4 API calls 2401->2404 2404->2384 2406 7ff7df231184 fputs 2405->2406 2407 7ff7df232394 2406->2407 2408 7ff7df2312b0 3 API calls 2407->2408 2409 7ff7df2323a5 2408->2409 2410 7ff7df2312b0 3 API calls 2409->2410 2411 7ff7df2323b9 2410->2411 2412 7ff7df2323dd 2411->2412 2413 7ff7df2323c6 2411->2413 2414 7ff7df231094 4 API calls 2412->2414 2415 7ff7df231094 4 API calls 2413->2415 2416 7ff7df2323db 2414->2416 2415->2416 2416->2385 2418 7ff7df2324af CM_Get_DevNode_Status_Ex 2417->2418 2419 7ff7df2325d0 2417->2419 2421 7ff7df2324da 2418->2421 2422 7ff7df23250f 2418->2422 2420 7ff7df231184 fputs 2419->2420 2424 7ff7df2325dc 2420->2424 2421->2419 2425 7ff7df2324e8 2421->2425 2423 7ff7df23253e 2422->2423 2426 7ff7df232524 2422->2426 2429 7ff7df231184 fputs 2423->2429 2444 7ff7df232569 2423->2444 2435 7ff7df231094 4 API calls 2424->2435 2427 7ff7df231184 fputs 2425->2427 2428 7ff7df231184 fputs 2426->2428 2431 7ff7df2324f4 2427->2431 2428->2431 2430 7ff7df232550 2429->2430 2441 7ff7df231094 4 API calls 2430->2441 2442 7ff7df231094 4 API calls 2431->2442 2432 7ff7df231184 fputs 2437 7ff7df23257c 2432->2437 2433 7ff7df232598 2438 7ff7df231184 fputs 2433->2438 2434 7ff7df2325b0 2436 7ff7df232508 2434->2436 2439 7ff7df231184 fputs 2434->2439 2435->2436 2440 7ff7df236ef0 7 API calls 2436->2440 2445 7ff7df231094 4 API calls 2437->2445 2438->2431 2439->2431 2443 7ff7df232601 2440->2443 2441->2444 2442->2436 2443->2389 2444->2432 2446 7ff7df232590 2444->2446 2445->2446 2446->2433 2446->2434 2448 7ff7df232934 2447->2448 2449 7ff7df232852 CM_Get_DevNode_Status_Ex 2447->2449 2451 7ff7df236ef0 7 API calls 2448->2451 2449->2448 2450 7ff7df232881 2449->2450 2452 7ff7df23288b 
CM_Get_First_Log_Conf_Ex 2450->2452 2453 7ff7df2328b0 CM_Get_First_Log_Conf_Ex 2450->2453 2454 7ff7df23299a 2451->2454 2452->2453 2455 7ff7df23293b 2452->2455 2453->2455 2456 7ff7df2328d3 2453->2456 2454->2392 2457 7ff7df231184 fputs 2455->2457 2458 7ff7df2328e4 CM_Get_First_Log_Conf_Ex 2456->2458 2459 7ff7df232907 2456->2459 2460 7ff7df232945 2457->2460 2458->2455 2458->2459 2461 7ff7df231184 fputs 2459->2461 2463 7ff7df231094 4 API calls 2460->2463 2462 7ff7df232911 2461->2462 2465 7ff7df231094 4 API calls 2462->2465 2464 7ff7df232967 2463->2464 2604 7ff7df232620 CM_Get_Next_Res_Des_Ex 2464->2604 2465->2448 2617 7ff7df232a04 2468->2617 2471 7ff7df232f27 SetupDiGetDriverInfoDetailW 2474 7ff7df232f79 2471->2474 2475 7ff7df232f64 GetLastError 2471->2475 2472 7ff7df232f02 2473 7ff7df231184 fputs 2472->2473 2477 7ff7df232f0c 2473->2477 2476 7ff7df2330f5 SetupDiDestroyDriverInfoList 2474->2476 2478 7ff7df232f95 SetupDiSetSelectedDriverW 2474->2478 2475->2474 2475->2476 2479 7ff7df23311f 2476->2479 2480 7ff7df233110 SetupCloseFileQueue 2476->2480 2485 7ff7df231094 4 API calls 2477->2485 2478->2476 2482 7ff7df232fb6 SetupOpenFileQueue 2478->2482 2481 7ff7df232f20 2479->2481 2483 7ff7df231184 fputs 2479->2483 2480->2479 2488 7ff7df236ef0 7 API calls 2481->2488 2482->2476 2484 7ff7df232fcf memset SetupDiGetDeviceInstallParamsW 2482->2484 2486 7ff7df23312a 2483->2486 2484->2476 2487 7ff7df233008 SetupDiSetDeviceInstallParamsW 2484->2487 2485->2481 2492 7ff7df231094 4 API calls 2486->2492 2487->2476 2489 7ff7df233031 SetupDiCallClassInstaller 2487->2489 2490 7ff7df23314f 2488->2490 2489->2476 2491 7ff7df233050 SetupScanFileQueueW 2489->2491 2490->2396 2493 7ff7df231184 fputs 2491->2493 2492->2481 2494 7ff7df233092 2493->2494 2495 7ff7df231094 4 API calls 2494->2495 2496 7ff7df2330c7 SetupScanFileQueueW 2495->2496 2496->2476 2498 7ff7df2337d1 SetupDiOpenClassRegKeyExW 2497->2498 2538 7ff7df2339db 2497->2538 2499 7ff7df233858 2498->2499 2500 7ff7df233814 2498->2500 2646 
7ff7df2315e8 2499->2646 2503 7ff7df231720 3 API calls 2500->2503 2501 7ff7df236ef0 7 API calls 2504 7ff7df2339f6 2501->2504 2506 7ff7df233823 2503->2506 2504->2400 2505 7ff7df233871 2507 7ff7df2338a6 2505->2507 2510 7ff7df231184 fputs 2505->2510 2506->2499 2511 7ff7df231184 fputs 2506->2511 2508 7ff7df2312b0 3 API calls 2507->2508 2509 7ff7df2338bf 2508->2509 2512 7ff7df231184 fputs 2509->2512 2513 7ff7df233886 2510->2513 2514 7ff7df233838 2511->2514 2515 7ff7df2338ca 2512->2515 2517 7ff7df231094 4 API calls 2513->2517 2516 7ff7df231094 4 API calls 2514->2516 2519 7ff7df231094 4 API calls 2515->2519 2518 7ff7df23384d 2516->2518 2520 7ff7df23389b 2517->2520 2522 7ff7df233174 2 API calls 2518->2522 2523 7ff7df2338df 2519->2523 2521 7ff7df233174 2 API calls 2520->2521 2521->2507 2522->2499 2524 7ff7df23390a 2523->2524 2526 7ff7df2338ea 2523->2526 2525 7ff7df231184 fputs 2524->2525 2527 7ff7df233912 2525->2527 2528 7ff7df231184 fputs 2526->2528 2531 7ff7df231094 4 API calls 2527->2531 2529 7ff7df2338f2 wprintf 2528->2529 2530 7ff7df233927 2529->2530 2532 7ff7df233995 2530->2532 2534 7ff7df231720 3 API calls 2530->2534 2531->2530 2533 7ff7df2315e8 3 API calls 2532->2533 2535 7ff7df2339a6 2533->2535 2536 7ff7df233949 2534->2536 2535->2538 2540 7ff7df231184 fputs 2535->2540 2537 7ff7df233986 RegCloseKey 2536->2537 2539 7ff7df23397e 2536->2539 2541 7ff7df231184 fputs 2536->2541 2537->2532 2538->2501 2539->2537 2543 7ff7df2339bb 2540->2543 2542 7ff7df23395e 2541->2542 2545 7ff7df231094 4 API calls 2542->2545 2544 7ff7df231094 4 API calls 2543->2544 2546 7ff7df2339d0 2544->2546 2547 7ff7df233973 2545->2547 2548 7ff7df233174 2 API calls 2546->2548 2549 7ff7df233174 2 API calls 2547->2549 2548->2538 2549->2539 2551 7ff7df2315e8 3 API calls 2550->2551 2552 7ff7df2331f7 2551->2552 2553 7ff7df2315e8 3 API calls 2552->2553 2554 7ff7df233209 2553->2554 2555 7ff7df233240 2554->2555 2557 7ff7df231184 fputs 2554->2557 2556 7ff7df233275 2555->2556 2560 7ff7df231184 fputs 2555->2560 
2559 7ff7df231184 fputs 2556->2559 2563 7ff7df233294 2556->2563 2558 7ff7df233221 2557->2558 2564 7ff7df231094 4 API calls 2558->2564 2561 7ff7df233280 2559->2561 2562 7ff7df233254 2560->2562 2567 7ff7df231094 4 API calls 2561->2567 2565 7ff7df231094 4 API calls 2562->2565 2563->2399 2566 7ff7df233235 2564->2566 2568 7ff7df233268 2565->2568 2569 7ff7df233174 2 API calls 2566->2569 2567->2563 2570 7ff7df233174 2 API calls 2568->2570 2569->2555 2570->2556 2572 7ff7df237510 2571->2572 2573 7ff7df2332e6 memset memset SetupDiGetDeviceInstallParamsW 2572->2573 2574 7ff7df233744 2573->2574 2575 7ff7df23335a SetupDiSetDeviceInstallParamsW 2573->2575 2579 7ff7df236ef0 7 API calls 2574->2579 2575->2574 2576 7ff7df23337f SetupDiBuildDriverInfoList 2575->2576 2577 7ff7df233729 2576->2577 2578 7ff7df2333a3 SetupDiEnumDriverInfoW 2576->2578 2580 7ff7df231184 fputs 2577->2580 2581 7ff7df23370f SetupDiDestroyDriverInfoList 2578->2581 2584 7ff7df2333d5 2578->2584 2582 7ff7df23375a 2579->2582 2583 7ff7df233730 2580->2583 2581->2574 2581->2577 2582->2383 2585 7ff7df231094 4 API calls 2583->2585 2586 7ff7df231094 4 API calls 2584->2586 2600 7ff7df2336d4 SetupDiEnumDriverInfoW 2584->2600 2601 7ff7df231094 FormatMessageW CharPrevW fputws LocalFree 2584->2601 2602 7ff7df231184 fputs 2584->2602 2603 7ff7df231094 4 API calls 2584->2603 2585->2574 2587 7ff7df2333ef SetupDiGetDriverInfoDetailW 2586->2587 2588 7ff7df23342b GetLastError 2587->2588 2591 7ff7df23343c 2587->2591 2588->2591 2589 7ff7df231094 FormatMessageW CharPrevW fputws LocalFree 2589->2591 2590 7ff7df231184 fputs 2590->2591 2591->2589 2591->2590 2592 7ff7df231094 4 API calls 2591->2592 2593 7ff7df2334e6 FileTimeToSystemTime 2592->2593 2594 7ff7df233535 2593->2594 2595 7ff7df233502 GetDateFormatW 2593->2595 2596 7ff7df231184 fputs 2594->2596 2597 7ff7df231094 4 API calls 2594->2597 2598 7ff7df231094 4 API calls 2594->2598 2595->2594 2596->2594 2599 7ff7df2335a0 SetupDiGetDriverInstallParamsW 2597->2599 2598->2594 2599->2584 
2599->2600 2600->2581 2600->2584 2601->2584 2602->2584 2603->2600 2605 7ff7df2327dc CM_Free_Log_Conf_Handle 2604->2605 2613 7ff7df232679 2604->2613 2605->2448 2606 7ff7df23268d CM_Get_Res_Des_Data_Size_Ex 2608 7ff7df23279c CM_Get_Next_Res_Des_Ex 2606->2608 2606->2613 2607 7ff7df23267e CM_Free_Res_Des_Handle 2607->2606 2609 7ff7df2327c8 2608->2609 2608->2613 2609->2605 2611 7ff7df2327cd CM_Free_Res_Des_Handle 2609->2611 2610 7ff7df236b70 malloc 2610->2613 2611->2605 2612 7ff7df2326c6 CM_Get_Res_Des_Data_Ex 2612->2613 2613->2606 2613->2607 2613->2608 2613->2610 2613->2612 2614 7ff7df23277b wprintf 2613->2614 2615 7ff7df231184 fputs 2613->2615 2616 7ff7df232717 wprintf 2613->2616 2614->2613 2615->2613 2616->2613 2618 7ff7df232a26 2617->2618 2619 7ff7df232a57 SetupDiGetDeviceInstallParamsW 2618->2619 2620 7ff7df232a7e SetupDiSetDeviceInstallParamsW 2619->2620 2645 7ff7df232ae6 2619->2645 2621 7ff7df232aed SetupDiOpenDevRegKey 2620->2621 2622 7ff7df232aad SetupDiBuildDriverInfoList 2620->2622 2624 7ff7df232e4a RegCloseKey 2621->2624 2625 7ff7df232b24 RegQueryValueExW 2621->2625 2623 7ff7df232ac1 SetupDiEnumDriverInfoW 2622->2623 2622->2645 2623->2645 2624->2645 2627 7ff7df232e47 2625->2627 2628 7ff7df232b65 2625->2628 2626 7ff7df236ef0 7 API calls 2629 7ff7df232e67 2626->2629 2627->2624 2628->2627 2630 7ff7df232b6f RegQueryValueExW 2628->2630 2629->2471 2629->2472 2630->2627 2631 7ff7df232bb4 2630->2631 2631->2627 2632 7ff7df232bbe RegQueryValueExW 2631->2632 2632->2627 2633 7ff7df232bfe 2632->2633 2633->2627 2634 7ff7df232c08 RegQueryValueExW RegCloseKey 2633->2634 2635 7ff7df232c59 2634->2635 2634->2645 2636 7ff7df232c63 SetupDiGetDeviceRegistryPropertyW 2635->2636 2635->2645 2637 7ff7df232c9d SetupDiSetDeviceInstallParamsW 2636->2637 2636->2645 2638 7ff7df232cc8 SetupDiBuildDriverInfoList 2637->2638 2637->2645 2639 7ff7df232ce5 SetupDiEnumDriverInfoW 2638->2639 2638->2645 2640 7ff7df232e2a SetupDiDestroyDriverInfoList 2639->2640 2644 7ff7df232d0c 2639->2644 
2640->2645 2641 7ff7df232e03 SetupDiEnumDriverInfoW 2641->2640 2641->2644 2642 7ff7df232d69 SetupDiGetDriverInfoDetailW 2643 7ff7df232da0 GetLastError 2642->2643 2642->2644 2643->2641 2643->2644 2644->2641 2644->2642 2644->2645 2645->2626 2647 7ff7df236b70 malloc 2646->2647 2653 7ff7df231613 2647->2653 2648 7ff7df2316ed 2648->2505 2649 7ff7df2316a8 SetupDiGetDeviceRegistryPropertyW 2650 7ff7df231639 GetLastError 2649->2650 2651 7ff7df2316cf 2649->2651 2650->2648 2650->2653 2652 7ff7df2313dc malloc 2651->2652 2652->2648 2653->2648 2653->2649 2654 7ff7df236b70 malloc 2653->2654 2654->2653 2655 7ff7df236830 2656 7ff7df236879 GetFullPathNameW 2655->2656 2657 7ff7df236871 2655->2657 2658 7ff7df23689f 2656->2658 2659 7ff7df236912 2656->2659 2661 7ff7df236ef0 7 API calls 2657->2661 2658->2659 2660 7ff7df2368aa LoadLibraryW 2658->2660 2665 7ff7df231094 4 API calls 2659->2665 2660->2657 2662 7ff7df2368c9 GetProcAddress 2660->2662 2663 7ff7df2369a0 2661->2663 2664 7ff7df2368e8 2662->2664 2671 7ff7df23695f 2662->2671 2667 7ff7df2368ff GetLastError 2664->2667 2668 7ff7df236943 2664->2668 2665->2671 2666 7ff7df23697f FreeLibrary 2666->2657 2667->2659 2669 7ff7df236919 GetLastError 2667->2669 2670 7ff7df231094 4 API calls 2668->2670 2669->2659 2670->2671 2671->2657 2671->2666 2672 7ff7df2365f0 2673 7ff7df236618 2672->2673 2678 7ff7df236644 2672->2678 2674 7ff7df23661a _wcsicmp 2673->2674 2673->2678 2674->2673 2675 7ff7df236662 2674->2675 2676 7ff7df231a20 34 API calls 2675->2676 2675->2678 2677 7ff7df2366b1 2676->2677 2677->2678 2679 7ff7df2366db 2677->2679 2680 7ff7df2366bf 2677->2680 2681 7ff7df2366f8 2679->2681 2682 7ff7df2366e0 2679->2682 2683 7ff7df231094 4 API calls 2680->2683 2685 7ff7df231094 4 API calls 2681->2685 2684 7ff7df231094 4 API calls 2682->2684 2683->2678 2684->2678 2685->2678 2686 7ff7df2361f0 SetupDiGetDeviceInfoListDetailW 2687 7ff7df23625a CM_Get_Device_ID_ExW 2686->2687 2702 7ff7df2362f0 2686->2702 2688 7ff7df23628b CM_Get_DevNode_Status_Ex 2687->2688 
2687->2702 2690 7ff7df2362b9 2688->2690 2688->2702 2689 7ff7df236ef0 7 API calls 2691 7ff7df236306 2689->2691 2692 7ff7df236322 2690->2692 2693 7ff7df2362c0 wprintf 2690->2693 2694 7ff7df2315e8 3 API calls 2692->2694 2695 7ff7df2362e3 2693->2695 2696 7ff7df236331 2694->2696 2697 7ff7df231094 4 API calls 2695->2697 2698 7ff7df2314a0 malloc 2696->2698 2709 7ff7df236340 2696->2709 2697->2702 2698->2709 2699 7ff7df236539 wprintf 2700 7ff7df2365a2 wprintf 2699->2700 2701 7ff7df236560 2699->2701 2700->2702 2703 7ff7df23656d wprintf 2701->2703 2704 7ff7df236580 wprintf 2701->2704 2702->2689 2703->2704 2704->2700 2704->2701 2705 7ff7df236b70 malloc 2705->2709 2706 7ff7df2363fe _wcsicmp 2706->2709 2707 7ff7df2314a0 malloc 2707->2709 2708 7ff7df236446 _wcsicmp 2708->2709 2709->2699 2709->2702 2709->2705 2709->2706 2709->2707 2709->2708 2711 7ff7df2364cc 2709->2711 2710 7ff7df23651b SetupDiSetDeviceRegistryPropertyW 2710->2699 2710->2702 2711->2702 2711->2710 2711->2711 2712 7ff7df2349b0 2713 7ff7df2349c5 2712->2713 2714 7ff7df234a1f 2712->2714 2713->2714 2715 7ff7df231a20 34 API calls 2713->2715 2716 7ff7df2349fb 2715->2716 2716->2714 2717 7ff7df234a0a 2716->2717 2718 7ff7df234a21 2716->2718 2719 7ff7df231094 4 API calls 2717->2719 2720 7ff7df231094 4 API calls 2718->2720 2719->2714 2720->2714 2721 7ff7df234cb0 2722 7ff7df234cff SetupDiSetClassInstallParamsW 2721->2722 2723 7ff7df234d05 SetupDiSetClassInstallParamsW 2721->2723 2726 7ff7df234e02 2722->2726 2727 7ff7df234d8f SetupDiCallClassInstaller 2722->2727 2723->2722 2725 7ff7df234d33 SetupDiCallClassInstaller 2723->2725 2725->2722 2728 7ff7df232214 11 API calls 2726->2728 2727->2726 2729 7ff7df234daa SetupDiGetDeviceInstallParamsW 2727->2729 2735 7ff7df234de6 2728->2735 2730 7ff7df234dcd 2729->2730 2731 7ff7df234def 2729->2731 2730->2731 2733 7ff7df234dd7 2730->2733 2734 7ff7df232214 11 API calls 2731->2734 2732 7ff7df236ef0 7 API calls 2736 7ff7df234e22 2732->2736 2737 7ff7df232214 11 API calls 2733->2737 2734->2735 
2735->2732 2737->2735 2738 7ff7df235770 LoadLibraryW 2739 7ff7df2357d1 GetProcAddress 2738->2739 2740 7ff7df2357b4 2738->2740 2741 7ff7df2357ef FreeLibrary 2739->2741 2742 7ff7df235800 2739->2742 2743 7ff7df2353a0 16 API calls 2740->2743 2741->2740 2745 7ff7df2353a0 16 API calls 2742->2745 2744 7ff7df2357cf 2743->2744 2746 7ff7df235828 FreeLibrary 2745->2746 2746->2744 2748 7ff7df235870 SetupDiGetDeviceInfoListDetailW 2749 7ff7df2359b9 2748->2749 2750 7ff7df2358c2 CM_Get_Device_ID_ExW 2748->2750 2751 7ff7df236ef0 7 API calls 2749->2751 2750->2749 2752 7ff7df2358f3 SetupDiSetClassInstallParamsW 2750->2752 2753 7ff7df2359ca 2751->2753 2754 7ff7df235938 SetupDiCallClassInstaller 2752->2754 2757 7ff7df23597a wprintf 2752->2757 2756 7ff7df235953 SetupDiGetDeviceInstallParamsW 2754->2756 2754->2757 2756->2757 2757->2749 2056 7ff7df236ca0 __wgetmainargs 2776 7ff7df233e20 2777 7ff7df233ed1 2776->2777 2782 7ff7df233e52 2776->2782 2781 7ff7df231094 4 API calls 2777->2781 2778 7ff7df233e8e 2778->2777 2780 7ff7df233eb2 2778->2780 2779 7ff7df233e65 _wcsicmp 2779->2778 2779->2782 2784 7ff7df231094 4 API calls 2780->2784 2785 7ff7df233ef2 2781->2785 2782->2778 2782->2779 2783 7ff7df233ecc 2784->2783 2785->2783 2786 7ff7df231094 4 API calls 2785->2786 2787 7ff7df233f2d fputs 2785->2787 2786->2785 2787->2785 2788 7ff7df236720 2789 7ff7df236759 2788->2789 2790 7ff7df236761 GetFullPathNameW 2788->2790 2792 7ff7df236ef0 7 API calls 2789->2792 2791 7ff7df236788 SetupCopyOEMInfW 2790->2791 2794 7ff7df2367d0 2790->2794 2793 7ff7df2367dc 2791->2793 2791->2794 2795 7ff7df236820 2792->2795 2796 7ff7df231094 4 API calls 2793->2796 2797 7ff7df231094 4 API calls 2794->2797 2796->2789 2797->2789 2816 7ff7df235ba0 2817 7ff7df235bbf CM_Connect_MachineW 2816->2817 2818 7ff7df235be0 CM_Locate_DevNode_ExW 2816->2818 2819 7ff7df235bdb 2817->2819 2820 7ff7df235c5f 2817->2820 2821 7ff7df235bfa 2818->2821 2827 7ff7df235c47 2818->2827 2819->2818 2823 7ff7df231094 4 API calls 2821->2823 2822 7ff7df235c53 
CM_Disconnect_Machine 2822->2820 2824 7ff7df235c17 CM_Reenumerate_DevNode_Ex 2823->2824 2825 7ff7df235c32 2824->2825 2824->2827 2826 7ff7df231094 4 API calls 2825->2826 2826->2827 2827->2820 2827->2822 2855 7ff7df237563 _XcptFilter

              Callgraph

              [Rendered callgraph residue: the function/edge list is not reproduced. The graph covers 82 functions named Function_00007FF7DF2xxxxx by start address (from Function_00007FF7DF231008 to Function_00007FF7DF237590) in the analysed image, with the viewer legend Executed / Not Executed / Opacity -> Relevance / Disassembly available. Most functions route through the shared helpers Function_00007FF7DF231094 (error reporting), Function_00007FF7DF231184 (fputs), Function_00007FF7DF231A20 (device enumeration), Function_00007FF7DF236B70 (malloc) and Function_00007FF7DF236EF0 (exception handling).]

              Control-flow Graph

              [Rendered control-flow-graph residue for the function at 7ff7df231a20 (basic blocks 7ff7df231a20-7ff7df231fc8); the block/edge list is not reproduced, and the viewer legend Executed / Not Executed is dropped. Calls made from this function: 7ff7df236b70, 7ff7df236ef0, 7ff7df236bb0, 7ff7df23182c, 7ff7df2315e8, 7ff7df2315b4, SetupDiClassGuidsFromNameExW, GetLastError, CharNextW, wcschr, SetupDiCreateDeviceInfoListExW, SetupDiGetClassDevsExW, SetupDiGetDeviceInfoListDetailW, SetupDiEnumDeviceInfo, SetupDiOpenDeviceInfoW, SetupDiDestroyDeviceInfoList, CM_Get_Device_ID_ExW.]
              APIs
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: Setup$DeviceInfo$List$CharClassEnumNext$CreateDestroyDetailDevice_DevsErrorFromGet_GuidsLastNameOpenmallocwcschr
              • String ID:
              • API String ID: 43639810-0
              • Opcode ID: d41a9043a0705f584194fec2f2fc8c1674a380258fb798434675f33b760b6502
              • Instruction ID: b85119a1a781d57cc69684d518d9c50211085be27a788e1be6a65b22be78c5bb
              • Opcode Fuzzy Hash: d41a9043a0705f584194fec2f2fc8c1674a380258fb798434675f33b760b6502
              • Instruction Fuzzy Hash: 54F18FB2A08A8296EB109B55E4512FDB7E0FB8AB98FD0413ADA4D47B94DF3CE445C710

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: DeviceErrorLastPropertyRegistrySetupmalloc
              • String ID:
              • API String ID: 3222414921-0
              • Opcode ID: 090b46064aa7c0e42f17cac93464e8602f3f87fbcec76419732d820bd4227342
              • Instruction ID: 8ede08da112b6493f5c7756d95b9a4b3fcad02a1e78c3e8073902fa8f6056c46
              • Opcode Fuzzy Hash: 090b46064aa7c0e42f17cac93464e8602f3f87fbcec76419732d820bd4227342
              • Instruction Fuzzy Hash: 5221B6626087C195EB549F11A4116BEB7E4FB89B90FD8423AEE9E43795DF3CE4418F00

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
              • String ID:
              • API String ID: 4291973834-0
              • Opcode ID: 706a97d6c57b6583ab6d2954fa5cc554724fb3c63a47e31049ab5f7dc56f8480
              • Instruction ID: 560d62939d5ef026dc44fc959b7df3fa7f88c90443496c309198d680182877f8
              • Opcode Fuzzy Hash: 706a97d6c57b6583ab6d2954fa5cc554724fb3c63a47e31049ab5f7dc56f8480
              • Instruction Fuzzy Hash: 9B41C6A1A0C68686FB50BF55E840AFEAAE4AF44744FC4053FD90D876A5DF7CF8448760

              Control-flow Graph

              control_flow_graph 135 7ff7df231fd0-7ff7df232020 wcsrchr 136 7ff7df232028-7ff7df232037 CharNextW 135->136 137 7ff7df232022-7ff7df232026 135->137 138 7ff7df23203a-7ff7df232043 136->138 137->138 139 7ff7df2320c0-7ff7df2320c7 138->139 140 7ff7df232045-7ff7df23204a 138->140 141 7ff7df232139-7ff7df232153 call 7ff7df237418 call 7ff7df231094 139->141 142 7ff7df2320c9-7ff7df2320dc 139->142 143 7ff7df23204e-7ff7df23205c 140->143 167 7ff7df232158-7ff7df23216f 141->167 144 7ff7df2320de-7ff7df2320ed CharNextW 142->144 145 7ff7df2320f0-7ff7df232100 142->145 146 7ff7df23205e-7ff7df232069 143->146 147 7ff7df2320bc 143->147 144->145 145->141 149 7ff7df232102 145->149 150 7ff7df232098-7ff7df23209d 146->150 151 7ff7df23206b-7ff7df232072 146->151 147->139 153 7ff7df232105-7ff7df232119 _wcsicmp 149->153 150->147 157 7ff7df23209f-7ff7df2320a7 150->157 154 7ff7df23208a-7ff7df23208f 151->154 155 7ff7df232074-7ff7df23207c 151->155 158 7ff7df23211b-7ff7df23211e 153->158 159 7ff7df232120-7ff7df232137 153->159 154->147 161 7ff7df232091-7ff7df232096 154->161 155->147 160 7ff7df23207e-7ff7df232083 155->160 157->147 163 7ff7df2320a9 157->163 158->159 165 7ff7df232171-7ff7df232193 158->165 159->141 159->153 160->147 166 7ff7df232085-7ff7df232088 160->166 164 7ff7df2320b1-7ff7df2320ba 161->164 163->164 164->143 164->147 168 7ff7df2321a0-7ff7df2321ab 165->168 169 7ff7df232195-7ff7df23219e 165->169 166->164 170 7ff7df2321ae-7ff7df2321b1 call 7ff7df2359f0 168->170 169->170 171 7ff7df2321b7-7ff7df2321bd 170->171 172 7ff7df2321bf-7ff7df2321c2 171->172 173 7ff7df232204-7ff7df232206 171->173 174 7ff7df2321f8-7ff7df2321fd 172->174 175 7ff7df2321c4-7ff7df2321d0 172->175 173->167 174->173 176 7ff7df2321ff call 7ff7df2311c4 174->176 177 7ff7df2321de-7ff7df2321e3 call 7ff7df237418 175->177 178 7ff7df2321d2-7ff7df2321dc call 7ff7df237418 175->178 176->173 184 7ff7df2321e8-7ff7df2321f6 call 7ff7df231094 177->184 178->184 184->173
              APIs
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: CharNext$_wcsicmpwcsrchr
              • String ID:
              • API String ID: 349611830-0
              • Opcode ID: 00a20d2dbd4039686c28c160fa1c05f15aff131818592b9301d6560f865f19a8
              • Instruction ID: ba323dd8258c6e1b8eea24a500bbe9d1043d1c9367630c2ab819aec3e64ce41f
              • Opcode Fuzzy Hash: 00a20d2dbd4039686c28c160fa1c05f15aff131818592b9301d6560f865f19a8
              • Instruction Fuzzy Hash: 4051BDA2A086C286EA20AB1599442BDE6E0FB55B84FC5813FDF4D477D1EE3CF549C320

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: LoadString$Setup$CharClassDestroyDeviceErrorFormatFreeFromGuidsInfoLastListLocalMessageNamePrevfputws
              • String ID:
              • API String ID: 2156310005-0
              • Opcode ID: 4c3c7b40d94fe2c47dfe18297074997c7891f4faa63f9ec967768bd3813214f2
              • Instruction ID: 5dffd118107491f494923edf92a5e96183100fc33802c515bee63e0e59c0a1e3
              • Opcode Fuzzy Hash: 4c3c7b40d94fe2c47dfe18297074997c7891f4faa63f9ec967768bd3813214f2
              • Instruction Fuzzy Hash: 7A417C72618AC28AE720AB20E4517EEB6E5FB49744FD0403AEA4D47B88DF3CF5058721

              Control-flow Graph

              control_flow_graph 239 7ff7df236ca0-7ff7df236ce8 __wgetmainargs
              APIs
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: __wgetmainargs
              • String ID:
              • API String ID: 1709950718-0
              • Opcode ID: 943ab0ee3eda69021a4f07d25a78058e0e8e433080375cef63d515d42e6b7d78
              • Instruction ID: fb7a660bc6f4a883233bcb0c37b18c93a45a4014b06a918486929b79d7502258
              • Opcode Fuzzy Hash: 943ab0ee3eda69021a4f07d25a78058e0e8e433080375cef63d515d42e6b7d78
              • Instruction Fuzzy Hash: 3CE048B4A08A8796EA00AF50AC404ECB7E0AB44304FC0423FC81C56234DE3CB14ACB20

              Control-flow Graph

              control_flow_graph 314 7ff7df235c80-7ff7df235cd7 315 7ff7df235cdd-7ff7df235ce4 314->315 316 7ff7df2361bc 314->316 315->316 317 7ff7df235cea-7ff7df235d10 SetupDiClassGuidsFromNameExW 315->317 318 7ff7df2361c1-7ff7df2361e8 call 7ff7df236ef0 316->318 319 7ff7df235d27-7ff7df235d2c 317->319 320 7ff7df235d12-7ff7df235d21 GetLastError 317->320 322 7ff7df2361b8-7ff7df2361ba 319->322 323 7ff7df235d32-7ff7df235d4e _wcsicmp 319->323 320->319 320->322 322->318 325 7ff7df235d59-7ff7df235d75 _wcsicmp 323->325 326 7ff7df235d50-7ff7df235d57 323->326 328 7ff7df23618e 325->328 329 7ff7df235d7b 325->329 327 7ff7df235d82-7ff7df235dbd SetupDiOpenClassRegKeyExW 326->327 327->322 330 7ff7df235dc3-7ff7df235dd3 call 7ff7df231720 327->330 331 7ff7df236193-7ff7df236196 328->331 329->327 338 7ff7df235dd9-7ff7df235de9 330->338 339 7ff7df236162-7ff7df23618c call 7ff7df237418 call 7ff7df231094 call 7ff7df233174 330->339 333 7ff7df236198-7ff7df23619b call 7ff7df2315b4 331->333 334 7ff7df2361a0-7ff7df2361a7 331->334 333->334 334->322 335 7ff7df2361a9-7ff7df2361b3 RegCloseKey 334->335 335->322 341 7ff7df235deb-7ff7df235dfb call 7ff7df2314a0 338->341 342 7ff7df235e05-7ff7df235e0d 338->342 339->331 341->334 349 7ff7df235e01 341->349 342->339 343 7ff7df235e13-7ff7df235e16 342->343 347 7ff7df235e1b-7ff7df235e27 343->347 350 7ff7df23607d 347->350 351 7ff7df235e2d-7ff7df235e37 347->351 349->342 356 7ff7df236082-7ff7df236085 350->356 353 7ff7df235e39-7ff7df235e45 351->353 354 7ff7df235e4e-7ff7df235e52 351->354 358 7ff7df235e4b 353->358 359 7ff7df236064-7ff7df236076 353->359 354->328 360 7ff7df235e58-7ff7df235e5b 354->360 356->339 357 7ff7df23608b-7ff7df23608e 356->357 362 7ff7df23612e-7ff7df236147 RegDeleteValueW 357->362 363 7ff7df236094-7ff7df23609f 357->363 358->354 359->356 366 7ff7df236078 359->366 364 7ff7df235fde-7ff7df235fe4 360->364 365 7ff7df235e61-7ff7df235e64 360->365 362->331 371 7ff7df236149-7ff7df236160 call 7ff7df237418 call 7ff7df231094 362->371 367 7ff7df2360bc-7ff7df2360d1 
363->367 368 7ff7df2360a1 363->368 370 7ff7df236004-7ff7df23600b 364->370 365->364 369 7ff7df235e6a-7ff7df235e6d 365->369 366->347 367->331 376 7ff7df2360d7-7ff7df2360ff RegSetValueExW 367->376 375 7ff7df2360a4-7ff7df2360ac 368->375 377 7ff7df235e6f-7ff7df235e71 369->377 378 7ff7df235e90-7ff7df235e93 369->378 372 7ff7df23600d-7ff7df236017 370->372 373 7ff7df235fe6-7ff7df235ffd _wcsicmp 370->373 400 7ff7df236127-7ff7df23612c 371->400 372->331 379 7ff7df23601d-7ff7df236020 372->379 373->372 386 7ff7df235fff-7ff7df236001 373->386 375->375 382 7ff7df2360ae-7ff7df2360ba 375->382 376->331 383 7ff7df236105-7ff7df236122 call 7ff7df237418 call 7ff7df231094 call 7ff7df233174 376->383 384 7ff7df235e8b-7ff7df235e8e 377->384 385 7ff7df235e73-7ff7df235e79 377->385 378->328 381 7ff7df235e99-7ff7df235e9b 378->381 387 7ff7df236028-7ff7df236036 379->387 388 7ff7df236022-7ff7df236026 379->388 390 7ff7df235e9f-7ff7df235ebe OpenSCManagerW 381->390 382->367 382->368 383->400 384->390 385->390 392 7ff7df235e7b 385->392 386->370 387->387 395 7ff7df236038-7ff7df236046 call 7ff7df2314a0 387->395 393 7ff7df236060 388->393 390->331 396 7ff7df235ec4-7ff7df235ee2 OpenServiceW 390->396 398 7ff7df235e7e-7ff7df235e87 392->398 393->359 395->331 408 7ff7df23604c-7ff7df236057 call 7ff7df2315b4 395->408 402 7ff7df235ef3-7ff7df235f08 CloseServiceHandle 396->402 403 7ff7df235ee4-7ff7df235eee CloseServiceHandle 396->403 398->398 399 7ff7df235e89 398->399 399->390 400->331 402->331 406 7ff7df235f0e-7ff7df235f14 402->406 403->402 409 7ff7df235f16 406->409 410 7ff7df235f24-7ff7df235f4f call 7ff7df236b70 406->410 417 7ff7df23605a-7ff7df23605d 408->417 413 7ff7df235f19-7ff7df235f22 409->413 410->331 418 7ff7df235f55-7ff7df235f5d 410->418 413->410 413->413 417->393 419 7ff7df235f7c-7ff7df235f83 418->419 420 7ff7df235f5f-7ff7df235f68 418->420 422 7ff7df235faa-7ff7df235fc5 call 7ff7df2314a0 call 7ff7df236bb0 419->422 423 7ff7df235f85-7ff7df235f95 419->423 421 7ff7df235f6b-7ff7df235f7a 420->421 421->419 421->421 
422->331 429 7ff7df235fcb-7ff7df235fdc call 7ff7df2315b4 422->429 424 7ff7df235f98-7ff7df235fa8 423->424 424->422 424->424 429->417
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: CloseOpenService_wcsicmp$ClassHandleSetupValue$CharDeleteErrorFormatFreeFromGuidsLastLocalManagerMessageNamePrevfputwswprintf
              • String ID: !$+$-$=$@$@$LowerFilters$UpperFilters$lower$upper
              • API String ID: 1724156078-2693469231
              • Opcode ID: 926cd04b1689d02a59abcbcd5e01b1a056d007f521a5af8e348f38f05508dc4f
              • Instruction ID: 6e4076afae871ca43db3063109900921337390d1b7ea55714aa7a5c58fe4e8c6
              • Opcode Fuzzy Hash: 926cd04b1689d02a59abcbcd5e01b1a056d007f521a5af8e348f38f05508dc4f
              • Instruction Fuzzy Hash: AEE1A4A2A086C285EA14AB1594516FEEBE5FF45BA0FC5823ADE5E077D1DF3CF4408260

              Control-flow Graph

              control_flow_graph 432 7ff7df232a04-7ff7df232a78 call 7ff7df237510 call 7ff7df2374d6 SetupDiGetDeviceInstallParamsW 437 7ff7df232a7e-7ff7df232aab SetupDiSetDeviceInstallParamsW 432->437 438 7ff7df232e56 432->438 440 7ff7df232aed-7ff7df232b1e SetupDiOpenDevRegKey 437->440 441 7ff7df232aad-7ff7df232abb SetupDiBuildDriverInfoList 437->441 439 7ff7df232e58-7ff7df232e81 call 7ff7df236ef0 438->439 443 7ff7df232e4a-7ff7df232e51 RegCloseKey 440->443 444 7ff7df232b24-7ff7df232b5f RegQueryValueExW 440->444 441->438 442 7ff7df232ac1-7ff7df232ae0 SetupDiEnumDriverInfoW 441->442 442->438 446 7ff7df232ae6-7ff7df232ae8 442->446 443->438 447 7ff7df232e47 444->447 448 7ff7df232b65-7ff7df232b69 444->448 446->439 447->443 448->447 450 7ff7df232b6f-7ff7df232bae RegQueryValueExW 448->450 450->447 451 7ff7df232bb4-7ff7df232bb8 450->451 451->447 452 7ff7df232bbe-7ff7df232bf8 RegQueryValueExW 451->452 452->447 453 7ff7df232bfe-7ff7df232c02 452->453 453->447 454 7ff7df232c08-7ff7df232c53 RegQueryValueExW RegCloseKey 453->454 454->438 455 7ff7df232c59-7ff7df232c5d 454->455 455->438 456 7ff7df232c63-7ff7df232c97 SetupDiGetDeviceRegistryPropertyW 455->456 456->438 457 7ff7df232c9d-7ff7df232cc2 SetupDiSetDeviceInstallParamsW 456->457 457->438 458 7ff7df232cc8-7ff7df232cdf SetupDiBuildDriverInfoList 457->458 458->438 459 7ff7df232ce5-7ff7df232d06 SetupDiEnumDriverInfoW 458->459 460 7ff7df232e2a-7ff7df232e3a SetupDiDestroyDriverInfoList 459->460 461 7ff7df232d0c 459->461 463 7ff7df232e3f-7ff7df232e41 460->463 462 7ff7df232d13-7ff7df232d1d 461->462 464 7ff7df232d20-7ff7df232d2a 462->464 463->439 465 7ff7df232d2c-7ff7df232d32 464->465 466 7ff7df232d34-7ff7df232d36 464->466 465->464 465->466 467 7ff7df232d3c-7ff7df232d4a 466->467 468 7ff7df232e03-7ff7df232e24 SetupDiEnumDriverInfoW 466->468 469 7ff7df232d4d-7ff7df232d57 467->469 468->460 468->462 470 7ff7df232d59-7ff7df232d5f 469->470 471 7ff7df232d61-7ff7df232d63 469->471 470->469 470->471 471->468 472 7ff7df232d69-7ff7df232d9e 
SetupDiGetDriverInfoDetailW 471->472 473 7ff7df232db1-7ff7df232dbf 472->473 474 7ff7df232da0-7ff7df232daf GetLastError 472->474 475 7ff7df232dc2-7ff7df232dcc 473->475 474->468 474->473 476 7ff7df232dce-7ff7df232dd4 475->476 477 7ff7df232dd6-7ff7df232dd8 475->477 476->475 476->477 477->468 478 7ff7df232dda-7ff7df232de8 477->478 479 7ff7df232deb-7ff7df232df5 478->479 480 7ff7df232df7-7ff7df232dfd 479->480 481 7ff7df232dff-7ff7df232e01 479->481 480->479 480->481 481->468 482 7ff7df232e43-7ff7df232e45 481->482 482->463
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: Setup$DeviceQueryValue$DriverInfoInstallParams$BuildList$CloseEnumOpenPropertyRegistry
              • String ID: DriverDesc$InfPath$InfSection$ProviderName
              • API String ID: 1187922586-109328823
              • Opcode ID: 70622a9b5a574f4e2a8280fc3ff9c5255fc456a0584ec18a8c22dc112fbdd8cc
              • Instruction ID: 89179a752d20a2c1ec8a73f73206dd41ef37d4543ca531a8ee271a3b2f898234
              • Opcode Fuzzy Hash: 70622a9b5a574f4e2a8280fc3ff9c5255fc456a0584ec18a8c22dc112fbdd8cc
              • Instruction Fuzzy Hash: 44C12D72608AC286EB609F51A4042FEF6E4FB89B95FC4813ADE4D46794DF3CE504CB60

              Control-flow Graph

              control_flow_graph 792 7ff7df234180-7ff7df2341e0 793 7ff7df2341ea-7ff7df2341fa call 7ff7df236b70 792->793 794 7ff7df2341e2-7ff7df2341e5 792->794 799 7ff7df2344ec 793->799 800 7ff7df234200-7ff7df23420a 793->800 795 7ff7df2344ee-7ff7df23451d call 7ff7df236ef0 794->795 799->795 802 7ff7df234210-7ff7df234217 800->802 803 7ff7df2344c5-7ff7df2344cd call 7ff7df236bb0 800->803 804 7ff7df23421d-7ff7df234220 802->804 805 7ff7df2344a2-7ff7df2344b8 802->805 811 7ff7df2344d4-7ff7df2344db 803->811 804->805 807 7ff7df234226-7ff7df234229 804->807 805->802 808 7ff7df2344be 805->808 810 7ff7df234280-7ff7df2342a0 SetupDiClassGuidsFromNameExW 807->810 808->803 813 7ff7df23422b-7ff7df23423a GetLastError 810->813 814 7ff7df2342a2-7ff7df2342a8 810->814 811->799 812 7ff7df2344dd-7ff7df2344e7 SetupDiDestroyDeviceInfoList 811->812 812->799 815 7ff7df2344c0 813->815 816 7ff7df234240-7ff7df234273 call 7ff7df236bb0 call 7ff7df236b70 813->816 817 7ff7df2342aa-7ff7df2342d3 call 7ff7df237418 call 7ff7df231094 814->817 818 7ff7df2342d8-7ff7df2342dd 814->818 815->803 840 7ff7df234279-7ff7df23427d 816->840 841 7ff7df2344cf 816->841 817->805 818->805 819 7ff7df2342e3-7ff7df234325 SetupDiGetClassDevsExW 818->819 823 7ff7df234327-7ff7df234331 819->823 824 7ff7df234351-7ff7df234379 SetupDiClassNameFromGuidExW 819->824 827 7ff7df234339-7ff7df23434f SetupDiEnumDeviceInfo 823->827 828 7ff7df234397-7ff7df2343c0 SetupDiGetClassDescriptionExW 824->828 829 7ff7df23437b-7ff7df234391 call 7ff7df231008 824->829 827->824 832 7ff7df234333-7ff7df234336 827->832 835 7ff7df2343dd-7ff7df2343e8 828->835 836 7ff7df2343c2-7ff7df2343d7 call 7ff7df231008 828->836 829->815 829->828 832->827 837 7ff7df2343ea-7ff7df234410 call 7ff7df237418 call 7ff7df231094 835->837 838 7ff7df234412-7ff7df234444 call 7ff7df237418 call 7ff7df231094 835->838 836->815 836->835 852 7ff7df23446f-7ff7df234476 837->852 853 7ff7df234457-7ff7df23446d SetupDiEnumDeviceInfo 838->853 840->810 841->811 854 7ff7df23448a-7ff7df234497 852->854 
855 7ff7df234478-7ff7df234487 SetupDiDestroyDeviceInfoList 852->855 853->852 856 7ff7df234446-7ff7df234455 call 7ff7df232300 853->856 854->819 857 7ff7df23449d 854->857 855->854 856->853 857->805
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: Setup$ClassDestroyDeviceFromGuidsInfoListName
              • String ID:
              • API String ID: 1860465623-3916222277
              • Opcode ID: e6450321c0d2d64a461101c674be3e33342555eeae8982276af84a45cca274cc
              • Instruction ID: 3c18da26abfad7c0115c91e04ef955d4e418fb18c17e3e50d0b0b03d57ee9d66
              • Opcode Fuzzy Hash: e6450321c0d2d64a461101c674be3e33342555eeae8982276af84a45cca274cc
              • Instruction Fuzzy Hash: F3A180626186C286E710AB61A4503FDA6E4FB89BA4FD5423ADB9D077C8CF3CE5058710
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSystemValue
              • String ID: SeShutdownPrivilege
              • API String ID: 2036077386-3733053543
              • Opcode ID: fddce4556390571a9fb10fe5ea09b351c16824cdf68d2e6d798df49b6638f994
              • Instruction ID: ff5e766f2f558c671a465a8a56e034a5bb7fb35071308f44e161dec2f033d3b5
              • Opcode Fuzzy Hash: fddce4556390571a9fb10fe5ea09b351c16824cdf68d2e6d798df49b6638f994
              • Instruction Fuzzy Hash: 8921FF72618A81C7EB509B51F4157EEFBA0FB89B45FC4912ADA8E46A54CF7CE044CB10
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: DirectoryFileFindFirstWindows
              • String ID: \INF\OEM*.INF
              • API String ID: 1585389207-2728984289
              • Opcode ID: 6a7a1a2d6b532156aec20f8e7e9eeafbd71c87cdb6d56367d2f17184ac1bf8f6
              • Instruction ID: abe9d1482eb0c03b36996d98ea038bb0d9e5a68340019fc023e7e87b1dd85345
              • Opcode Fuzzy Hash: 6a7a1a2d6b532156aec20f8e7e9eeafbd71c87cdb6d56367d2f17184ac1bf8f6
              • Instruction Fuzzy Hash: B34152A2B186C286EE10AB24D4506FEAAE5EF44790FD4853BCA5D07795DF3CF8058760

              Control-flow Graph

              control_flow_graph 240 7ff7df233a1c-7ff7df233a7f call 7ff7df237510 SetupOpenInfFileW 243 7ff7df233a81-7ff7df233a90 GetLastError 240->243 244 7ff7df233a95-7ff7df233ac4 SetupFindFirstLineW 240->244 245 7ff7df233dd2-7ff7df233e09 call 7ff7df236ef0 243->245 246 7ff7df233b0b-7ff7df233b1b call 7ff7df237418 call 7ff7df231094 244->246 247 7ff7df233ac6-7ff7df233aeb SetupGetStringFieldW 244->247 256 7ff7df233b20-7ff7df233b44 SetupFindFirstLineW 246->256 247->246 248 7ff7df233aed-7ff7df233b09 call 7ff7df237418 call 7ff7df231094 247->248 248->256 258 7ff7df233b4a-7ff7df233b6f SetupGetStringFieldW 256->258 259 7ff7df233bd7-7ff7df233be7 call 7ff7df237418 call 7ff7df231094 256->259 258->259 261 7ff7df233b71-7ff7df233b8b CLSIDFromString 258->261 268 7ff7df233bec-7ff7df233c05 LoadLibraryW 259->268 261->259 263 7ff7df233b8d-7ff7df233bb7 SetupDiGetClassDescriptionExW 261->263 263->259 265 7ff7df233bb9-7ff7df233bd5 call 7ff7df237418 call 7ff7df231094 263->265 265->268 269 7ff7df233c0b-7ff7df233c27 GetProcAddress 268->269 270 7ff7df233daf-7ff7df233dc1 SetupCloseInfFile 268->270 269->270 272 7ff7df233c2d-7ff7df233c5c memset 269->272 270->245 274 7ff7df233dc3-7ff7df233dcd FreeLibrary 270->274 277 7ff7df233c5e-7ff7df233c6f GetLastError 272->277 278 7ff7df233c9b-7ff7df233cb2 call 7ff7df237418 call 7ff7df231094 272->278 274->245 277->278 279 7ff7df233c71-7ff7df233c82 GetLastError 277->279 286 7ff7df233cb7-7ff7df233cdb SetupFindFirstLineW 278->286 279->278 281 7ff7df233c84-7ff7df233c99 call 7ff7df237418 call 7ff7df231094 279->281 281->286 287 7ff7df233ce1-7ff7df233d0f SetupGetStringFieldW 286->287 288 7ff7df233d85-7ff7df233d9a call 7ff7df237418 call 7ff7df231094 286->288 290 7ff7df233d2c-7ff7df233d39 call 7ff7df237418 call 7ff7df231094 287->290 291 7ff7df233d11-7ff7df233d2a call 7ff7df237418 call 7ff7df231094 287->291 304 7ff7df233d9d-7ff7df233daa call 7ff7df237418 call 7ff7df231094 288->304 305 7ff7df233d3e-7ff7df233d68 SetupGetStringFieldW 290->305 291->305 304->270 305->304 
307 7ff7df233d6a-7ff7df233d83 call 7ff7df237418 call 7ff7df231094 305->307 307->270
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: Setup$ErrorLastString$FieldFindFirstLine$AddressClassDescriptionFileFromLibraryLoadOpenProcmemset
              • String ID: ClassGUID$DriverVer$Provider$SetupVerifyInfFile$Version$setupapi.dll
              • API String ID: 653204746-1638047923
              • Opcode ID: 564b6a287c9b88aca2cc48c980f14925d6c819359dbf66884c50b56fdeedf4fc
              • Instruction ID: 6b64bc5016fcd17995b3eba8a2cf4ed4cf647bcbbb3a6a6c2c242ba2479c2342
              • Opcode Fuzzy Hash: 564b6a287c9b88aca2cc48c980f14925d6c819359dbf66884c50b56fdeedf4fc
              • Instruction Fuzzy Hash: 42A175A2608AC296E610BB61E8101FDA6E1FF89B54FC4813BD90E57794DF3CF649C720

              Control-flow Graph

              control_flow_graph 483 7ff7df2332c4-7ff7df233354 call 7ff7df237510 memset * 2 SetupDiGetDeviceInstallParamsW 486 7ff7df233749 483->486 487 7ff7df23335a-7ff7df233379 SetupDiSetDeviceInstallParamsW 483->487 489 7ff7df23374b-7ff7df233774 call 7ff7df236ef0 486->489 487->486 488 7ff7df23337f-7ff7df23339d SetupDiBuildDriverInfoList 487->488 490 7ff7df233729-7ff7df23373f call 7ff7df231184 call 7ff7df237418 call 7ff7df231094 488->490 491 7ff7df2333a3-7ff7df2333cf SetupDiEnumDriverInfoW 488->491 497 7ff7df233744-7ff7df233747 490->497 494 7ff7df23370f-7ff7df233727 SetupDiDestroyDriverInfoList 491->494 495 7ff7df2333d5 491->495 494->490 494->497 499 7ff7df2333d8-7ff7df233429 call 7ff7df237418 call 7ff7df231094 SetupDiGetDriverInfoDetailW 495->499 497->489 507 7ff7df23342b-7ff7df23343a GetLastError 499->507 508 7ff7df23343c-7ff7df23347b call 7ff7df231184 call 7ff7df237418 call 7ff7df231094 call 7ff7df231184 call 7ff7df237418 call 7ff7df231094 499->508 507->508 509 7ff7df233480-7ff7df233500 call 7ff7df231184 call 7ff7df237418 call 7ff7df231094 call 7ff7df231184 call 7ff7df237418 call 7ff7df231094 call 7ff7df231184 call 7ff7df237418 call 7ff7df231094 FileTimeToSystemTime 507->509 508->509 539 7ff7df233557-7ff7df2335cb call 7ff7df231184 call 7ff7df237418 call 7ff7df231094 SetupDiGetDriverInstallParamsW 509->539 540 7ff7df233502-7ff7df233533 GetDateFormatW 509->540 553 7ff7df2335d1-7ff7df233622 call 7ff7df231184 call 7ff7df237418 call 7ff7df231094 call 7ff7df231184 call 7ff7df237418 call 7ff7df231094 539->553 554 7ff7df2336d4-7ff7df233709 SetupDiEnumDriverInfoW 539->554 540->539 542 7ff7df233535-7ff7df233552 call 7ff7df231184 call 7ff7df237418 call 7ff7df231094 540->542 542->539 567 7ff7df233644-7ff7df233648 553->567 568 7ff7df233624-7ff7df233640 call 7ff7df231184 call 7ff7df237418 call 7ff7df231094 553->568 554->494 554->499 569 7ff7df233669-7ff7df23366d 567->569 570 7ff7df23364a-7ff7df233665 call 7ff7df231184 call 7ff7df237418 call 7ff7df231094 567->570 568->567 573 7ff7df23368e-7ff7df233692 569->573 574 7ff7df23366f-7ff7df23368a call 7ff7df231184 call 7ff7df237418 call 7ff7df231094 569->574 570->569 576 7ff7df2336b3-7ff7df2336b7 573->576 577 7ff7df233694-7ff7df2336af call 7ff7df231184 call 7ff7df237418 call 7ff7df231094 573->577 574->573 576->554 583 7ff7df2336b9-7ff7df2336cf call 7ff7df231184 call 7ff7df237418 call 7ff7df231094 576->583 577->576 583->554
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: Setup$Driver$Info$InstallParams$DeviceEnumFormatListTimememset$BuildCharDateDestroyDetailErrorFileFreeLastLocalMessagePrevSystemfputws
              • String ID:
              • API String ID: 2199235825-3916222277
              • Opcode ID: 04f89785b6df9a3bfffd53cf9e2ae7aa516d764af16d114aa2dc309da656ddb3
              • Instruction ID: d60d7ae60db1168fc2dd285504f86e21f002a15746b568e482e8f31d22ba54b9
              • Opcode Fuzzy Hash: 04f89785b6df9a3bfffd53cf9e2ae7aa516d764af16d114aa2dc309da656ddb3
              • Instruction Fuzzy Hash: 79C1B0A1B081C297EA14BB2194112FEE6E1FB8A744FC4443EEA4E5B796CE3CF5458760

              Control-flow Graph

              control_flow_graph 605 7ff7df2361f0-7ff7df236254 SetupDiGetDeviceInfoListDetailW 606 7ff7df23625a-7ff7df236289 CM_Get_Device_ID_ExW 605->606 607 7ff7df2362f4 605->607 606->607 609 7ff7df23628b-7ff7df2362b7 CM_Get_DevNode_Status_Ex 606->609 608 7ff7df2362f6-7ff7df236320 call 7ff7df236ef0 607->608 609->607 611 7ff7df2362b9-7ff7df2362be 609->611 613 7ff7df236322-7ff7df236337 call 7ff7df2315e8 611->613 614 7ff7df2362c0-7ff7df2362f0 wprintf call 7ff7df237418 call 7ff7df231094 611->614 620 7ff7df236339-7ff7df236346 call 7ff7df2314a0 613->620 621 7ff7df23634c-7ff7df23635b 613->621 614->607 620->621 634 7ff7df236348-7ff7df23634a 620->634 624 7ff7df236539-7ff7df23655e wprintf 621->624 625 7ff7df236361-7ff7df236364 621->625 626 7ff7df2365a2-7ff7df2365b0 wprintf 624->626 627 7ff7df236560-7ff7df236565 624->627 629 7ff7df236369-7ff7df236375 625->629 633 7ff7df2365b5-7ff7df2365b8 626->633 632 7ff7df236568-7ff7df23656b 627->632 630 7ff7df236377 629->630 631 7ff7df23637f-7ff7df236383 629->631 635 7ff7df23637a-7ff7df23637d 630->635 631->635 636 7ff7df236385-7ff7df236389 631->636 637 7ff7df23656d-7ff7df23657b wprintf 632->637 638 7ff7df236580-7ff7df2365a0 wprintf 632->638 633->634 639 7ff7df2365be-7ff7df2365c6 call 7ff7df2315b4 633->639 634->608 640 7ff7df23639b 635->640 641 7ff7df23638b-7ff7df23638e 636->641 642 7ff7df236390-7ff7df236394 636->642 637->638 638->626 638->632 639->634 644 7ff7df23639e-7ff7df2363a2 640->644 641->640 642->644 645 7ff7df236396 642->645 647 7ff7df2365d8-7ff7df2365dd 644->647 648 7ff7df2363a8-7ff7df2363ae 644->648 645->640 647->633 649 7ff7df2363be-7ff7df2363c1 648->649 650 7ff7df2363b0 648->650 652 7ff7df2363c7 649->652 653 7ff7df2363c3-7ff7df2363c5 649->653 651 7ff7df2363b3-7ff7df2363bc 650->651 651->649 651->651 654 7ff7df2363c9-7ff7df2363ee call 7ff7df236b70 652->654 653->652 653->654 654->633 657 7ff7df2363f4-7ff7df2363f9 654->657 658 7ff7df2363fb 657->658 659 7ff7df236430 657->659 660 7ff7df2363fe-7ff7df236413 _wcsicmp 658->660 661 7ff7df23643a-7ff7df23643f 659->661 662 7ff7df236432-7ff7df236437 659->662 663 7ff7df236421-7ff7df236427 660->663 664 7ff7df236415-7ff7df23641e 660->664 665 7ff7df236441 661->665 666 7ff7df236476-7ff7df236494 call 7ff7df2314a0 call 7ff7df236bb0 661->666 662->661 663->660 668 7ff7df236429-7ff7df23642e 663->668 664->663 669 7ff7df236446-7ff7df23645b _wcsicmp 665->669 666->633 676 7ff7df23649a-7ff7df2364c6 call 7ff7df2315b4 666->676 668->659 671 7ff7df236469-7ff7df23646f 669->671 672 7ff7df23645d-7ff7df236466 669->672 671->669 674 7ff7df236471 671->674 672->671 674->666 676->629 679 7ff7df2364cc-7ff7df2364cf 676->679 680 7ff7df2365cb-7ff7df2365d3 679->680 681 7ff7df2364d5-7ff7df2364e0 679->681 684 7ff7df23651b-7ff7df236537 SetupDiSetDeviceRegistryPropertyW 680->684 682 7ff7df2364fd-7ff7df236511 681->682 683 7ff7df2364e2 681->683 682->633 686 7ff7df236517 682->686 685 7ff7df2364e5-7ff7df2364ed 683->685 684->624 684->633 685->685 687 7ff7df2364ef-7ff7df2364fb 685->687 686->684 687->682 687->683
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: Get_$CharDetailDeviceDevice_FormatFreeInfoListLocalMessageNode_PrevSetupStatus_fputwswprintf
              • String ID: %-60s:
              • API String ID: 1600579866-769737362
              • Opcode ID: 1b2a9536429bf194cee0a4d69f163f41c3bb829d22fb6b4f6b7bdc286ad8f67c
              • Instruction ID: 1d7a9708e29f430794a4a97d9168d96f36b53e23007fc03b46e99281aeec7a21
              • Opcode Fuzzy Hash: 1b2a9536429bf194cee0a4d69f163f41c3bb829d22fb6b4f6b7bdc286ad8f67c
              • Instruction Fuzzy Hash: 18B161A2A096C682E620AF11E5406BEFBE8FB45B84FC5813ADA4E47794DF3CF4558710

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: CharNext$_wcsnicmpwcschr$_wcsicmpiswalphatowlowertowupper
              • String ID: *
              • API String ID: 658721666-163128923
              • Opcode ID: 6c028171533642cf754e1c2f9030c6ee29d2d88fe8cbbbcee21d3451e464a59a
              • Instruction ID: 5023e45a5fb7629a278966ade8052420f4af0e9f072ce8d7eb41b9cda44853c4
              • Opcode Fuzzy Hash: 6c028171533642cf754e1c2f9030c6ee29d2d88fe8cbbbcee21d3451e464a59a
              • Instruction Fuzzy Hash: AD515EA6A08BD292EA106B5694100BDF6E0FB4AF95BC5813ACF9E07794DF3CF455C320

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: Des_Res_$Get_$Data_Free_HandleNext_wprintf$Size_fputs
              • String ID: DMA : %u$IO : %04I64x-%04I64x$IRQ : %u$MEM : %08I64x-%08I64x
              • API String ID: 722776883-3427375868
              • Opcode ID: 9b08e2580fd995fd1323d7d8c7d3968f47489ccd5d6e3822b77bb76949f4117a
              • Instruction ID: 56b9b3df0d6923d75606f3c9995dbffd20f14a1aa3e0c794148fed87532868ab
              • Opcode Fuzzy Hash: 9b08e2580fd995fd1323d7d8c7d3968f47489ccd5d6e3822b77bb76949f4117a
              • Instruction Fuzzy Hash: 595149B6A0869286E714AF25D4546FDBBE0FB4AB94FC4803ADE0D47794DF38F4448621

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: Setup$DeviceDriverInstallParams$FileInfoQueue$Scanmemset$BuildCallCharClassDetailEnumErrorFormatFreeInstallerLastListLocalMessageOpenPrevSelectedfputsfputws
              • String ID:
              • API String ID: 3550884892-0
              • Opcode ID: 1c0340ecdef8709fe67892c2f2bd353b30d0c9940b17e42dad09206d73fa4277
              • Instruction ID: 62bd7b62351e2f5470d51a74fe35d142c122d11a3f59333a5609eb31e0f05837
              • Opcode Fuzzy Hash: 1c0340ecdef8709fe67892c2f2bd353b30d0c9940b17e42dad09206d73fa4277
              • Instruction Fuzzy Hash: E47160726086C18AE720AB61E8111FEBAE1FB89B54FC4423ADE5D47B94CF3CE6058710
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: Setup$Device$Info$ClassCreateList$CallDestroyFullInstallerNamePathPropertyRegistrymemset
              • String ID:
              • API String ID: 2770198913-3916222277
              • Opcode ID: 637852011958671ebc2a86af737020983344680163c69d9b2c53f9f14a188548
              • Instruction ID: 560f2d36c108ac05103bdfec28ab8a89605ec0c0796d16caac107cbdd5322330
              • Opcode Fuzzy Hash: 637852011958671ebc2a86af737020983344680163c69d9b2c53f9f14a188548
              • Instruction Fuzzy Hash: 3A517C72A08AC286E720AB61E8016EDA7E1F788B94FC5813ADE4D47B84DF78F505C750
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: Library$AddressErrorFreeFullLastLoadNamePathProc
              • String ID: SetupUninstallOEMInfW$setupapi.dll
              • API String ID: 3805412813-3713901415
              • Opcode ID: f826e6926d4abd4d1c32c8a32c69696b6dbc7c6ad6b6f534f13fffafd3e8f701
              • Instruction ID: 536b50b993a7a883d600550df96956ea1865973b231572f77eb8d325f036cdd6
              • Opcode Fuzzy Hash: f826e6926d4abd4d1c32c8a32c69696b6dbc7c6ad6b6f534f13fffafd3e8f701
              • Instruction Fuzzy Hash: A4416262A086C282EB20AB50E4547FEEBE5FB89750FD5843ADA4D47785CF3CF4058760
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: Setupwprintf$CharClassCloseDetailDeviceFormatFreeInfoListLocalMessageOpenPrevQueryValuefputsfputws
              • String ID: %s$LowerFilters$UpperFilters
              • API String ID: 4180368772-1836264166
              • Opcode ID: adf3199537e207df6ee1509fbd2a7beae66e8764c313c8e2cfae44d6cba4330b
              • Instruction ID: e2e260466e9f90b4c7eaad49036e549bc25a64b03040e853af92758d2f69b3db
              • Opcode Fuzzy Hash: adf3199537e207df6ee1509fbd2a7beae66e8764c313c8e2cfae44d6cba4330b
              • Instruction Fuzzy Hash: 4F517091E086C292ED18BB2194121FDD2D5AF86B90FC8453EDA4E0B7D6DE3DFA418360
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: FreeLibrary$AddressAttributesCharFileFormatFullLoadLocalMessageNamePathPrevProcfputws
              • String ID: UpdateDriverForPlugAndPlayDevicesW$newdev.dll
              • API String ID: 3139919817-3767700378
              • Opcode ID: b5a4fe77c619eed7b17a7eefbe38ac003ec55746e375a6d3b133f2d118feb241
              • Instruction ID: 66de4b6974bebe6ea9c80577fe14977b89e4d54fa90bc5c076eb494e0fce428f
              • Opcode Fuzzy Hash: b5a4fe77c619eed7b17a7eefbe38ac003ec55746e375a6d3b133f2d118feb241
              • Instruction Fuzzy Hash: F7413AB2A08BC286EA10AF10E4556EDA7E4FB89B80FC5813ADA4D57794DF3CF445C720
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: Setup$ClassDeviceInstallParams$CallDetailDevice_Get_InfoInstallerListwprintf
              • String ID: %-60s: %s
              • API String ID: 1061212145-3470069224
              • Opcode ID: d8e35f1dae23d892e67c052b59891b43c6bb9e2ccfcc005567ed7e1e6362209c
              • Instruction ID: 4b296085a95ddefc0e4c838de9d87cb89e596cc3fc115362504d451791bcba4d
              • Opcode Fuzzy Hash: d8e35f1dae23d892e67c052b59891b43c6bb9e2ccfcc005567ed7e1e6362209c
              • Instruction Fuzzy Hash: E03126B2614AC28AE7205F61D8047EEB7B4FB49B85FC4513ACA4D4B654DF3DE105C750
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: ClassSetup$BuildDescriptionErrorFromGuidInfoLastListNamemallocwprintf
              • String ID: %-20s: %s
              • API String ID: 894314750-1251934994
              • Opcode ID: 1f7e96aa73fb74d08126d1bbaf1fdb7694c13161de74e7aefa62b0d6292f9c7f
              • Instruction ID: 7c84c16f9bc2414a15426dd9a959ed3e442591d0ff30d889d44c062de9a6eb00
              • Opcode Fuzzy Hash: 1f7e96aa73fb74d08126d1bbaf1fdb7694c13161de74e7aefa62b0d6292f9c7f
              • Instruction Fuzzy Hash: E7516072A18AC286EB50AB61E8507FDA7A4FB49B94FC0413ADA8D47794CF3CF505C750
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: Library$Free$AddressLoadProc$AttributesFileFullNamePath
              • String ID: SetupSetNonInteractiveMode$setupapi.dll
              • API String ID: 298606531-1268865691
              • Opcode ID: d6473bd80b3354bc20dd18b845dee4fc7294c20c11b53f877abf81ad8315ab3c
              • Instruction ID: 151cba43905f446a8bb7e802e56e98fd8b8438d23ad7da14bee67b91de5959ae
              • Opcode Fuzzy Hash: d6473bd80b3354bc20dd18b845dee4fc7294c20c11b53f877abf81ad8315ab3c
              • Instruction Fuzzy Hash: EE213E66B18B9183EA10AB56A4400BDFBE0FB89F80BC4813ADE4D07B50DF3CF0458754
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: wprintf$DetailDeviceDevice_Get_InfoListSetup
              • String ID: %-60s: %s$%s
              • API String ID: 500149863-1339393084
              • Opcode ID: 22688ed9ad00e57f419abfa9b832a18cfacfc1b16a54d8d9094973b0933df31a
              • Instruction ID: 7cf820f355ea4ad2dac46cc7ef9eebecee8c3a0007aed945457900e0e5ec93b9
              • Opcode Fuzzy Hash: 22688ed9ad00e57f419abfa9b832a18cfacfc1b16a54d8d9094973b0933df31a
              • Instruction Fuzzy Hash: A12142B2A18AC286E7109B54E8407FDE7A0FB89741FC4913ADE4D47694DF3CE549C720
              APIs
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: Conf_Get_Log_$First_$DetailDeviceFree_HandleInfoListNode_SetupStatus_
              • String ID:
              • API String ID: 950201049-0
              • Opcode ID: 31dd0be03b1e2ed74105f98b7802783fa533680d4a7a54325da88854b0cf6a6b
              • Instruction ID: e650dfa860bc901156e2ed67d35a204926c6d0a8c60bc63dfec6644b7cf81170
              • Opcode Fuzzy Hash: 31dd0be03b1e2ed74105f98b7802783fa533680d4a7a54325da88854b0cf6a6b
              • Instruction Fuzzy Hash: 25416A726186C286E750AF61E4507EEBBB0EB85B44FC4513AEA4E47698CF3CE445CB60
              APIs
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
              • String ID:
              • API String ID: 4104442557-0
              • Opcode ID: ff399e0d3ff5fe37e71ae8076eddf2ae3c4423fb69a0fba1259bbe2426c4784e
              • Instruction ID: ba32d1f0cdf93386098d23aa8236b74e2f121bd33b8b4218b8efc3f1f588988f
              • Opcode Fuzzy Hash: ff399e0d3ff5fe37e71ae8076eddf2ae3c4423fb69a0fba1259bbe2426c4784e
              • Instruction Fuzzy Hash: F7111D62A04F818AEB00EF61E8442ED73E4FB09758FC40A3AEA6D47754DF7CE5A48350
              APIs
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: Setup$Class$InstallParams$CallDeviceInstallerwprintf$DetailDevice_Get_InfoList
              • String ID:
              • API String ID: 3776784670-0
              • Opcode ID: 8ce33fe5aa1e47d727e1c62a8cf72dee673e4573541e05452e905546d644a5c8
              • Instruction ID: 125bcad98e73406545bff58d5c612262991ada126ab030950f3f78d7bb87af1d
              • Opcode Fuzzy Hash: 8ce33fe5aa1e47d727e1c62a8cf72dee673e4573541e05452e905546d644a5c8
              • Instruction Fuzzy Hash: 75411CB26086858AE7249F51E5543FDAAE4FB49BC4F84812ADE8D0BB95CF3CE505CB10
              APIs
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
              • String ID:
              • API String ID: 140117192-0
              • Opcode ID: f73fcc106f6f841744f8b0324b0c44eff1169e70cc5ac8b3154f84bef4cecd31
              • Instruction ID: a7a6ecbecef64bb184d4db700197e34c1352409b64353b19a88ceb63e1f995b5
              • Opcode Fuzzy Hash: f73fcc106f6f841744f8b0324b0c44eff1169e70cc5ac8b3154f84bef4cecd31
              • Instruction Fuzzy Hash: 1741A5B5A08B8685EA10AF19F8503AEB7A4FB88784FD0413ADA8D47764DF7CE455C720
              APIs
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: CharFormatFreeLocalMessagePrevfputws
              • String ID:
              • API String ID: 578739846-0
              • Opcode ID: 80f2999c9d4d5f92137bd9dbf908d4475c93929c27a24fa275eded79dab9367f
              • Instruction ID: 5e9f12577abcdc6ba6bf505b5d79737d598ea893fd2cea1456b40422b024acb1
              • Opcode Fuzzy Hash: 80f2999c9d4d5f92137bd9dbf908d4475c93929c27a24fa275eded79dab9367f
              • Instruction Fuzzy Hash: 252148B7A04B519AE7019F61E8444ECB7B4FB89B44B868936CE5E03754EF34D841C360
              APIs
              Memory Dump Source
              • Source File: 00000029.00000002.2268418573.00007FF7DF231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7DF230000, based on PE: true
              • Associated: 00000029.00000002.2268381276.00007FF7DF230000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268454913.00007FF7DF238000.00000002.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268490154.00007FF7DF23B000.00000004.00000001.01000000.0000000B.sdmp
              • Associated: 00000029.00000002.2268519185.00007FF7DF23C000.00000002.00000001.01000000.0000000B.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_41_2_7ff7df230000_devcon.jbxd
              Similarity
              • API ID: MachineNode_$Connect_Disconnect_Locate_Reenumerate_
              • String ID:
              • API String ID: 218754429-0
              • Opcode ID: bcf9bd167d5d9956257164c9fa32b781fcb5858d099143dc4dd555625cd9d9f3
              • Instruction ID: a79319c53038e5b1390bd897e69a8b0e6270a882ebeb06bc3705a978e702e3af
              • Opcode Fuzzy Hash: bcf9bd167d5d9956257164c9fa32b781fcb5858d099143dc4dd555625cd9d9f3
              • Instruction Fuzzy Hash: 701190B2A08AC282EB14AB21E4115FDE7E1FFC9B84BC5C93ADE4E47655DE3CF4048610

              Execution Graph

              Execution Coverage:21.8%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:4.5%
              Total number of Nodes:354
              Total number of Limit Nodes:14
              execution_graph 1317 7ffda5491f30 1318 7ffda5491f6f 1317->1318 1320 7ffda5491fd0 1318->1320 1321 7ffda5492059 1318->1321 1319 7ffda549202c 1374 7ffda5492fa4 1319->1374 1320->1319 1325 7ffda5491fdf 1320->1325 1322 7ffda5492066 1321->1322 1323 7ffda54920bf 1321->1323 1329 7ffda5491ffa 1321->1329 1326 7ffda549206b 1322->1326 1327 7ffda54920af 1322->1327 1426 7ffda5493158 1323->1426 1330 7ffda549200f 1325->1330 1331 7ffda5491fe4 1325->1331 1333 7ffda549209f 1326->1333 1334 7ffda5492070 1326->1334 1414 7ffda549221c 1327->1414 1368 7ffda5492ef4 1330->1368 1337 7ffda5491fe9 1331->1337 1338 7ffda5492002 1331->1338 1405 7ffda5493390 1333->1405 1339 7ffda5492075 1334->1339 1340 7ffda549208f 1334->1340 1337->1329 1345 7ffda54925bc 1337->1345 1355 7ffda54934b4 1338->1355 1339->1329 1383 7ffda54923a0 1339->1383 1393 7ffda5492448 1340->1393 1441 7ffda5492698 1345->1441 1347 7ffda54925ed 1450 7ffda5493d90 1347->1450 1348 7ffda5492646 1351 7ffda5492fa4 10 API calls 1348->1351 1351->1347 1353 7ffda5492608 swprintf 1354 7ffda5492634 OutputDebugStringA 1353->1354 1354->1347 1356 7ffda54934fd swprintf 1355->1356 1357 7ffda5493511 OutputDebugStringA 1356->1357 1464 7ffda5493860 1357->1464 1359 7ffda5493529 swprintf 1360 7ffda5493534 swprintf 1359->1360 1361 7ffda5493583 OutputDebugStringA 1359->1361 1362 7ffda5493669 OutputDebugStringA 1360->1362 1361->1360 1366 7ffda549359a swprintf 1361->1366 1363 7ffda5493671 1362->1363 1364 7ffda5493d90 8 API calls 1363->1364 1365 7ffda5493680 1364->1365 1365->1329 1367 7ffda54935ce OutputDebugStringA 1366->1367 1367->1363 1372 7ffda5492f39 swprintf 1368->1372 1369 7ffda5492f7c 1370 7ffda5493d90 8 API calls 1369->1370 1371 7ffda5492f90 1370->1371 1371->1329 1372->1369 1373 7ffda5492f6f OutputDebugStringA 1372->1373 1373->1369 1375 7ffda5492ff7 1374->1375 1378 7ffda5493066 swprintf 1375->1378 1382 7ffda5492ffd swprintf 1375->1382 1376 7ffda549302f OutputDebugStringA 1377 7ffda5493116 1376->1377 1380 7ffda5493d90 8 API calls 1377->1380 
1379 7ffda5493094 OutputDebugStringA 1378->1379 1379->1377 1381 7ffda5493148 1380->1381 1381->1329 1382->1376 1382->1377 1384 7ffda5492698 10 API calls 1383->1384 1385 7ffda54923cd 1384->1385 1386 7ffda549242e 1385->1386 1387 7ffda5492416 1385->1387 1391 7ffda54923d8 swprintf 1385->1391 1388 7ffda5493d90 8 API calls 1386->1388 1390 7ffda5492fa4 10 API calls 1387->1390 1389 7ffda549243e 1388->1389 1389->1329 1390->1386 1392 7ffda5492404 OutputDebugStringA 1391->1392 1392->1386 1394 7ffda5492491 swprintf 1393->1394 1395 7ffda54924a5 OutputDebugStringA 1394->1395 1470 7ffda5493698 1395->1470 1398 7ffda549250d swprintf 1402 7ffda54924c3 1398->1402 1404 7ffda549254b OutputDebugStringA 1398->1404 1399 7ffda54924d2 swprintf 1403 7ffda54924f9 OutputDebugStringA 1399->1403 1400 7ffda5493d90 8 API calls 1401 7ffda54925a2 1400->1401 1401->1329 1402->1400 1403->1402 1404->1402 1406 7ffda54933cd swprintf 1405->1406 1407 7ffda54933e1 OutputDebugStringA 1406->1407 1408 7ffda5493860 9 API calls 1407->1408 1409 7ffda54933f9 swprintf 1408->1409 1411 7ffda54933ff 1409->1411 1413 7ffda5493447 OutputDebugStringA 1409->1413 1410 7ffda5493d90 8 API calls 1412 7ffda549349d 1410->1412 1411->1410 1412->1329 1413->1411 1415 7ffda5492266 swprintf 1414->1415 1416 7ffda549227a OutputDebugStringA 1415->1416 1417 7ffda5493698 10 API calls 1416->1417 1418 7ffda5492292 1417->1418 1420 7ffda5492298 1418->1420 1422 7ffda54922a7 swprintf 1418->1422 1423 7ffda54922e2 swprintf 1418->1423 1419 7ffda5493d90 8 API calls 1421 7ffda5492386 1419->1421 1420->1419 1421->1329 1424 7ffda54922ce OutputDebugStringA 1422->1424 1423->1420 1425 7ffda5492320 OutputDebugStringA 1423->1425 1424->1420 1425->1420 1427 7ffda54931a0 swprintf 1426->1427 1428 7ffda54931b4 OutputDebugStringA 1427->1428 1429 7ffda5493860 9 API calls 1428->1429 1430 7ffda54931cc 1429->1430 1431 7ffda549321c 1430->1431 1434 7ffda54931d2 1430->1434 1435 7ffda54931e1 swprintf 1430->1435 1437 7ffda5493226 swprintf 1431->1437 1439 7ffda5493271 
swprintf 1431->1439 1432 7ffda5493d90 8 API calls 1433 7ffda5493379 1432->1433 1433->1329 1434->1432 1436 7ffda5493208 OutputDebugStringA 1435->1436 1436->1434 1438 7ffda549325a OutputDebugStringA 1437->1438 1438->1434 1439->1434 1440 7ffda549331c OutputDebugStringA 1439->1440 1440->1434 1442 7ffda54926de 1441->1442 1443 7ffda5492721 swprintf 1442->1443 1444 7ffda54926e4 swprintf 1442->1444 1446 7ffda549279d 1443->1446 1449 7ffda5492788 OutputDebugStringA 1443->1449 1445 7ffda5492711 OutputDebugStringA 1444->1445 1445->1446 1447 7ffda5493d90 8 API calls 1446->1447 1448 7ffda54925e9 1447->1448 1448->1347 1448->1348 1448->1353 1449->1446 1451 7ffda5493d99 1450->1451 1452 7ffda549268c 1451->1452 1453 7ffda5494150 IsProcessorFeaturePresent 1451->1453 1452->1329 1454 7ffda5494168 1453->1454 1459 7ffda5494224 RtlCaptureContext 1454->1459 1460 7ffda549423e RtlLookupFunctionEntry 1459->1460 1461 7ffda549417b 1460->1461 1462 7ffda5494254 RtlVirtualUnwind 1460->1462 1463 7ffda5494110 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 1461->1463 1462->1460 1462->1461 1466 7ffda54938a5 swprintf 1464->1466 1465 7ffda54938e5 1468 7ffda5493d90 8 API calls 1465->1468 1466->1465 1467 7ffda54938d8 OutputDebugStringA 1466->1467 1467->1465 1469 7ffda5493926 1468->1469 1469->1359 1471 7ffda54936e9 1470->1471 1473 7ffda5493759 swprintf 1471->1473 1474 7ffda54936ef swprintf 1471->1474 1472 7ffda5493721 OutputDebugStringA 1477 7ffda549380d 1472->1477 1475 7ffda549378b OutputDebugStringA 1473->1475 1474->1472 1474->1477 1475->1477 1476 7ffda5493d90 8 API calls 1478 7ffda54924bd 1476->1478 1477->1476 1478->1398 1478->1399 1478->1402 1495 7ffda5491450 1496 7ffda5491496 SleepEx 1495->1496 1497 7ffda54914a6 CreateNamedPipeW 1496->1497 1499 7ffda54914db swprintf 1496->1499 1497->1499 1498 7ffda5491680 WaitForSingleObject 1498->1496 1498->1499 1499->1498 1500 7ffda54916a6 WriteFile 1499->1500 1501 7ffda54916dd PeekNamedPipe 1499->1501 1505 7ffda54914fc 
OutputDebugStringA 1499->1505 1506 7ffda5491547 OutputDebugStringA ConnectNamedPipe 1499->1506 1508 7ffda549164f FindCloseChangeNotification 1499->1508 1509 7ffda54915a1 OutputDebugStringA 1499->1509 1510 7ffda54915c6 WriteFile 1499->1510 1511 7ffda5491667 ReleaseMutex 1499->1511 1512 7ffda5491602 SleepEx ReadFile 1499->1512 1502 7ffda54916fe CloseHandle 1500->1502 1504 7ffda54916c4 1500->1504 1501->1502 1503 7ffda5491711 ReleaseMutex 1501->1503 1502->1503 1503->1496 1504->1503 1505->1496 1506->1499 1507 7ffda5491568 GetLastError 1506->1507 1507->1499 1508->1496 1509->1499 1510->1499 1510->1508 1511->1498 1512->1499 1609 7ffda5492110 1610 7ffda5492149 1609->1610 1616 7ffda54921e1 1610->1616 1617 7ffda54910ec WaitForSingleObject 1610->1617 1611 7ffda5493d90 8 API calls 1613 7ffda549220f 1611->1613 1615 7ffda5492fa4 10 API calls 1615->1616 1616->1611 1618 7ffda549110c 1617->1618 1619 7ffda5491113 1617->1619 1618->1615 1620 7ffda5491133 ReleaseMutex 1619->1620 1621 7ffda549114c 1619->1621 1620->1618 1622 7ffda5491178 ReleaseMutex 1621->1622 1622->1618 1651 7ffda54940d0 1652 7ffda54940ec 1651->1652 1653 7ffda54940f1 1651->1653 1655 7ffda5494298 1652->1655 1656 7ffda54942bb GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 1655->1656 1657 7ffda549432f 1655->1657 1656->1657 1657->1653 1658 7ffda54919d0 1659 7ffda54919e2 1658->1659 1660 7ffda5491a4b 1659->1660 1667 7ffda549100c 1659->1667 1663 7ffda5491a0b malloc 1664 7ffda5491a26 1663->1664 1670 7ffda5491724 1664->1670 1668 7ffda549101c WaitForSingleObject 1667->1668 1669 7ffda5491034 1667->1669 1668->1669 1669->1660 1669->1663 1671 7ffda5491727 ReleaseMutex 1670->1671 1623 7ffda5495533 1624 7ffda54955b8 _IsNonwritableInCurrentImage __except_validate_context_record 1623->1624 1625 7ffda54956e0 1624->1625 1626 7ffda54956ab RtlUnwindEx 1624->1626 1626->1624 1672 7ffda5494454 1674 7ffda5494478 __scrt_release_startup_lock 1672->1674 1673 7ffda5495cb3 _seh_filter_dll 1674->1673 1675 
7ffda5495e54 __scrt_dllmain_exception_filter 1705 7ffda5494414 1710 7ffda549580c 1705->1710 1707 7ffda5494421 1708 7ffda549441d 1708->1707 1713 7ffda5495820 1708->1713 1711 7ffda54959ec 7 API calls 1710->1711 1712 7ffda5495815 1711->1712 1712->1708 1716 7ffda5495980 1713->1716 1717 7ffda549582b 1716->1717 1718 7ffda5495994 1716->1718 1717->1707 1719 7ffda54959a8 FlsSetValue 1718->1719 1720 7ffda5495999 FlsGetValue 1718->1720 1719->1717 1721 7ffda54959b5 1719->1721 1720->1719 1721->1717 1722 7ffda54959c1 free 1721->1722 1722->1717 1627 7ffda5491727 ReleaseMutex 1479 7ffda54911a0 1480 7ffda54911e6 SleepEx 1479->1480 1481 7ffda54911f6 CreateNamedPipeW 1480->1481 1494 7ffda549122b swprintf 1480->1494 1481->1494 1482 7ffda54913b6 WaitForSingleObject 1482->1480 1482->1494 1483 7ffda54913d5 ReadFile 1485 7ffda54913fa FindCloseChangeNotification 1483->1485 1483->1494 1484 7ffda5491430 ReleaseMutex 1484->1480 1485->1484 1486 7ffda549124c OutputDebugStringA 1486->1480 1487 7ffda5491297 OutputDebugStringA ConnectNamedPipe 1488 7ffda54912b8 GetLastError 1487->1488 1487->1494 1488->1494 1489 7ffda54913a3 CloseHandle 1489->1482 1490 7ffda54912f1 OutputDebugStringA 1490->1494 1491 7ffda5491316 WriteFile 1491->1489 1491->1494 1492 7ffda5491356 SleepEx ReadFile 1492->1494 1493 7ffda549140f ReleaseMutex 1493->1482 1494->1482 1494->1483 1494->1484 1494->1486 1494->1487 1494->1489 1494->1490 1494->1491 1494->1492 1494->1493 1513 7ffda5493940 1514 7ffda5493948 1513->1514 1515 7ffda5493b15 DbgPrintEx 1514->1515 1516 7ffda5493983 1514->1516 1518 7ffda5493a2d 1515->1518 1517 7ffda549399c DbgPrintEx DbgPrintEx 1516->1517 1519 7ffda54939c5 1516->1519 1517->1519 1520 7ffda54939fb 1519->1520 1521 7ffda5493a34 1519->1521 1520->1518 1524 7ffda5493a04 DbgPrintEx DbgPrintEx 1520->1524 1522 7ffda5493a66 1521->1522 1523 7ffda5493a3d DbgPrintEx DbgPrintEx 1521->1523 1534 7ffda5493b50 1522->1534 1523->1522 1524->1518 1527 7ffda5493a8b DbgPrintEx DbgPrintEx 1528 7ffda5493ab4 1527->1528 1541 
7ffda5491b18 1528->1541 1531 7ffda5493ac5 DbgPrintEx 1531->1518 1532 7ffda5493ae1 1532->1518 1533 7ffda5493aea DbgPrintEx DbgPrintEx 1532->1533 1533->1518 1535 7ffda5493b86 DbgPrintEx 1534->1535 1538 7ffda5493bad 1534->1538 1536 7ffda5493a78 1535->1536 1536->1518 1536->1527 1536->1528 1537 7ffda5493cbe DbgPrintEx 1538->1536 1538->1537 1539 7ffda5493c23 DbgPrintEx 1538->1539 1540 7ffda5493c9a DbgPrintEx 1538->1540 1539->1536 1540->1536 1542 7ffda5491b56 swprintf 1541->1542 1543 7ffda5491b69 OutputDebugStringA 1542->1543 1546 7ffda5491bca swprintf 1543->1546 1544 7ffda5491c0e 1545 7ffda5493d90 8 API calls 1544->1545 1547 7ffda5491c1e 1545->1547 1546->1544 1548 7ffda5491bfe OutputDebugStringA 1546->1548 1547->1531 1547->1532 1548->1544 1549 7ffda5491c40 1550 7ffda5491c87 swprintf 1549->1550 1551 7ffda5491c99 OutputDebugStringA 1550->1551 1552 7ffda5491cc3 1551->1552 1553 7ffda5491d66 1552->1553 1555 7ffda5491d26 swprintf 1552->1555 1576 7ffda5492b38 1553->1576 1557 7ffda5491d52 OutputDebugStringA 1555->1557 1558 7ffda5491de9 1557->1558 1559 7ffda5493d90 8 API calls 1558->1559 1561 7ffda5491f0b 1559->1561 1566 7ffda5491e59 swprintf 1568 7ffda5491e8b OutputDebugStringA 1566->1568 1567 7ffda5491e9a 1594 7ffda549103c CreateMutexW CreateMutexW 1567->1594 1568->1567 1570 7ffda5491e1f swprintf 1570->1567 1571 7ffda5491e4c OutputDebugStringA 1570->1571 1571->1566 1572 7ffda5491e9f swprintf 1573 7ffda5491ecb OutputDebugStringA 1572->1573 1598 7ffda549196c malloc 1573->1598 1575 7ffda5491ee2 malloc 1575->1558 1577 7ffda5492b7e swprintf 1576->1577 1578 7ffda5492b91 OutputDebugStringA 1577->1578 1579 7ffda5492baf swprintf 1578->1579 1580 7ffda5492c67 OutputDebugStringA 1579->1580 1581 7ffda5492c76 1579->1581 1580->1581 1582 7ffda5493d90 8 API calls 1581->1582 1583 7ffda5491dcc 1582->1583 1583->1558 1584 7ffda54927cc 1583->1584 1585 7ffda549280d swprintf 1584->1585 1586 7ffda54928b8 OutputDebugStringA 1585->1586 1589 7ffda54928ca swprintf 1585->1589 1586->1589 1587 7ffda5493d90 8 
API calls 1588 7ffda5491de5 1587->1588 1588->1558 1590 7ffda5491a54 1588->1590 1589->1587 1591 7ffda5491a98 1590->1591 1592 7ffda5491ada 1591->1592 1593 7ffda5491a9e RtlInitUnicodeString 1591->1593 1592->1566 1601 7ffda5492d08 1592->1601 1593->1592 1595 7ffda5493cf6 1594->1595 1596 7ffda5491076 malloc CreateThread CreateThread 1595->1596 1597 7ffda54910d9 1596->1597 1597->1572 1599 7ffda549198b malloc 1598->1599 1600 7ffda54919a0 1598->1600 1599->1600 1600->1575 1602 7ffda5492d65 1601->1602 1603 7ffda5492dac RtlInitUnicodeString 1602->1603 1606 7ffda5492ea7 1602->1606 1607 7ffda5492e33 swprintf 1603->1607 1604 7ffda5493d90 8 API calls 1605 7ffda5492ed8 1604->1605 1605->1570 1606->1604 1607->1606 1608 7ffda5492e8c OutputDebugStringA 1607->1608 1608->1606 1676 7ffda5495960 1677 7ffda5495969 1676->1677 1678 7ffda549597a 1676->1678 1677->1678 1679 7ffda5495975 free 1677->1679 1679->1678 1628 7ffda5495ea2 1629 7ffda5495f26 1628->1629 1630 7ffda5495eba 1628->1630 1630->1629 1635 7ffda54959d0 1630->1635 1632 7ffda5495f07 1633 7ffda54959d0 7 API calls 1632->1633 1634 7ffda5495f1c terminate 1633->1634 1634->1629 1638 7ffda54959ec 1635->1638 1637 7ffda54959d9 1637->1632 1639 7ffda5495a0b GetLastError FlsGetValue 1638->1639 1640 7ffda5495a04 1638->1640 1641 7ffda5495a2a 1639->1641 1642 7ffda5495a94 SetLastError 1639->1642 1640->1637 1643 7ffda5495a2f 1641->1643 1644 7ffda5495a34 FlsSetValue 1641->1644 1642->1640 1643->1642 1644->1642 1645 7ffda5495a44 1644->1645 1646 7ffda5495a5f FlsSetValue 1645->1646 1647 7ffda5495a84 FlsSetValue 1645->1647 1648 7ffda5495a6c 1646->1648 1649 7ffda5495a7e 1646->1649 1650 7ffda5495a8c free 1647->1650 1648->1650 1649->1647 1650->1642 1680 7ffda54957e4 1687 7ffda5495b20 1680->1687 1683 7ffda54957f1 1688 7ffda5495b28 InitializeCriticalSectionEx 1687->1688 1689 7ffda5495b49 1688->1689 1690 7ffda5495b5a 1688->1690 1689->1688 1691 7ffda54957ed 1689->1691 1692 7ffda5495b68 __vcrt_uninitialize_locks DeleteCriticalSection 1690->1692 1691->1683 1693 
7ffda5495ab0 FlsAlloc 1691->1693 1692->1691 1694 7ffda5495acc FlsSetValue 1693->1694 1695 7ffda54957fa 1693->1695 1694->1695 1696 7ffda5495aed 1694->1696 1695->1683 1698 7ffda5495b68 1695->1698 1702 7ffda5495afc 1696->1702 1699 7ffda5495b93 1698->1699 1700 7ffda5495b76 DeleteCriticalSection 1699->1700 1701 7ffda5495b97 1699->1701 1700->1699 1701->1683 1703 7ffda5495b18 1702->1703 1704 7ffda5495b0b FlsFree 1702->1704 1703->1695 1704->1703

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugFileOutputStringswprintf$CloseMutexNamedPipeReadReleaseSleep$ChangeConnectCreateErrorFindHandleLastNotificationObjectSingleWaitWrite
              • String ID: Client connected to Rx Pipe$Couldn't create RX PIPE$Rx Pipe waiting for client to connect
              • API String ID: 141928102-3588961759
              • Opcode ID: ff1bbc41128ba2a93588fd681ccb65bf33ce0c646b4688b609364b64b3b30b10
              • Instruction ID: bed7cc1b632d0d522f718cd50daa891a76ef72661b1936df159ac350fa256f93
              • Opcode Fuzzy Hash: ff1bbc41128ba2a93588fd681ccb65bf33ce0c646b4688b609364b64b3b30b10
              • Instruction Fuzzy Hash: 13811D61F1A64AC5F610DF22E8A227973A0BF87F84F801136D94D467A6CFBCE509C748

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: Create$MutexThread$malloc
              • String ID:
              • API String ID: 526595258-0
              • Opcode ID: 6e7591fc25fa7a7917ff9ce46d05516ef4a6fab5bfa89c3d551d250ca750e818
              • Instruction ID: 0392f64aaf8a26610552f9def9d76ced2428212001fc1a93e3087a20555de313
              • Opcode Fuzzy Hash: 6e7591fc25fa7a7917ff9ce46d05516ef4a6fab5bfa89c3d551d250ca750e818
              • Instruction Fuzzy Hash: B5117072B1AB49C3F714DB75B8A776623A1AB8BB04F44813DD94E45752DFBCE0188608

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugFileNamedOutputPipeStringswprintf$CloseMutexReleaseSleepWrite$ChangeConnectCreateErrorFindHandleLastNotificationObjectPeekReadSingleWait
              • String ID: Client connected to Tx Pipe$Couldn't create TX PIPE$Tx Pipe waiting for client to connect
              • API String ID: 2104952168-620275337
              • Opcode ID: ccde033439e10b9cae6ee0591f6f41d027f13791ba550421f44d8fdc33a4abd9
              • Instruction ID: d1f3c3559a347877fb7f860fcaf9575fb199f200d88801519020a7ca47b75f26
              • Opcode Fuzzy Hash: ccde033439e10b9cae6ee0591f6f41d027f13791ba550421f44d8fdc33a4abd9
              • Instruction Fuzzy Hash: 18812D61F1A74AC2E710DF22E8A67B923A1BB87F94F400136D95D467A6CFBCE504C748

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: Print
              • String ID: FxDriverEntryUm: DriverEntry failed 0x%x for driver %wZ$FxDriverEntryUm: PDRIVER_OBJECT_UM 0x%p Successfully bound to class library if present$FxDriverEntryUm: PDRIVER_OBJECT_UM 0x%p Successfully bound to version library$FxDriverEntryUm: PDRIVER_OBJECT_UM 0x%p Successfully returned from driver's DriverEntry$FxDriverEntryUm: VersionBind status 0x%x$FxDriverEntryUm: invalid LoaderInterface 0x%x$FxDriverEntrydUm Enter PDRIVER_OBJECT_UM 0x%p$Wudfx2000:
              • API String ID: 3558298466-464219049
              • Opcode ID: f9f4fa4e0a429dc2f3b1f90cd808eaf3d505fd65c7824ea117bca7e17036aa37
              • Instruction ID: d8d787d7998ea385f21e6be9dcc2f5cad736dfd28c09d43e16ecf90ab0a04460
              • Opcode Fuzzy Hash: f9f4fa4e0a429dc2f3b1f90cd808eaf3d505fd65c7824ea117bca7e17036aa37
              • Instruction Fuzzy Hash: 35513024B0A74BD6FB148B51A82A7A57361FF8BF94F440136C92D53366CFBCE585C248

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugOutputStringswprintf
              • String ID: PipesInit returned: %d$8$Enter EvtDeviceAdd$Error: WdfDeviceCreate failed 0x%x$Failed to read descriptor from registry$Using Hard-coded Report descriptor
              • API String ID: 79745889-3959671834
              • Opcode ID: fd1598e41f4a5a219b1df524046772ba4cab182639afa06942277a0f2473a26f
              • Instruction ID: df2610497d8327c7381bc04654daf809112f161940d10712e30f3654cd90c42e
              • Opcode Fuzzy Hash: fd1598e41f4a5a219b1df524046772ba4cab182639afa06942277a0f2473a26f
              • Instruction Fuzzy Hash: C7816F21B1AB8AC5E750DF22E8623E92360FB87F84F405032EA4D87766DF78E644C744

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugOutputStringswprintf
              • String ID: 8$QUEUecre$WdfIoQueueCreate failed 0x%x
              • API String ID: 79745889-1312770787
              • Opcode ID: 90a3f2d5762d31625a14d2fc45adea2f86764422d7893843a7f10a0f03dde394
              • Instruction ID: b740f129e5946390126626be68ab69fb600cd08006302ff76f3b55c942159b43
              • Opcode Fuzzy Hash: 90a3f2d5762d31625a14d2fc45adea2f86764422d7893843a7f10a0f03dde394
              • Instruction Fuzzy Hash: CD515A22B19B85C5E710CF26E8A13A97760FB8AB94F400136EE4D4376ADF78D185C704

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugOutputStringswprintf
              • String ID: $DriverEntry for IDmelonHIDdrv$Error: WdfDriverCreate failed 0x%x
              • API String ID: 79745889-3519952669
              • Opcode ID: a22b21f8a936388fc97461c0f9945eeb537ba2ea1cc19efaa65f3d543d1f3138
              • Instruction ID: 86a2be15b5e1fdb95db354b941e6937a34ef423a0c644aa535d3164c8cf35344
              • Opcode Fuzzy Hash: a22b21f8a936388fc97461c0f9945eeb537ba2ea1cc19efaa65f3d543d1f3138
              • Instruction Fuzzy Hash: 05215232B19B89C1E720CB11F8667A66364FBCAB90F800131DA8D8375ADF7DD544CB44

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: InitStringUnicode
              • String ID: ReadFromRegistry
              • API String ID: 4228678080-2823807924
              • Opcode ID: d7045735b450d10ca7eef2bf90baf95b1a0a9490a264fc47a8becad569abb2c4
              • Instruction ID: 62235623c28cd1027dbb900396bdef8b05a15090e9b75c501f7b800ab1f0ac8e
              • Opcode Fuzzy Hash: d7045735b450d10ca7eef2bf90baf95b1a0a9490a264fc47a8becad569abb2c4
              • Instruction Fuzzy Hash: D211E975B1AB1AC2EB008B56E8A67697360FB4AF85F000132DE1C47376DEAED485C744

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 206 7ffda549196c-7ffda5491989 malloc 207 7ffda54919a8 206->207 208 7ffda549198b-7ffda549199e malloc 206->208 211 7ffda54919ab-7ffda54919b5 207->211 209 7ffda54919b6-7ffda54919c0 call 7ffda5493cfc 208->209 210 7ffda54919a0-7ffda54919a4 208->210 209->211 210->207
              APIs
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: malloc
              • String ID:
              • API String ID: 2803490479-0
              • Opcode ID: 1e42bd493bbaa962412695e9efec54261937a4001b952f01b66bb145e9638e47
              • Instruction ID: 8dea3a5a67d36468b37a536081ae2b58b439fa77f9e5a962d035ced094fe0bc5
              • Opcode Fuzzy Hash: 1e42bd493bbaa962412695e9efec54261937a4001b952f01b66bb145e9638e47
              • Instruction Fuzzy Hash: 68F08C22B0AB4BC1EA549B25B56223822A0AF4BF80F585034EE4E46387EE7CE460C344
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: swprintf$DebugOutputString
              • String ID: ($($WdfIoQueueCreate failed 0x%x$WdfTimerCreate failed 0x%x
              • API String ID: 2627967256-2377412015
              • Opcode ID: c736806c944dfe9459cdeb6948cce325341392466bc6cae8614ca52d8a592f4c
              • Instruction ID: 1efe854bd77155d393da0eac27377270bda6bca91b8c1dbef8fa85be6fbfc346
              • Opcode Fuzzy Hash: c736806c944dfe9459cdeb6948cce325341392466bc6cae8614ca52d8a592f4c
              • Instruction Fuzzy Hash: 4AA15C22B1AB85CAE710CF62E8613E97760F786B88F005136EE4D4376ADFB8D184C744
              APIs
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
              • String ID:
              • API String ID: 3140674995-0
              • Opcode ID: 344297d84c8067e6abf24d991a323fa6e0dc01afb207876c91f4e9e0aea85330
              • Instruction ID: d47057aa2917b14a2e806cd2bbb19aff60413c580733729c15e64145adbfeec3
              • Opcode Fuzzy Hash: 344297d84c8067e6abf24d991a323fa6e0dc01afb207876c91f4e9e0aea85330
              • Instruction Fuzzy Hash: 03312C7270AA85C5EB60CF60E8613E96360FB86B48F444439DA4E47B95DF78D548C714

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugOutputStringswprintf
              • String ID: SetFeature$SetFeature: IDMELONHID_CONTROL_CODE_DUMMY1$SetFeature: IDMELONHID_CONTROL_CODE_DUMMY2$SetFeature: Unknown control Code 0x%x$SetFeature: invalid input buffer. size %d, expect %d$SetFeature: invalid report id %d
              • API String ID: 79745889-321838564
              • Opcode ID: e010d420a2bb48320439f17d13db64a889c1f4fd4f3445e748223449e5cc304c
              • Instruction ID: 59a2ea900952fe99077011e040f64c29d428e84ee9d8c6fe74299d03876ce34e
              • Opcode Fuzzy Hash: e010d420a2bb48320439f17d13db64a889c1f4fd4f3445e748223449e5cc304c
              • Instruction Fuzzy Hash: 6C518365719A8AC5E720DB25E8663F96360FB87F88F404031EA4D4779ADEBCE644C708

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugOutputStringswprintf
              • String ID: WriteReport$WriteReport: input buffer. size %d$WriteReport: iRequestGetHidXferPacket_ToWriteToDevice failed$WriteReport: information set bytes %d$WriteReport: invalid input buffer. size %d, expect %d
              • API String ID: 79745889-1969825649
              • Opcode ID: 27dc0d55051a149a62840a266a3792bc134b13d6674b58aa0cf559228ccf8a14
              • Instruction ID: 6ed959f4482139d4ae6892bbb4a06cdd16a2fa7cec5c3da21cb0eadd061976a0
              • Opcode Fuzzy Hash: 27dc0d55051a149a62840a266a3792bc134b13d6674b58aa0cf559228ccf8a14
              • Instruction Fuzzy Hash: 7C418325B19A8AC5E720DF22E8667E92320FB87F88F800031EA4D57766DF7CD645C744

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugOutputStringswprintf
              • String ID: GetFeature$GetFeature: invalid report id %d$GetFeature: output buffer too small. Size %d, expect %d
              • API String ID: 79745889-3916486426
              • Opcode ID: 01a1b0822caab69461dbe954ec9eae928e8f7ba608eb4ac28a7acc99e7c711f7
              • Instruction ID: 890d9f6a5848ab9490545aa6c57b6b786c4666b0e053341f0db117007bcd9fa1
              • Opcode Fuzzy Hash: 01a1b0822caab69461dbe954ec9eae928e8f7ba608eb4ac28a7acc99e7c711f7
              • Instruction Fuzzy Hash: 7141B225719A86D5EB20CF22D8663B96360FB8BF84F404032EA4D47B66DF7DD545C704

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugOutputStringswprintf
              • String ID: GetInputReport$GetInputReport: invalid report id %d$GetInputReport: output buffer too small. Size %d, expect %d
              • API String ID: 79745889-1024876767
              • Opcode ID: 3f22c7e6480db2682eeb50e5b7a68e78ab0da883729ff340ae19963219fc38ee
              • Instruction ID: 8d8834fdacbb8f5a54fa23fbb688dd5d8a930b590cf18bdef0d91b20c77d4178
              • Opcode Fuzzy Hash: 3f22c7e6480db2682eeb50e5b7a68e78ab0da883729ff340ae19963219fc38ee
              • Instruction Fuzzy Hash: E341B12571AA86C5EB20DB22E8663F96721FB8BB84F804031EA4D47767CEBDD545C704
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugOutputStringswprintf
              • String ID: WdfRequestRetrieveInputMemory failed 0x%x$WdfRequestRetrieveInputMemory: invalid input buffer. size %d, expect %d$WdfRequestRetrieveOutputMemory failed 0x%x
              • API String ID: 79745889-1090594742
              • Opcode ID: 80aff233d870849c0cbc87c11f867bbff2568ec6a4f4e4078b9fa3f26c915016
              • Instruction ID: 7d7b1ab584659f699094f980cc39c282008e2dd0b7944353b3ccfaf1f13333ad
              • Opcode Fuzzy Hash: 80aff233d870849c0cbc87c11f867bbff2568ec6a4f4e4078b9fa3f26c915016
              • Instruction Fuzzy Hash: 6D413B26B09A8AC5E710DF66E8A63EA7360FB8BF94F404032DA4D43766CEBCD545C744
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugOutputStringswprintf
              • String ID: RequestCopyFromBuffer: buffer too small. Size %d, expect %d$WdfMemoryCopyFromBuffer failed 0x%x$WdfRequestRetrieveOutputMemory failed 0x%x
              • API String ID: 79745889-3405115737
              • Opcode ID: 2ec1cebfa06fe716da7dd59f542e31adca3a226b2322e9e272680fa5f53667f5
              • Instruction ID: 74aca8815a5361fce28d5ad7c95251545ebeb152be46b2cd3c372360c8163c12
              • Opcode Fuzzy Hash: 2ec1cebfa06fe716da7dd59f542e31adca3a226b2322e9e272680fa5f53667f5
              • Instruction Fuzzy Hash: 9F415E26B1AA9AC2EB10DF12E8A27E96320FB8BF94F400032ED4D43766DE7DD545C744
              APIs
              Strings
              • FxGetNextClassBindInfo failed, xrefs: 00007FFDA5493CC0
              • FxStubBindClasses: invalid driver image, the address of symbol __KMDF_CLASS_BIND_START 0x%p is greater than the address of symbol __KMDF_CLASS_BIND_END 0x%p, status 0x%x, xrefs: 00007FFDA5493B8D
              • FxStubBindClasses: VersionBindClass WDF_CLASS_BIND_INFO 0x%p, class %S, returned status 0x%x, xrefs: 00007FFDA5493C9E
              • FxStubBindClasses: ClientBindClass %p, WDF_CLASS_BIND_INFO 0x%p, class %S, returned status 0x%x, xrefs: 00007FFDA5493C27
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: Print
              • String ID: FxGetNextClassBindInfo failed$FxStubBindClasses: ClientBindClass %p, WDF_CLASS_BIND_INFO 0x%p, class %S, returned status 0x%x$FxStubBindClasses: VersionBindClass WDF_CLASS_BIND_INFO 0x%p, class %S, returned status 0x%x$FxStubBindClasses: invalid driver image, the address of symbol __KMDF_CLASS_BIND_START 0x%p is greater than the address of symbol __KMDF_CLASS_BIND_END 0x%p, status 0x%x
              • API String ID: 3558298466-25039098
              • Opcode ID: f02df258cd53c364223eff0353354d87365857eeac632ec2e8b57c0b11e4937c
              • Instruction ID: efa0c121a023253501e7b89905ce71b870942f95981080441c8cfc10be5fc4e7
              • Opcode Fuzzy Hash: f02df258cd53c364223eff0353354d87365857eeac632ec2e8b57c0b11e4937c
              • Instruction Fuzzy Hash: F8416072B0AB4AC6EA14CF16E86666973A0FB47F84F544132D90D43366DF7CE545C344
              APIs
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
              • String ID:
              • API String ID: 190073905-0
              • Opcode ID: 954c3e957acb9558f11fa21a36b279f32b61ef67e54de2f5c0e76da4e01a6560
              • Instruction ID: 380eed15c57492a9e98969c37457a7cb924476705dff38ec3ec94ccf119040f4
              • Opcode Fuzzy Hash: 954c3e957acb9558f11fa21a36b279f32b61ef67e54de2f5c0e76da4e01a6560
              • Instruction Fuzzy Hash: 2D818060F0E24BC5FA649B65E4733B962A0BF87F84F544135D90C43797DEADE8418788
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: String$DebugInitOutputUnicodeswprintf
              • String ID: 8$MyReportDescriptor$No. of report descriptor bytes copied: %d
              • API String ID: 4008883908-1845194508
              • Opcode ID: b02a79a54b4ddba33779877d9069f3ab775a5e906b3da4e03cffeec6627880c0
              • Instruction ID: 7a570cbc6ad7a461e1818a81f7e69e9cbe6d183a64d2aa10bdcab269f401844c
              • Opcode Fuzzy Hash: b02a79a54b4ddba33779877d9069f3ab775a5e906b3da4e03cffeec6627880c0
              • Instruction Fuzzy Hash: 7F511932B09B4AC6EB108B56E8653AA7760F78AB84F500136DE8C43726CFBDE185C704
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugOutputStringswprintf
              • String ID: GetStringId: invalid input buffer. size %d, expect %d$WdfRequestRetrieveInputMemory failed 0x%x
              • API String ID: 79745889-555852278
              • Opcode ID: 38d0409d3813333f2bee9a46dfebe6d07e6bd4e1a022ccd2fc7e73a9e0900cbb
              • Instruction ID: 90d372316ec8cfe6753e5762f4fce5b465f4ab8256cd4f5fd1bc78f07d1f2cdf
              • Opcode Fuzzy Hash: 38d0409d3813333f2bee9a46dfebe6d07e6bd4e1a022ccd2fc7e73a9e0900cbb
              • Instruction Fuzzy Hash: 21315035B19A4AC2E710DB12E8A67AA7360FB8BF94F404032EA4E83766DF7CD444C744
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugOutputStringswprintf
              • String ID: SetOutputReport$SetOutputReport: invalid input buffer. size %d, expect %d
              • API String ID: 79745889-2303318144
              • Opcode ID: c11430cfef5bba140b3b919910bcc19f44db8ca4e0b832e1d45df74e04fbc7af
              • Instruction ID: efd6b04bb51eca401f5482c28f4b5d63442506e5ed41dce2398fcdc8416b3c7c
              • Opcode Fuzzy Hash: c11430cfef5bba140b3b919910bcc19f44db8ca4e0b832e1d45df74e04fbc7af
              • Instruction Fuzzy Hash: B721932171DA8AC1E720DB12F8A63AA6720FB8BF84F404031DA4D53767DE7CD549CB48
              APIs
              • GetLastError.KERNEL32(?,?,?,00007FFDA5495815,?,?,?,?,00007FFDA549441D,?,?,?,?,00007FFDA5493DDD), ref: 00007FFDA5495A0B
              • FlsGetValue.KERNEL32(?,?,?,00007FFDA5495815,?,?,?,?,00007FFDA549441D,?,?,?,?,00007FFDA5493DDD), ref: 00007FFDA5495A19
              • SetLastError.KERNEL32(?,?,?,00007FFDA5495815,?,?,?,?,00007FFDA549441D,?,?,?,?,00007FFDA5493DDD), ref: 00007FFDA5495A96
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: ErrorLast$Value
              • String ID:
              • API String ID: 1883355122-0
              • Opcode ID: 3a53b49d89fcfb0990be15416f23b776ae89fad4ae039d28db4b36a074390e63
              • Instruction ID: 7cfadc89be2ab41a49b24db8fcb816caa800f7a897d5f81258bb77f5d590ddbd
              • Opcode Fuzzy Hash: 3a53b49d89fcfb0990be15416f23b776ae89fad4ae039d28db4b36a074390e63
              • Instruction Fuzzy Hash: 55112420F0B65AC2FE548B26A86727522D16F57FA0F544634D92E073E6DEBCE441C60D
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugOutputStringswprintf
              • String ID: GetString: unkown string id %d$UMDF Virtual AccessKey FIDO HID Device Manufacturer string$UMDF Virtual AccessKey FIDO HID Device Product string$UMDF Virtual AccessKey FIDO HID Device Serial Number string
              • API String ID: 79745889-1896618911
              • Opcode ID: c4f2a244a1dc23aea743032f213965f659474282e2358e41eed4bfeb1af6266f
              • Instruction ID: b1bf420e21cca834462a8b15d2a7a4950f33deb7e9da9396d18064efc2b70b01
              • Opcode Fuzzy Hash: c4f2a244a1dc23aea743032f213965f659474282e2358e41eed4bfeb1af6266f
              • Instruction Fuzzy Hash: F7118761B1E64AC1FA618B15E4767B56260FF8BF44F404032F94D47B97DEACE604CB48
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
              • String ID: csm$f
              • API String ID: 2395640692-629598281
              • Opcode ID: fba172f9e0be19d4b70c4800c4adb321cd4f8c035479ce89570abe1b3d123658
              • Instruction ID: 835f134a72c9a0a846203f7abf5179c3532df764e710d40c07767a1bfc218bf3
              • Opcode Fuzzy Hash: fba172f9e0be19d4b70c4800c4adb321cd4f8c035479ce89570abe1b3d123658
              • Instruction Fuzzy Hash: 8851C136B0A646CAE714CF11E465BA83795FF63F98F608530DA0E4774ADFB8E9418708
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugOutputStringswprintf
              • String ID: GetString: unkown string index %d$UMDF Virtual AccessKey FIDO HID Device
              • API String ID: 79745889-2538044269
              • Opcode ID: eeeb98476b812c8bfa2d5e2a05108d0f48fbaa56241f4f89c7e4470fe9665883
              • Instruction ID: ef4a366e822dfd25121dd6a22e6107d693638cb55e00fcb56df40c98201e55db
              • Opcode Fuzzy Hash: eeeb98476b812c8bfa2d5e2a05108d0f48fbaa56241f4f89c7e4470fe9665883
              • Instruction Fuzzy Hash: 77014465B2D68AC2F621DB11E4627E56350FF8BB44F401032E94D47B5BDE7CE544CB48
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugOutputStringswprintf
              • String ID: WdfRequestRetrieveInputMemory failed 0x%x
              • API String ID: 79745889-1324185097
              • Opcode ID: bd0ce6cc008070f1534a7335cc03115e47e4efc729aa8a19adac5ad3c39e0905
              • Instruction ID: 61825c698721d9f6a7d55218ac172345d2a218f8a82ce9c33919c1feb8f9178f
              • Opcode Fuzzy Hash: bd0ce6cc008070f1534a7335cc03115e47e4efc729aa8a19adac5ad3c39e0905
              • Instruction Fuzzy Hash: DA111D35B19B4AC1EB10DB16F8A67AA73A0FB8AF84F404032DA5D83766DE7CD544CB44
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000034.00000002.4610964096.00007FFDA5491000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFDA5490000, based on PE: true
              • Associated: 00000034.00000002.4610911377.00007FFDA5490000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611012970.00007FFDA5496000.00000002.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611067609.00007FFDA549A000.00000004.00000001.01000000.0000000C.sdmp
              • Associated: 00000034.00000002.4611121561.00007FFDA549B000.00000002.00000001.01000000.0000000C.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_52_2_7ffda5490000_WUDFHost.jbxd
              Similarity
              • API ID: DebugOutputStringswprintf
              • String ID: WdfRequestForwardToIoQueue failed with 0x%x
              • API String ID: 79745889-420988317
              • Opcode ID: 4570f5cfa8f07c1f8e7aa15afdc99eb437d33734220852b2caeb4416c538655f
              • Instruction ID: 6f289ba5349e0866842c7b43b5f8bc3c33d1744ebce100e9a56b45c82f97cc3b
              • Opcode Fuzzy Hash: 4570f5cfa8f07c1f8e7aa15afdc99eb437d33734220852b2caeb4416c538655f
              • Instruction Fuzzy Hash: FA115E36719B89C1E7219F16E8A23EA6360FB9FF84F400132DA9C43766DE6CD545C744
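The function records above are flat text, so pivoting on them (every function of the dropped WUDFHost module that shares an API hash, or every function whose debug strings mention an invalid buffer) is easier once they are parsed. The Python below is an added example written for this page; it is not Joe Sandbox's or the IDA plugin's own code. It assumes only the bullet "key: value" layout visible in the records, and its sample input is three records copied from this page. The split of "API String ID" into an API half and a string half is taken from the page's own records: every function whose API ID is DebugOutputStringswprintf carries 79745889 before the hyphen, and a function with no strings carries -0 after it.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample input: three "Similarity" records copied from this report
# page in the layout the report uses (bullet "key: value" fields). Any other
# report text in the same layout can be fed to parse_records() instead.
SAMPLE_REPORT = """\
Similarity
• API ID: DebugOutputStringswprintf
• String ID: GetFeature$GetFeature: invalid report id %d$GetFeature: output buffer too small. Size %d, expect %d
• API String ID: 79745889-3916486426
• Opcode ID: 01a1b0822caab69461dbe954ec9eae928e8f7ba608eb4ac28a7acc99e7c711f7
• Instruction ID: 890d9f6a5848ab9490545aa6c57b6b786c4666b0e053341f0db117007bcd9fa1
Similarity
• API ID: DebugOutputStringswprintf
• String ID: SetOutputReport$SetOutputReport: invalid input buffer. size %d, expect %d
• API String ID: 79745889-2303318144
• Opcode ID: c11430cfef5bba140b3b919910bcc19f44db8ca4e0b832e1d45df74e04fbc7af
• Instruction ID: efd6b04bb51eca401f5482c28f4b5d63442506e5ed41dce2398fcdc8416b3c7c
Similarity
• API ID: malloc
• String ID:
• API String ID: 2803490479-0
• Opcode ID: 1e42bd493bbaa962412695e9efec54261937a4001b952f01b66bb145e9638e47
• Instruction ID: 8dea3a5a67d36468b37a536081ae2b58b439fa77f9e5a962d035ced094fe0bc5
"""

# One bullet field: "• Key: value". The key never contains a colon, so the
# first colon separates key from value even when the value has colons itself
# (e.g. "GetFeature: invalid report id %d").
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Turn report text into one dict per 'Similarity' block."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if line.strip() == "Similarity":
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key").strip()] = m.group("value").strip()
    return records


def split_strings(record: Dict[str, str]) -> List[str]:
    """The report joins a function's referenced strings with '$'."""
    raw = record.get("String ID", "")
    return [s for s in raw.split("$") if s]


def group_by_api_hash(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """'API String ID' is '<api-hash>-<string-hash>'. Grouping on the API half
    collects functions that call the same API set regardless of their strings."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        api_hash = r.get("API String ID", "").partition("-")[0]
        groups[api_hash].append(r.get("Opcode ID", ""))
    return dict(groups)


def find_by_string(records: List[Dict[str, str]], needle: str) -> List[str]:
    """Opcode IDs of every function whose referenced strings contain `needle`."""
    return [r["Opcode ID"] for r in records
            if any(needle in s for s in split_strings(r))]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for api_hash, opcode_ids in group_by_api_hash(recs).items():
        print(f"api-hash {api_hash}: {len(opcode_ids)} function(s)")
    print("functions logging an 'invalid' buffer:", find_by_string(recs, "invalid"))
```

Feeding the full report text to parse_records() instead of the sample gives one record per function; the Opcode IDs returned by find_by_string() can then be matched back to the records above to reach their memory-dump offsets.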